I see that you have a problem decrypting mails by using the OpenSSL 3.x version (https://mailcow.email/posts/2023/arm64-delay/). I encountered a similar problem when my OpenVPN would not connect when my distro upgraded to OpenSSL 3.x. I'm writing this in hope that my solution helps you in tracking down the issue.
The problem for me was basically that OpenSSL 3.x disabled the usage of legacy cryptographic algorithms because they are not considered safe anymore. References:
The issue was easily reproducible by trying to decrypt a local certificate:
$ openssl x509 -text -noout -in .cert/nm-openvpn/blaz-tomazic-pkcs12.pem
Could not read certificate from .cert/nm-openvpn/blaz-tomazic-pkcs12.pem
403C0706287F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
Unable to load certificate
After enabling the legacy algorithms in /etc/ssl/openssl.conf (uncommenting the lines starting with ##):
# Uncomment the sections that start with ## below to enable the legacy provider.
# Loading the legacy provider enables support for the following algorithms:
# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
# Key Derivation Function (KDF): PBKDF1
# In general it is not recommended to use the above mentioned algorithms for
# security critical operations, as they are cryptographically weak or vulnerable
# to side-channel attacks and as such have been deprecated.
##[provider_sect]
##default = default_sect
##legacy = legacy_sect
##
##[default_sect]
##activate = 1
##
##[legacy_sect]
##activate = 1
Summary
After enabling the legacy algorithms in /etc/ssl/openssl.conf (uncommenting the lines starting with ##), the decryption started to work:
I hope this helps your investigation. If not, please close this issue and I apologize for adding noise to the issue tracker :)
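The error in the post names the algorithm that could not be fetched. As an added example (not part of the original issue or of the mailcow project), this shell helper extracts that name from OpenSSL error output and checks it against the legacy-provider families listed in the config comment; the function names and the second sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify OpenSSL 3.x "unsupported" fetch errors.
# Families follow the openssl config comment quoted in the issue; BF and CAST5
# are the OpenSSL cipher-name prefixes for Blowfish and CAST.
LEGACY_FAMILIES="MD2 MD4 MDC2 WHIRLPOOL RIPEMD160 BF CAST CAST5 DES IDEA RC2 RC4 RC5 SEED PBKDF1"

# Print the algorithm named in each EVP fetch "unsupported" error read from stdin.
unsupported_algs() {
    sed -n 's/.*:unsupported:.*Algorithm (\([^ :)]*\) *:.*/\1/p'
}

# Exit 0 if the algorithm name belongs to a legacy-provider family.
is_legacy_alg() {
    name=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    case "$name" in
        DES-EDE*) return 1 ;;  # Triple DES is served by the default provider
    esac
    family=${name%%-*}
    for f in $LEGACY_FAMILIES; do
        if [ "$family" = "$f" ]; then return 0; fi
    done
    return 1
}

# One line per distinct algorithm: "<name> legacy-provider" or "<name> not-legacy".
triage() {
    unsupported_algs | sort -u | while read -r alg; do
        if is_legacy_alg "$alg"; then
            echo "$alg legacy-provider"
        else
            echo "$alg not-legacy"
        fi
    done
}

# First error line is the one from the issue; the last line is constructed for contrast.
triage <<'EOF'
Could not read certificate from .cert/nm-openvpn/blaz-tomazic-pkcs12.pem
403C0706287F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
0000000000000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (EXAMPLE-ALG : 0), Properties ()
EOF
```

Pipe a failing command's stderr into `triage` to see whether the failure is a legacy-algorithm case before changing the provider configuration.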