I just received the message below, and am wondering if Forte will be issuing
an upgrade for Agent to support Microsoft's change to TLS 1.2.

=============================================================================
Disabling TLS 1.0/1.1 for POP3 and IMAP4 on December 01, 2022

Starting on December 01, 2022, Office 365 will begin retiring Transport
Layer Security (TLS) 1.0 and 1.1 for POP3 and IMAP4. TLS is a standard
protocol used to provide secure web communications for POP3 and IMAP4. POP3
and IMAP4 are the client/server protocols for receiving emails. We will
enforce TLS 1.2 moving forward to provide enhanced encryption and help
ensure your emails are received more securely. We have already disabled TLS
1.0 and 1.1 for most Microsoft 365 services in the worldwide environment.

When this will happen
December 01, 2022

What do I need to do?
Our records show that your email account has recently been accessed with
POP3/IMAP4 through TLS 1.0 or 1.1.
POP3 and IMAP4 will not be able to connect with TLS 1.0 and 1.1 starting on
December 01, 2022. You will not be able to receive emails with POP3/IMAP4
protocol after that. To continue accessing your email account using POP3 or
IMAP4, please upgrade/update your client to support TLS 1.2. Your emails
will not be removed, but you cannot access them without upgrading your
client. You can find out technical details on how to upgrade in this
article: Disabling TLS 1.0 and 1.1 for Microsoft 365 - Microsoft Purview
(compliance) | Microsoft Docs

What if I cannot update/upgrade?
If you cannot update/upgrade your legacy client, we provide an opt-in
endpoint for you to continue connecting with TLS 1.0/1.1. Your legacy
clients must be configured to pop-legacy.office365.com for POP3 and
imap-legacy.office365.com for IMAP4. Using legacy versions of TLS is not as
secure as TLS 1.2, however, so we recommend you update and use TLS 1.2.
==============================================================================

On Thu, 10 Nov 2022 16:49:34 -0800, Larry Dighera wrote:

> I just received the message below, and am wondering if Forte will be issuing
> an upgrade for Agent to support Microsoft's change to TLS 1.2.

No upgrade needed. You just need to make a small configuration change in Agent.

See this message for details of the configuration change:

* On Google Groups: <https://groups.google.com/g/alt.usenet.offline-reader.forte-agent/c/mJmtMSUqp6M>

* On Narkive: <https://alt.usenet.offline-reader.forte-agent.narkive.com/35h3yv8s/notice-agent-and-ssl>

* On Usenet: <news:p8hpuglnb0tot2oot3ob7m8n1k940kfgcl@4ax.com>

If you are using Windows 7, 8, 10, or 11, then this will work.
If you are using XP, this may not work. Agent relies on the operating system
to support SSL/TLS, and XP did not support TLS 1.2.

> =============================================================================
> Disabling TLS 1.0/1.1 for POP3 and IMAP4 on December 01, 2022
>
> Starting on December 01, 2022, Office 365 will begin retiring Transport
> Layer Security (TLS) 1.0 and 1.1 for POP3 and IMAP4. TLS is a standard
> protocol used to provide secure web communications for POP3 and IMAP4. POP3
> and IMAP4 are the client/server protocols for receiving emails. We will
> enforce TLS 1.2 moving forward to provide enhanced encryption and help
> ensure your emails are received more securely. We have already disabled TLS
> 1.0 and 1.1 for most Microsoft 365 services in the worldwide environment.
>
>
> When this will happen
> December 01, 2022
>
> What do I need to do?
> Our records show that your email account has recently been accessed with
> POP3/IMAP4 through TLS 1.0 or 1.1.
> POP3 and IMAP4 will not be able to connect with TLS 1.0 and 1.1 starting on
> December 01, 2022. You will not be able to receive emails with POP3/IMAP4
> protocol after that. To continue accessing your email account using POP3 or
> IMAP4, please upgrade/update your client to support TLS 1.2. Your emails
> will not be removed, but you cannot access them without upgrading your
> client. You can find out technical details on how to upgrade in this
> article: Disabling TLS 1.0 and 1.1 for Microsoft 365 - Microsoft Purview
> (compliance) | Microsoft Docs
>
> What if I cannot update/upgrade?
> If you cannot update/upgrade your legacy client, we provide an opt-in
> endpoint for you to continue connecting with TLS 1.0/1.1. Your legacy
> clients must be configured to pop-legacy.office365.com for POP3 and
> imap-legacy.office365.com for IMAP4. Using legacy versions of TLS is not as
> secure as TLS 1.2, however, so we recommend you update and use TLS 1.2.
> ==============================================================================

--
Kind regards
Ralph Fox
🕵️‍🔐✔

On Fri, 11 Nov 2022 17:37:28 +1300, Ralph Fox <-rf-nz-@-.invalid> wrote
as underneath :

>On Thu, 10 Nov 2022 16:49:34 -0800, Larry Dighera wrote:
>
>> I just received the message below, and am wondering if Forte will be issuing
>> an upgrade for Agent to support Microsoft's change to TLS 1.2.
>
>
>No upgrade needed. You just need to make a small configuration change in Agent.
>
>See this message for details of the configuration change:
>
> * On Google Groups: <https://groups.google.com/g/alt.usenet.offline-reader.forte-agent/c/mJmtMSUqp6M>
>
> * On Narkive: <https://alt.usenet.offline-reader.forte-agent.narkive.com/35h3yv8s/notice-agent-and-ssl>
>
> * On Usenet: <news:p8hpuglnb0tot2oot3ob7m8n1k940kfgcl@4ax.com>
>
>
>If you are using Windows 7, 8, 10, or 11, then this will work.
>If you are using XP, this may not work. Agent relies on the operating system
>to support SSL/TLS, and XP did not support TLS 1.2.
>
>
>> =============================================================================
>> Disabling TLS 1.0/1.1 for POP3 and IMAP4 on December 01, 2022
>>
>> Starting on December 01, 2022, Office 365 will begin retiring Transport
>> Layer Security (TLS) 1.0 and 1.1 for POP3 and IMAP4. TLS is a standard
>> protocol used to provide secure web communications for POP3 and IMAP4. POP3
>> and IMAP4 are the client/server protocols for receiving emails. We will
>> enforce TLS 1.2 moving forward to provide enhanced encryption and help
>> ensure your emails are received more securely. We have already disabled TLS
>> 1.0 and 1.1 for most Microsoft 365 services in the worldwide environment.
>>
>>
>> When this will happen
>> December 01, 2022
>>
>> What do I need to do?
>> Our records show that your email account has recently been accessed with
>> POP3/IMAP4 through TLS 1.0 or 1.1.
>> POP3 and IMAP4 will not be able to connect with TLS 1.0 and 1.1 starting on
>> December 01, 2022. You will not be able to receive emails with POP3/IMAP4
>> protocol after that. To continue accessing your email account using POP3 or
>> IMAP4, please upgrade/update your client to support TLS 1.2. Your emails
>> will not be removed, but you cannot access them without upgrading your
>> client. You can find out technical details on how to upgrade in this
>> article: Disabling TLS 1.0 and 1.1 for Microsoft 365 - Microsoft Purview
>> (compliance) | Microsoft Docs
>>
>> What if I cannot update/upgrade?
>> If you cannot update/upgrade your legacy client, we provide an opt-in
>> endpoint for you to continue connecting with TLS 1.0/1.1. Your legacy
>> clients must be configured to pop-legacy.office365.com for POP3 and
>> imap-legacy.office365.com for IMAP4. Using legacy versions of TLS is not as
>> secure as TLS 1.2, however, so we recommend you update and use TLS 1.2.
>> ==============================================================================

Forgive my ignorance please! I use as my workhorse XP SP3 with Agent V6
collecting POP3 email from Gmail with an app password. Also n/groups
from Newsnet-news (a block provider). Is something just going to stop
working in my setup that I need to prepare for with this December 01
change? (Ralph's Agent.ini recommended edit I did some time ago). C+

Ralph,

Thank you once again for your sagacious assistance.

I'll post a copy of your article in this message for redundancy.

Very much appreciated.

Best regards,
Larry

===================================================================
Ralph Fox
If you use SSL in Agent 3.2 - 8.0, or if you want to use SSL, these days
you may need to make the following configuration change in AGENT.INI.

In the [Online] section of AGENT.INI,
change the setting 'AllowedSSLProtocols' from this:

AllowedSSLProtocols=0

to one of these:
* In Windows 11, and in Windows 10 version 1903 and later

AllowedSSLProtocols=10880

* In Windows before Windows 10 version 1903

AllowedSSLProtocols=2688

EXPLANATION

When Agent's SSL was implemented, the highest version of SSL in
use was TLS1.0. The AGENT.INI default setting AllowedSSLProtocols=0
will support versions of SSL up to TLS1.0.

Since then, TLS1.0 has been deprecated. Many mail servers and some news
servers have stopped using TLS1.0. Many mail servers and some news servers
now require a minimum SSL version of TLS1.2.

The setting AllowedSSLProtocols=2688 will configure Agent to support
SSL versions up to TLS1.2 (providing your Windows supports it; do not
expect it to work on Windows 95).

The setting AllowedSSLProtocols=10880 will configure Agent to support
SSL versions up to TLS1.3 in Windows 10.1903 and later.
--
Kind regards
Ralph
===================================================================

On Fri, 11 Nov 2022 17:37:28 +1300, Ralph Fox <-rf-nz-@-.invalid> wrote:

>On Thu, 10 Nov 2022 16:49:34 -0800, Larry Dighera wrote:
>
>> I just received the message below, and am wondering if Forte will be issuing
>> an upgrade for Agent to support Microsoft's change to TLS 1.2.
>
>
>No upgrade needed. You just need to make a small configuration change in Agent.
>
>See this message for details of the configuration change:
>
> * On Google Groups: <https://groups.google.com/g/alt.usenet.offline-reader.forte-agent/c/mJmtMSUqp6M>
>
> * On Narkive: <https://alt.usenet.offline-reader.forte-agent.narkive.com/35h3yv8s/notice-agent-and-ssl>
>
> * On Usenet: <news:p8hpuglnb0tot2oot3ob7m8n1k940kfgcl@4ax.com>
>
>
>If you are using Windows 7, 8, 10, or 11, then this will work.
>If you are using XP, this may not work. Agent relies on the operating system
>to support SSL/TLS, and XP did not support TLS 1.2.
>
>
>> =============================================================================
>> Disabling TLS 1.0/1.1 for POP3 and IMAP4 on December 01, 2022
>>
>> Starting on December 01, 2022, Office 365 will begin retiring Transport
>> Layer Security (TLS) 1.0 and 1.1 for POP3 and IMAP4. TLS is a standard
>> protocol used to provide secure web communications for POP3 and IMAP4. POP3
>> and IMAP4 are the client/server protocols for receiving emails. We will
>> enforce TLS 1.2 moving forward to provide enhanced encryption and help
>> ensure your emails are received more securely. We have already disabled TLS
>> 1.0 and 1.1 for most Microsoft 365 services in the worldwide environment.
>>
>>
>> When this will happen
>> December 01, 2022

[Snipped for brevity]

On Fri, 11 Nov 2022 07:39:02 +0000, Charlie+ wrote:

> Forgive my ignorance please! I use as my workhorse XP SP3 with Agent V6
> collecting POP3 email from Gmail with an app password. Also n/groups
> from Newsnet-news (a block provider). Is something just going to stop
> working in my setup that I need to prepare for with this December 01
> change? (Ralph's Agent.ini recommended edit I did some time ago). C+

Microsoft is making this change on December 01, 2022 to some Microsoft
services.

What Gmail does to Gmail services is completely independent of Microsoft.
What Newsnet-news does to Newsnet-news services is completely independent
of Microsoft.

Check for announcements from Gmail to see if and when Gmail will be making
a similar change. Check for announcements from Newsnet-news to see if and
when Newsnet-news will be making a similar change.

--
Kind regards
Ralph

Agent Unicode Test: ☄️🌚️🔥️🛸️🌃️🧟️

On Sat, 12 Nov 2022 10:07:38 +1300, Ralph Fox <-rf-nz-@-.invalid> wrote
as underneath :

>On Fri, 11 Nov 2022 07:39:02 +0000, Charlie+ wrote:
>
>> Forgive my ignorance please! I use as my workhorse XP SP3 with Agent V6
>> collecting POP3 email from Gmail with an app password. Also n/groups
>> from Newsnet-news (a block provider). Is something just going to stop
>> working in my setup that I need to prepare for with this December 01
>> change? (Ralph's Agent.ini recommended edit I did some time ago). C+
>
>
>Microsoft is making this change on December 01, 2022 to some Microsoft
>services.
>
>What Gmail does to Gmail services is completely independent of Microsoft.
>What Newsnet-news does to Newsnet-news services is completely independent
>of Microsoft.
>
>Check for announcements from Gmail to see if and when Gmail will be making
>a similar change. Check for announcements from Newsnet-news to see if and
>when Newsnet-news will be making a similar change.

Many thanks for clarification Ralf, I'll wait for the sword of Damocles
to drop on this XP computer at some unknown date then :( ! C+

On Sat, 12 Nov 2022 06:35:11 +0000, Charlie+ wrote:

> Many thanks for clarification Ralf, I'll wait for the sword of Damocles
> to drop on this XP computer at some unknown date then :( ! C+

I have not tried this myself (I never used XP as my main OS at home),
but you might want to look at the post "Fix for SSL Not Working with
Agent 7.2, Windows XP and Usenet" from 15 months ago.
news:rr2nggdpim30ar6ca3ipgt7d1dmcg0th6a@4ax.com  

On Sat, 12 Nov 2022 22:16:43 +1300, Ralph Fox <-rf-nz-@-.invalid> wrote
as underneath :

>On Sat, 12 Nov 2022 06:35:11 +0000, Charlie+ wrote:
>
>> Many thanks for clarification Ralf, I'll wait for the sword of Damocles
>> to drop on this XP computer at some unknown date then :( ! C+
>
>I have not tried this myself (I never used XP as my main OS at home),
>but you might want to look at the post "Fix for SSL Not Working with
>Agent 7.2, Windows XP and Usenet" from 15 months ago.
>news:rr2nggdpim30ar6ca3ipgt7d1dmcg0th6a@4ax.com  
>
TVM for pointing.. I did put a watch on that post at the time but it did
not seem so relevant and there were no follow ups to make me pay more
attention! I have now d/l the linked files and will try it out on a
clone.. Good one Ralf if it works as Axel indicates it should. Thanks
Kind Regards C+

On Sun, 13 Nov 2022 07:20:37 +0000, Charlie+ <charlie@xxx.net> wrote as
underneath :

>On Sat, 12 Nov 2022 22:16:43 +1300, Ralph Fox <-rf-nz-@-.invalid> wrote
>as underneath :
>
>>On Sat, 12 Nov 2022 06:35:11 +0000, Charlie+ wrote:
>>
>>> Many thanks for clarification Ralf, I'll wait for the sword of Damocles
>>> to drop on this XP computer at some unknown date then :( ! C+
>>
>>I have not tried this myself (I never used XP as my main OS at home),
>>but you might want to look at the post "Fix for SSL Not Working with
>>Agent 7.2, Windows XP and Usenet" from 15 months ago.
>>news:rr2nggdpim30ar6ca3ipgt7d1dmcg0th6a@4ax.com  
>>
>TVM for pointing.. I did put a watch on that post at the time but it did
>not seem so relevant and there were no follow ups to make me pay more
>attention! I have now d/l the linked files and will try it out on a
>clone.. Good one Ralf if it works as Axel indicates it should. Thanks
>Kind Regards C+

OK Mods done on a clone SSD and nothing has broken it seems :) - is
there a command line set to check which TLS version is actually in use?
C+

On Tue, 15 Nov 2022 11:30:07 +0000, Charlie+ wrote:

> OK Mods done on a clone SSD and nothing has broken it seems :) - is
> there a command line set to check which TLS version is actually in use?
> C+

Which versions [plural] your computer can use ought to be shown in
Control Panel >> Internet Options >> Advanced >> scroll down to near
the bottom to see.

Which version is actually in use for a connection depends on the
connection. This is negotiated between your computer and the remote
server each time an SSL connection is made.

Using Agent, you could try to connect to news server nntp.aioe.org with SSL.
News server nntp.aioe.org requires TLS 1.2 or TLS 1.3. If Agent connects
successfully, you know TLS 1.2 or TLS 1.3 is working.

I have the OpenSSL command line tools, but they have their own SSL
implementation which says nothing about what Windows can use. They are
good for testing which versions the server can use.

On Wed, 16 Nov 2022 06:32:54 +1300, Ralph Fox <-rf-nz-@-.invalid> wrote
as underneath :

>On Tue, 15 Nov 2022 11:30:07 +0000, Charlie+ wrote:
>
>> OK Mods done on a clone SSD and nothing has broken it seems :) - is
>> there a command line set to check which TLS version is actually in use?
>> C+
>
>
>Which versions [plural] your computer can use ought to be shown in
>Control Panel >> Internet Options >> Advanced >> scroll down to near
>the bottom to see.
>
>Which version is actually in use for a connection depends on the
>connection. This is negotiated between your computer and the remote
>server each time an SSL connection is made.
>
>Using Agent, you could try to connect to news server nntp.aioe.org with SSL.
>News server nntp.aioe.org requires TLS 1.2 or TLS 1.3. If Agent connects
>successfully, you know TLS 1.2 or TLS 1.3 is working.
>
>
>I have the OpenSSL command line tools, but they have their own SSL
>implementation which says nothing about what Windows can use. They are
>good for testing which versions the server can use.
>
Thanks again Ralf - done as you instructed and all is well. SSL 3.0
shows up ticked in the list and aioe connects fine so a successful fix
to the impending problem :) C+

On Wed, 16 Nov 2022 08:06:18 +0000, Charlie+ wrote:

> SSL 3.0
> shows up ticked in the list

You want TLS 1.2, not SSL 3.0. They are different.

On Thu, 17 Nov 2022 06:18:45 +1300, Ralph Fox <-rf-nz-@-.invalid> wrote
as underneath :

>On Wed, 16 Nov 2022 08:06:18 +0000, Charlie+ wrote:
>
>> SSL 3.0
>> shows up ticked in the list
>
>You want TLS 1.2, not SSL 3.0. They are different.
>
Sorry about that, there is no entry in the list that refers to TLS
(win XP Pro SP3). I notice that a Win 7 (Ult) does have TLS in that
list as you mention.. C+

> ===================================================================
> Ralph Fox
> If you use SSL in Agent 3.2 - 8.0, or if you want to use SSL, these days
> you may need to make the following configuration change in AGENT.INI.
>
> In the [Online] section of AGENT.INI,
> change the setting 'AllowedSSLProtocols' from this:
>
> AllowedSSLProtocols=0
>
> to one of these:
> * In Windows 11, and in Windows 10 version 1903 and later
>
> AllowedSSLProtocols=10880
>
> * In Windows before Windows 10 version 1903
>
> AllowedSSLProtocols=2688

I figured out that when TLS 1.4 comes the value will be 43648
(actually it works using that value now as well :-)

But what happends when we come to TLS 1.5?
If I try the value 174720 I get lots of error.
I guess that is because the numer is greter than 16-bit (65535).
So how will we then make Forte Agent allow using TLS 1.5?

Isn't there a vaulue to make it allow ALL TLS versions?

On Mon, 9 Jan 2023 12:34:24 -0800 (PST), Lars-Erik Østerud wrote:

>> ===================================================================
>> Ralph Fox
>> If you use SSL in Agent 3.2 - 8.0, or if you want to use SSL, these days
>> you may need to make the following configuration change in AGENT.INI.
>>
>> In the [Online] section of AGENT.INI,
>> change the setting 'AllowedSSLProtocols' from this:
>>
>> AllowedSSLProtocols=0
>>
>> to one of these:
>> * In Windows 11, and in Windows 10 version 1903 and later
>>
>> AllowedSSLProtocols=10880
>>
>> * In Windows before Windows 10 version 1903
>>
>> AllowedSSLProtocols=2688
>
> I figured out that when TLS 1.4 comes the value will be 43648
> (actually it works using that value now as well :-)
>
> But what happends when we come to TLS 1.5?
> If I try the value 174720 I get lots of error.
> I guess that is because the numer is greter than 16-bit (65535).
> So how will we then make Forte Agent allow using TLS 1.5?

The bit you are trying to add, 131072 = 0x20000, would enable
"Datagram Transport Layer Security" (DTLS) 1.0 client side
and not a hypothetical future TLS 1.5.
<https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security>
See field 'grbitEnabledProtocols' in Microsoft's SCHANNEL_CRED
structure:
<https://learn.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-schannel_cred>

There is no bit in Microsoft's SCHANNEL_CRED structure for a
hypothetical future TLS 1.5.

Whether this would become a real problem for Agent will depend on
whether it would become necessary to support this hypothetical TLS 1.5
before 19 January 2038. Agent will not work properly after 19 January
2038. <https://en.wikipedia.org/wiki/Year_2038_problem>

--
Kind regards
Ralph

山高自有客行路，水深自有渡船人。