[PATCH] Add support for lower TLS version than default
Aki Tuomi
aki.tuomi at dovecot.fi
Sun Aug 27 14:04:21 EEST 2017
On 2017-08-27 13:47, Aki Tuomi wrote:
>
>
> On 2017-08-27 13:46, Sebastian Andrzej Siewior wrote:
>> On 27 August 2017 08:32:06 CEST, Timo Sirainen <tss at iki.fi> wrote:
>>>> DEF(SET_STR, ssl_protocols),
>>>> DEF(SET_STR, ssl_cert_username_field),
>>>> DEF(SET_STR, ssl_crypto_device),
>>>> + DEF(SET_STR, ssl_lowest_version),
>>> Does it really require a new setting? Couldn't it use the existing
>>> ssl_protocols setting?
>> You need to set a minimal version. SSL_PROTOLS can be set tls1.0 and
>> tls1.2 which avoids tls1.1. Not saying that it is a good thing to do.
>> Also you set it to not do sslv2 and sslv3 which then enables tls1.0+.
>> If you want change its definition to use as a minimal version, be my
>> guest. Or if you plan to scan the string and match for the lowest
>> version then this could work, too.
>>
>> Sebastian
> Yes, that was the plan.
>
> Aki
In fact, OpenSSL docs say:
These options turn off the SSLv3, TLSv1, TLSv1.1 or TLSv1.2
protocol versions with TLS or the DTLSv1, DTLSv1.2 versions with DTLS,
respectively. As of OpenSSL 1.1.0, these options are deprecated, use
SSL_CTX_set_min_proto_version and SSL_CTX_set_max_proto_version instead.
Which seems to imply that OpenSSL would rather people do not turn off
1.1 but leave 1.0 and 1.2 on. So I suppose we will parse the field, and
if OpenSSL is recent enough, we use the set_min_proto/set_max_proto
instead of directly setting the protocol flags.
Aki
Aki
More information about the dovecot
mailing list