Hi,
I came up with the following patch while trying to figure out a good solution for the situation described in Debian bug #871987[1]. In short, OpenSSL in Debian unstable has disabled TLSv1.0 and TLSv1.1 *by default*. That means that unless an application requests otherwise, only TLSv1.2 is supported. In the world of e-mail this is seemingly an issue, as there are still way too many old clients out there supporting only TLSv1 or TLSv1.1.
Now, traditionally OpenSSL 0.9.8/1.0 used SSL_CTX_set_options() to allow *disabling* specific protocols, without offering a way to enable previously disabled protocols. OpenSSL 1.1 introduced a dedicated API[2] to set allowed protocol versions, taking a linear version approach: the application may request a minimum and a maximum allowed version (inclusive), allowing all versions inbetween as well.
Dovecot's existing ssl_protocols option is probably not ideal to use with this new "linear" model. Instead, I introduced two new options, ssl_min_proto_version and ssl_max_proto_version, that map directly to OpenSSL 1.1 concepts.
I have tested the patch with both OpenSSL 1.0 and OpenSSL 1.1. With OpenSSL 1.1 it works as expected; with OpenSSL 1.0 it doesn't seem to break anything. Other than that, this is a first version; I'm sure there are still things to improve, so comments are welcome :)
Regards, Apollon
[1] https://bugs.debian.org/871987 [2] https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_min_proto_version.html
Apollon Oikonomopoulos (1): Support setting min/max SSL protocol version
doc/example-config/conf.d/10-ssl.conf | 4 ++++ src/config/config-parser.c | 25 +++++++++++++++++++++ src/lib-master/master-service-ssl-settings.c | 4 ++++ src/lib-master/master-service-ssl-settings.h | 2 ++ src/lib-master/master-service-ssl.c | 2 ++ src/lib-ssl-iostream/iostream-openssl-common.c | 12 +++++++++++ src/lib-ssl-iostream/iostream-openssl.h | 1 + src/lib-ssl-iostream/iostream-ssl.h | 2 ++ src/login-common/ssl-proxy-openssl.c | 30 ++++++++++++++++++++++++++ 9 files changed, 82 insertions(+)
-- 2.14.1