Unable to set ssl_min_protocol=TLSv1.3
Good $daytime,
as per the recommendations of Mozilla’s SSL config generator[0], I wanted to set ssl_min_protocol=TLSv1.3 in my dovecot config. This produced the error:
imap-login: Error: Failed to initialize SSL server context: Unknown ssl_min_protocol setting 'TLSv1.3'
After some digging, I found the function that parses this setting in src/lib-ssl-iostream/iostream-openssl-common.c (openssl_min_protocol_to_options()), which maps strings such as SSL_TXT_TLSV1_2 == "TLSv1.2" (from openssl/ssl.h) to the appropriate version and option defines of OpenSSL.
Said openssl/ssl.h does not contain a SSL_TXT_TLSV1_3, so it’s no surprise that dovecot does not know this setting. As a quick fix, I could probably extend struct {…} protocol_versions[] (in iostream-openssl-common.c again) with an appropriate "TLSv1.3" entry (and send a patch), though I would also suggest to OpenSSL to add a SSL_TXT_TLSV1_3 define.
Unfortunately, I have not found a config setting in dovecot to set SSL_OP_NO_TLSv1_2, or in fact any way to enforce TLS >=1.3, except maybe via the cipher list string.
I think that dovecot should support setting this, and I’d also gladly provide a patch.
Thanks, Thomas
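The mapping Thomas describes, reconstructed as an added example (this is not Dovecot's or OpenSSL's code): a name-to-version table of the kind openssl_min_protocol_to_options() walks, with a "TLSv1.3" entry added at the end. The table and function names are my own, chosen to mirror the ones named in the message; the fallback constants are assumed to match OpenSSL 1.1.1's headers and are only used when openssl/ssl.h is not available on the build host. The idea is that, with entries ordered oldest to newest, the SSL_OP_NO_* mask for a minimum version is simply the OR of the disable bits of every entry before it, which is how "TLSv1.3" ends up implying SSL_OP_NO_TLSv1_2.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#if defined(__has_include)
# if __has_include(<openssl/ssl.h>)
#  include <openssl/ssl.h>
#  define HAVE_OPENSSL_SSL_H 1
# endif
#endif

#ifndef HAVE_OPENSSL_SSL_H
/* Fallback so the example compiles without OpenSSL installed. Assumed to
 * mirror the values in OpenSSL 1.1.1's ssl3.h / tls1.h / ssl.h. */
# define SSL3_VERSION      0x0300
# define TLS1_VERSION      0x0301
# define TLS1_1_VERSION    0x0302
# define TLS1_2_VERSION    0x0303
# define TLS1_3_VERSION    0x0304
# define SSL_OP_NO_SSLv3   0x02000000UL
# define SSL_OP_NO_TLSv1   0x04000000UL
# define SSL_OP_NO_TLSv1_2 0x08000000UL
# define SSL_OP_NO_TLSv1_1 0x10000000UL
# define SSL_OP_NO_TLSv1_3 0x20000000UL
#endif

/* One row per protocol name accepted in ssl_min_protocol (hypothetical
 * reconstruction, not Dovecot's actual struct). Ordered oldest to newest. */
struct protocol_version {
    const char *name;        /* string as written in the config file   */
    int version;             /* for SSL_CTX_set_min_proto_version()    */
    unsigned long disable;   /* this protocol's own SSL_OP_NO_* bit    */
};

static const struct protocol_version protocol_versions[] = {
    { "SSLv3",   SSL3_VERSION,   SSL_OP_NO_SSLv3   },
    { "TLSv1",   TLS1_VERSION,   SSL_OP_NO_TLSv1   },
    { "TLSv1.1", TLS1_1_VERSION, SSL_OP_NO_TLSv1_1 },
    { "TLSv1.2", TLS1_2_VERSION, SSL_OP_NO_TLSv1_2 },
    { "TLSv1.3", TLS1_3_VERSION, SSL_OP_NO_TLSv1_3 },  /* the missing entry */
};
#define N_PROTOCOLS (sizeof(protocol_versions) / sizeof(protocol_versions[0]))

/* Translate a minimum-protocol name into the version number for
 * SSL_CTX_set_min_proto_version() and the SSL_OP_NO_* mask that disables
 * every protocol older than it. Returns 0 on success, -1 for an unknown
 * name (the case that produces Dovecot's "Unknown ssl_min_protocol" error). */
int min_protocol_to_options(const char *name, int *min_version_r,
                            unsigned long *opts_r)
{
    unsigned long opts = 0;
    size_t i;

    for (i = 0; i < N_PROTOCOLS; i++) {
        if (strcmp(protocol_versions[i].name, name) == 0) {
            *min_version_r = protocol_versions[i].version;
            *opts_r = opts;
            return 0;
        }
        opts |= protocol_versions[i].disable;   /* everything older is off */
    }
    return -1;
}

/* Version number for a name, or -1 if unknown. */
int min_version_of(const char *name)
{
    int version;
    unsigned long opts;
    return min_protocol_to_options(name, &version, &opts) == 0 ? version : -1;
}

/* Does choosing min_name as the minimum forbid proto_name?
 * 1 = yes, 0 = no, -1 = either name unknown. */
int forbids(const char *min_name, const char *proto_name)
{
    int version;
    unsigned long opts;
    size_t i;

    if (min_protocol_to_options(min_name, &version, &opts) < 0)
        return -1;
    for (i = 0; i < N_PROTOCOLS; i++)
        if (strcmp(protocol_versions[i].name, proto_name) == 0)
            return (opts & protocol_versions[i].disable) != 0;
    return -1;
}

int main(void)
{
    const char *names[] = { "TLSv1.2", "TLSv1.3", "TLSv1.4" };
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        int version;
        unsigned long opts;
        if (min_protocol_to_options(names[i], &version, &opts) < 0) {
            printf("Unknown ssl_min_protocol setting '%s'\n", names[i]);
            continue;
        }
        printf("%s: min_proto_version=0x%04x options=0x%08lx\n",
               names[i], version, opts);
    }
    return 0;
}
```

On OpenSSL 1.1.0 and later the version field is the one that matters: SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION) is the supported way to enforce TLS >= 1.3, and the SSL_OP_NO_* mask is only needed for the older SSL_CTX_set_options() path. Note also that in OpenSSL 1.1.1 the TLS 1.3 cipher suites are configured separately through SSL_CTX_set_ciphersuites(), so the classic cipher list string cannot by itself select or exclude TLS 1.3.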
On 13/04/2020 12:35 Thomas Schneider <qsx@chaotikum.eu> wrote:
Hi!
What version of Dovecot are you using? What OS/distro are you using?
I'm guessing you're seeing this, see https://dovecot.org/pipermail/dovecot/2019-December/117799.html
Aki
Any news on setting TLS 1.3 as minimal version?
I am using Debian 10 with Dovecot 2.3.4.1-5+deb10u1 and openssl 1.1.1d-0+deb10u3.
Participants (3): Aki Tuomi, da-dovecotlist-15@abelonline.de, Thomas Schneider