ssl_dh required, even though DH is disabled.
Here's my config:
# 2.3.2 (582970113): /etc/dovecot/dovecot.conf
# OS: Linux 4.17.5-1-ARCH x86_64 Arch Linux
# Hostname: vault
passdb {
  driver = pam
}
protocols = imap
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/myhostname.com/fullchain.pem
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384
ssl_key =  # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
My filesystem is ext4.
Even though I use ssl_cipher_list to forbid DH, dovecot still doesn't work unless I provide an ssl_dh, delivering the following error:
Jul 14 21:48:08 vault dovecot[8349]: imap-login: Error: Failed to initialize SSL server context: Couldn't parse DH parameters: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: DH PARAMETERS: user=<>, rip=10.0.0.1, lip=10.0.0.2, session=<4sGi5/9w3pwKAAAB>
While providing an ssl_dh is only a minor annoyance, it would be nice if I didn't have to.
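As an added example (not code from the thread or from the Dovecot project): a small audit of a `doveconf -n` dump that reports whether ssl_dh is needed and why, separating OpenSSL's genuine need for DH parameters (only when a finite-field DHE suite is enabled) from the Dovecot 2.3.2 start-up requirement the post describes. The sample config, the function names and the `/etc/dovecot/dh.pem` path are assumptions.

```python
import re

# Constructed sample modelled on the poster's doveconf -n output (ssl_dh absent).
SAMPLE_CONF = """\
ssl = required
ssl_cert = </etc/letsencrypt/live/myhostname.com/fullchain.pem
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA
ssl_key =  # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
"""
SETTING_RE = re.compile(r"^\s*(ssl\w*)\s*=\s*(.*)$")

def parse_ssl_settings(conf):
    """Top-level ssl* settings from doveconf -n output, trailing comments dropped."""
    settings = {}
    for line in conf.splitlines():
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).split("#", 1)[0].strip()
    return settings

def ffdhe_suites(cipher_list):
    """Literal suite names whose key exchange is finite-field DH. Aliases such as
    HIGH or kDHE are not expanded here; resolve those with `openssl ciphers -v`."""
    out = []
    for entry in cipher_list.split(":"):
        if entry.startswith("!"):  # "!X" removes X permanently; it never needs DH params
            continue
        name = entry.lstrip("+-")
        if name.startswith(("DHE-", "EDH-", "DH-", "ADH-")):
            out.append(name)
    return out

def audit(conf):
    """Say whether this config needs ssl_dh, and why."""
    s = parse_ssl_settings(conf)
    dhe = ffdhe_suites(s.get("ssl_cipher_list", ""))
    has_dh = bool(s.get("ssl_dh"))
    if has_dh:
        why = "ssl_dh is set; the DH parameters are loaded at startup"
    elif dhe:
        why = "DHE suites are enabled; those handshakes cannot complete without ssl_dh"
    else:
        why = ("no DHE suite is enabled, yet Dovecot 2.3.2 still fails to initialise its "
               "SSL context without ssl_dh (the 'Couldn't parse DH parameters' error)")
    return {"ssl_required": s.get("ssl") == "required", "dhe_suites": dhe,
            "ssl_dh_set": has_dh, "why": why}

# Assumed remediation (placeholder path, not from the thread); include the file as ssl_cert does.
REMEDIATION = "openssl dhparam -out /etc/dovecot/dh.pem 4096\nssl_dh = </etc/dovecot/dh.pem"
```

Run `audit(SAMPLE_CONF)` against a real dump to get the same three-way verdict; for a cipher list built from OpenSSL aliases, feed the expanded output of `openssl ciphers -v` to `ffdhe_suites` instead.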
This is a known issue, but thanks for reporting it.
---
Aki Tuomi
Dovecot oy

-------- Original message --------
From: Eric Toombs <ewtoombs@uwaterloo.ca>
Date: 16/07/2018 08:41 (GMT+02:00)
To: dovecot@dovecot.org
Subject: ssl_dh required, even though DH is disabled.