[PATCH] Add support for lower TLS version than default

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Sun Aug 27 21:25:53 EEST 2017


On 2017-08-27 12:46:59 [+0200], To Timo Sirainen wrote:
> On 27 August 2017 08:32:06 CEST, Timo Sirainen <tss at iki.fi> wrote:
> >> 	DEF(SET_STR, ssl_protocols),
> >> 	DEF(SET_STR, ssl_cert_username_field),
> >> 	DEF(SET_STR, ssl_crypto_device),
> >> +	DEF(SET_STR, ssl_lowest_version),
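Review bot: ssl_lowest_version is introduced as a free-form SET_STR right next to ssl_protocols, and nothing in the hunk shows which version names it accepts, what its default is, or which setting wins when the two disagree; the patch should document the accepted values and the precedence between ssl_lowest_version and ssl_protocols (or, as discussed in this thread, derive the minimum from ssl_protocols instead of adding a second setting).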
> >
> >Does it really require a new setting? Couldn't it use the existing
> >ssl_protocols setting?
> You need to set a minimal version. ssl_protocols can be set to tls1.0 and tls1.2, which avoids tls1.1. Not saying that it is a good thing to do. Also you set it to not do sslv2 and sslv3, which then enables tls1.0+.
> If you want to change its definition to use as a minimal version, be my guest. Or if you plan to scan the string and match for the lowest version then this could work, too.

Now that I have looked at the source, there is openssl_get_protocol_options()
which could be used to figure out the lowest protocol version.
Please be aware that SSL_OP_NO_TLSv1 and friends are deprecated as of
openssl 1.1.0. So setting an explicit version looks more future-proof.
I currently don't have an opinion about "always" enabling TLS1.0 by
default (since the !SSLv2 !SSLv3 line would enable TLS1.0+ and so set
the min protocol version to TLS1.0).
So it is up to you; I could prepare a patch doing that…

Sebastian
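The approach discussed above, scanning the ssl_protocols string for its lowest enabled version so it can be passed to OpenSSL 1.1.0's SSL_CTX_set_min_proto_version() instead of the deprecated SSL_OP_NO_* flags, as an added example that is not Dovecot's openssl_get_protocol_options() and not part of this thread. It assumes the usual include/exclude semantics of that setting ("!name" excludes, bare names enable only those listed) and also reports when the list has a hole, like "TLSv1 TLSv1.2", that a single minimum version cannot express.

```c
#include <ctype.h>
#include <string.h>
/* Ascending order; version numbers as OpenSSL defines them (TLS1_VERSION = 0x0301 etc.).
 * This table and the parsing rules below are assumptions, not Dovecot's own code. */
static const struct { const char *name; int version; } protos[] = {
    { "SSLv2", 0x0002 }, { "SSLv3", 0x0300 }, { "TLSv1", 0x0301 },
    { "TLSv1.1", 0x0302 }, { "TLSv1.2", 0x0303 } };
#define N_PROTOS ((int)(sizeof(protos) / sizeof(protos[0])))
/* Case-insensitive compare of an n-byte token against a protocol name. */
static int name_eq(const char *tok, size_t n, const char *name) {
    if (strlen(name) != n) return 0;
    while (n-- > 0)
        if (tolower((unsigned char)tok[n]) != tolower((unsigned char)name[n])) return 0;
    return 1;
}
/* Bitmask of enabled protocols (bit i <-> protos[i]); -1 on an unknown name. Rules:
 * "!name" excludes; bare names enable only those listed; exclusions alone keep the rest. */
static int enabled_mask(const char *s, unsigned *enabled) {
    unsigned include = 0, exclude = 0;
    for (;;) {
        while (*s == ' ' || *s == ',' || *s == '\t') s++;  /* skip separators */
        if (*s == '\0') break;
        const char *tok = s;
        while (*s != '\0' && strchr(" ,\t", *s) == NULL) s++;
        size_t n = (size_t)(s - tok);
        int neg = (tok[0] == '!'), i;
        tok += neg; n -= (size_t)neg;
        for (i = 0; i < N_PROTOS && !name_eq(tok, n, protos[i].name); i++) ;
        if (i == N_PROTOS) return -1;  /* refuse unknown names rather than ignore them */
        if (neg) exclude |= 1u << i; else include |= 1u << i;
    }
    *enabled = (include != 0 ? include : (1u << N_PROTOS) - 1) & ~exclude;
    return 0;
}
/* Lowest enabled version (the value SSL_CTX_set_min_proto_version() takes); 0 if none, -1 on error. */
int ssl_protocols_min_version(const char *s) {
    unsigned enabled;
    if (enabled_mask(s, &enabled) < 0) return -1;
    for (int i = 0; i < N_PROTOS; i++)
        if (enabled & (1u << i)) return protos[i].version;
    return 0;
}
/* 1 if the enabled set has a hole ("TLSv1 TLSv1.2" skips TLSv1.1), which a minimum
 * version alone cannot express; 0 if contiguous or empty; -1 on a bad string. */
int ssl_protocols_has_gap(const char *s) {
    unsigned enabled, m;
    if (enabled_mask(s, &enabled) < 0) return -1;
    m = enabled ? enabled / (enabled & -enabled) : 0;  /* move the lowest enabled bit to bit 0 */
    return (m & (m + 1)) != 0;                          /* a gap-free run is 2^k - 1 */
}
```

A caller that finds a gap should either reject the configuration or fall back to per-version options, since setting only the minimum would silently re-enable the skipped version.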

