[RFC master-2.2 0/1] Support OpenSSL 1.1 API for setting allowed TLS versions

Apollon Oikonomopoulos apoikos at debian.org
Wed Sep 13 23:51:19 EEST 2017


Hi,

I came up with the following patch while trying to figure out a good solution
for the situation described in Debian bug #871987[1]. In short, OpenSSL in
Debian unstable has disabled TLSv1.0 and TLSv1.1 *by default*. That means that
unless an application requests otherwise, only TLSv1.2 is supported. In the
world of e-mail this is seemingly an issue, as there are still way too many old
clients out there supporting only TLSv1 or TLSv1.1.

Now, traditionally OpenSSL 0.9.8/1.0 used SSL_CTX_set_options() to allow
*disabling* specific protocols, without offering a way to enable previously
disabled protocols. OpenSSL 1.1 introduced a dedicated API[2] to set allowed
protocol versions, taking a linear version approach: the application may
request a minimum and a maximum allowed version (inclusive), allowing all
versions in between as well.

Dovecot's existing ssl_protocols option is probably not ideal to use with this
new "linear" model. Instead, I introduced two new options,
ssl_min_proto_version and ssl_max_proto_version, that map directly to OpenSSL
1.1 concepts.

I have tested the patch with both OpenSSL 1.0 and OpenSSL 1.1. With OpenSSL 1.1
it works as expected; with OpenSSL 1.0 it doesn't seem to break anything. Other
than that, this is a first version; I'm sure there are still things to improve,
so comments are welcome :)

Regards,
Apollon

[1] https://bugs.debian.org/871987
[2] https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_min_proto_version.html

Apollon Oikonomopoulos (1):
  Support setting min/max SSL protocol version

 doc/example-config/conf.d/10-ssl.conf          |  4 ++++
 src/config/config-parser.c                     | 25 +++++++++++++++++++++
 src/lib-master/master-service-ssl-settings.c   |  4 ++++
 src/lib-master/master-service-ssl-settings.h   |  2 ++
 src/lib-master/master-service-ssl.c            |  2 ++
 src/lib-ssl-iostream/iostream-openssl-common.c | 12 +++++++++++
 src/lib-ssl-iostream/iostream-openssl.h        |  1 +
 src/lib-ssl-iostream/iostream-ssl.h            |  2 ++
 src/login-common/ssl-proxy-openssl.c           | 30 ++++++++++++++++++++++++++
 9 files changed, 82 insertions(+)

-- 
2.14.1
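As an added example (not part of this patch or of Dovecot's own code), here is how the linear min/max model described above can be parsed from two settings and, for a build that only has the OpenSSL 1.0 SSL_CTX_set_options() API, translated into the equivalent set of SSL_OP_NO_* bits. The function names and the 1.0 fallback strategy are hypothetical assumptions, and the version codes and option bits are copied from OpenSSL's ssl.h so the example compiles without OpenSSL headers.

```c
#include <string.h>
/* Protocol version codes as OpenSSL 1.1 defines them (TLS1_VERSION etc.
 * in <openssl/ssl.h>); copied here so the example builds without OpenSSL. */
#define V_SSL3   0x0300
#define V_TLS1   0x0301
#define V_TLS1_1 0x0302
#define V_TLS1_2 0x0303
/* Legacy SSL_CTX_set_options() bits (SSL_OP_NO_*), same source. */
#define NO_SSL3   0x02000000UL
#define NO_TLS1   0x04000000UL
#define NO_TLS1_2 0x08000000UL
#define NO_TLS1_1 0x10000000UL
static const struct { const char *name; int version; unsigned long no_bit; }
known[] = {
    { "SSLv3",   V_SSL3,   NO_SSL3   },
    { "TLSv1",   V_TLS1,   NO_TLS1   },
    { "TLSv1.1", V_TLS1_1, NO_TLS1_1 },
    { "TLSv1.2", V_TLS1_2, NO_TLS1_2 },
};
/* Parse a hypothetical ssl_min_proto_version / ssl_max_proto_version value.
 * Returns the version code, 0 for an empty value ("no bound", the meaning
 * SSL_CTX_set_{min,max}_proto_version() gives to 0), or -1 if unknown. */
int proto_version_parse(const char *name)
{
    size_t i;
    if (name == NULL || *name == '\0')
        return 0;
    for (i = 0; i < sizeof(known) / sizeof(known[0]); i++)
        if (strcmp(known[i].name, name) == 0)
            return known[i].version;
    return -1;
}
/* Express an inclusive [min,max] range as the SSL_OP_NO_* mask an OpenSSL
 * 1.0 build would pass to SSL_CTX_set_options(), so one configuration model
 * drives both APIs. Returns -1 if the range is empty (min above max). */
int proto_range_to_legacy_mask(int min, int max, unsigned long *mask_r)
{
    size_t i; unsigned long mask = 0;
    if (min < 0 || max < 0 || (min != 0 && max != 0 && min > max))
        return -1;
    for (i = 0; i < sizeof(known) / sizeof(known[0]); i++) {
        int v = known[i].version;   /* disable every version outside the range */
        if ((min != 0 && v < min) || (max != 0 && v > max))
            mask |= known[i].no_bit;
    }
    *mask_r = mask;
    return 0;
}
```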


