ssl_dh required, even though DH is disabled.

Aki Tuomi aki.tuomi at dovecot.fi
Fri Aug 3 14:49:10 EEST 2018


Hi!

This change has now been committed, please find it at
https://github.com/dovecot/core/compare/cd08262%5E...dd6323.patch

Aki

On 16.07.2018 09:53, Aki Tuomi wrote:
> This is a known issue, but thanks for reporting it.
>
>
>
> ---
> Aki Tuomi
> Dovecot oy
>
> -------- Original message --------
> From: Eric Toombs <ewtoombs at uwaterloo.ca>
> Date: 16/07/2018 08:41 (GMT+02:00)
> To: dovecot at dovecot.org
> Subject: ssl_dh required, even though DH is disabled.
>
> Here's my config:
>
> # 2.3.2 (582970113): /etc/dovecot/dovecot.conf
> # OS: Linux 4.17.5-1-ARCH x86_64 Arch Linux
> # Hostname: vault
> passdb {
>   driver = pam
> }
> protocols = imap
> service imap-login {
>   inet_listener imap {
>     port = 0
>   }
> }
> ssl = required
> ssl_cert = </etc/letsencrypt/live/myhostname.com/fullchain.pem
> ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384
> ssl_key =  # hidden, use -P to show it
> ssl_min_protocol = TLSv1.2
>
> My filesystem is ext4.
>
> Even though I use ssl_cipher_list to forbid DH, dovecot still doesn't
> work unless I provide an ssl_dh, delivering the following error:
>
>
> Jul 14 21:48:08 vault dovecot[8349]: imap-login: Error: Failed to
> initialize SSL server context: Couldn't parse DH parameters:
> error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: DH
> PARAMETERS: user=<>, rip=10.0.0.1, lip=10.0.0.2,
> session=<4sGi5/9w3pwKAAAB>
>
> While providing an ssl_dh is only a minor annoyance, it would be nice if
> I didn't have to.
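
Added example (not part of the thread and not Dovecot code): one way to confirm that an ssl_cipher_list such as the one quoted above enables no finite-field DHE suites, by asking the local OpenSSL, through Python's ssl module, to expand the string. The function names are hypothetical, and the result reflects the OpenSSL build Python is linked against, which is assumed to match the one the mail server uses.

```python
import ssl

# ssl_cipher_list value copied from the configuration quoted above.
PAGE_CIPHER_LIST = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
])

# Key-exchange labels that get_ciphers() reports for finite-field DHE suites.
FFDH_KEA = {"kx-dhe", "kx-dhe-psk"}


def expand(cipher_list):
    """Let OpenSSL expand a cipher string (keywords such as HIGH included)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()      # one dict per enabled suite


def ffdh_suites(cipher_list):
    """Names of enabled suites whose key exchange is finite-field DHE."""
    return sorted(c["name"] for c in expand(cipher_list)
                  if c.get("kea") in FFDH_KEA)


def needs_dh_params(cipher_list):
    """True if at least one enabled suite would use DH parameters."""
    return bool(ffdh_suites(cipher_list))


if __name__ == "__main__":
    # The second entry is a constructed variant with one DHE suite appended.
    samples = {
        "list from the quoted config": PAGE_CIPHER_LIST,
        "same list plus one DHE suite": PAGE_CIPHER_LIST
        + ":DHE-RSA-AES128-GCM-SHA256",
    }
    for label, value in samples.items():
        found = ffdh_suites(value)
        print(f"{label}: {'DHE enabled: ' + ', '.join(found) if found else 'no DHE suites'}")
```

TLS 1.3 suites also appear in the expanded list, but they are reported with a generic key-exchange label and are not counted here.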
