ssl_dh required, even though DH is disabled.

Aki Tuomi aki.tuomi at dovecot.fi
Mon Jul 16 09:53:37 EEST 2018


This is a known issue, but thanks for reporting it.


---
Aki Tuomi
Dovecot oy

-------- Original message --------
From: Eric Toombs <ewtoombs at uwaterloo.ca>
Date: 16/07/2018  08:41  (GMT+02:00)
To: dovecot at dovecot.org
Subject: ssl_dh required, even though DH is disabled.

Here's my config:

# 2.3.2 (582970113): /etc/dovecot/dovecot.conf
# OS: Linux 4.17.5-1-ARCH x86_64 Arch Linux
# Hostname: vault
passdb {
  driver = pam
}
protocols = imap
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/myhostname.com/fullchain.pem
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384
ssl_key =  # hidden, use -P to show it
ssl_min_protocol = TLSv1.2

My filesystem is ext4.

Even though I use ssl_cipher_list to forbid DH, dovecot still doesn't
work unless I provide an ssl_dh, delivering the following error:


Jul 14 21:48:08 vault dovecot[8349]: imap-login: Error: Failed to
initialize SSL server context: Couldn't parse DH parameters:
error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: DH
PARAMETERS: user=<>, rip=10.0.0.1, lip=10.0.0.2, session=<4sGi5/9w3pwKAAAB>

While providing an ssl_dh is only a minor annoyance, it would be nice if
I didn't have to.
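
A configuration check related to the report above, added here as an example (not part of the thread and not Dovecot code): it parses `doveconf -n` style text, tolerating a cipher value that mail wrapping has pushed onto the following line, and reports whether any explicitly named suite uses finite-field DH, the suites that would use the `ssl_dh` parameters. The function names are hypothetical, and suites are classified by their OpenSSL name prefix only.

```python
import re

# Constructed sample; the cipher value is wrapped onto the next line, as mail often does.
SAMPLE = """\
ssl_cipher_list =
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA
ssl_min_protocol = TLSv1.2
"""

def top_level_settings(text):
    """Parse 'key = value' lines outside { } blocks, joining a wrapped value."""
    settings, depth, pending = {}, 0, None
    for line in map(str.strip, text.splitlines()):
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and re.match(r"\w+\s*=", line):
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
            pending = None if value else key   # empty value: expect a wrapped line
            continue
        elif depth == 0 and pending and line and not line.startswith("#"):
            settings[pending] = line
        pending = None
    return settings

def finite_field_dh_suites(cipher_list):
    """Split an OpenSSL cipher string into (ffdh, unresolved) suite names.
    Group keywords (HIGH, kDHE, ...) need OpenSSL to expand: unresolved."""
    ffdh, unresolved = [], []
    for token in re.split(r"[:, ]+", cipher_list.strip()):
        if not token or token[0] in "!-":   # exclusions never add a suite
            continue
        name = token.lstrip("+")
        if re.match(r"(DHE|EDH|ADH|DH)-", name):
            ffdh.append(name)
        elif "-" not in name or name.startswith("@"):
            unresolved.append(name)
    return ffdh, unresolved

def audit(text):
    """Report whether the listed suites could ever use the ssl_dh file."""
    s = top_level_settings(text)
    ffdh, unresolved = finite_field_dh_suites(s.get("ssl_cipher_list", ""))
    if not s.get("ssl_cipher_list"):
        unresolved = ["<built-in default list>"]
    return {"ssl_dh_set": bool(s.get("ssl_dh")), "ffdh_suites": ffdh,
            "unresolved": unresolved, "dhe_ruled_out": not (ffdh or unresolved)}
```

For the sample, `audit(SAMPLE)` reports `dhe_ruled_out` as true with `ssl_dh_set` false, which is the combination described in the report.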