ssl_min_protocol = TLSv1.3 does not work

Stephan Bosch stephan at rename-it.nl
Sun Dec 8 13:27:35 EET 2019



On 27/11/2019 08:13, Aki Tuomi via dovecot wrote:
> On 26.11.2019 19.34, Laurens Post via dovecot wrote:
>> Hi all,
>>
>> I'm trying to set up my server with support for TLS 1.3 only, but that
>> does not seem to be supported.
>> First off, TLS 1.3 itself does work fine, so it's not the config or
>> ssl library, and 1.3-only works fine with Postfix. The problem is only
>> in disabling TLS 1.2 for Dovecot.
>> On connection, I'm getting an error that 1.3 is an "Unknown
>> ssl_min_protocol setting".
>> Reading the source code, it seems that
>> `openssl_min_protocol_to_options` in
>> `src/lib-ssl-iostream/iostream-openssl-common.c` is simply missing an
>> entry like
>>
>> { SSL_TXT_TLSV1_3, TLS1_3_VERSION, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
>> SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 }
>>
>> Is this a bug, something intentional, or has it simply not been added
>> yet because nobody has been crazy enough to ask for it?
>>
>> Kind regards,
>>
>> Laurens
> Just haven't gotten round to implement this yet. Will get there.

Tracking as DOP-1592.

Fix would likely be something like this (not tested):

diff --git a/src/lib-ssl-iostream/iostream-openssl-common.c 
b/src/lib-ssl-iostream/iostream-openssl-common.c
index d79c986ed8..e2a4c42ccb 100644
--- a/src/lib-ssl-iostream/iostream-openssl-common.c
+++ b/src/lib-ssl-iostream/iostream-openssl-common.c
@@ -9,6 +9,14 @@
  #include <openssl/err.h>
  #include <arpa/inet.h>

+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+/* Weirdly, OpenSSL fails to define this constant, even though TLSv1.3 is
+   supported. */
+#ifndef SSL_TXT_TLSV1_3
+#define SSL_TXT_TLSV1_3 "TLSv1.3"
+#endif
+#endif
+
  /* openssl_min_protocol_to_options() scans this array for name and returns
     version and opt. opt is used with SSL_set_options() and version is 
used with
     SSL_set_min_proto_version(). Using either method should enable the same
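Review bot: the `#ifndef SSL_TXT_TLSV1_3` fallback is already self-guarding, so wrapping it in `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` adds nothing; either define the string unconditionally or, if a guard is wanted, use `#ifdef TLS1_3_VERSION`, which ties the definition to the macro the new table row actually depends on rather than to a raw version number that forks of OpenSSL may report differently.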
@@ -23,6 +31,10 @@ static const struct {
         { SSL_TXT_TLSV1_1, TLS1_1_VERSION, SSL_OP_NO_SSLv3 | 
SSL_OP_NO_TLSv1 },
         { SSL_TXT_TLSV1_2, TLS1_2_VERSION,
                 SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 },
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+       { SSL_TXT_TLSV1_3, TLS1_3_VERSION, SSL_OP_NO_SSLv3 | 
SSL_OP_NO_TLSv1 |
+         SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 },
+#endif
  };
  int openssl_min_protocol_to_options(const char *min_protocol, long *opt_r,
                                     int *version_r)
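Review bot: the version gate on this row has to stay in lockstep with the one that defines SSL_TXT_TLSV1_3 in the previous hunk, otherwise the entry references an undefined name; a single `#ifdef TLS1_3_VERSION` in both places would make that coupling explicit. The option mask follows the pattern of the rows above (every lower protocol disabled, now including SSL_OP_NO_TLSv1_2), and since the patch is marked untested, a check that `ssl_min_protocol = TLSv1.3` now passes openssl_min_protocol_to_options() without the "Unknown ssl_min_protocol setting" error would close the loop on the original report.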



Regards,

Stephan.

