ssl_min_protocol = TLSv1.3 does not work

Laurens Post l.k.post at students.uu.nl
Tue Nov 26 19:34:59 EET 2019


Hi all,

I'm trying to set up my server with support for TLS 1.3 only, but that does
not seem to be supported.
First off, TLS 1.3 itself does work fine, so it's not the config or ssl
library, and 1.3-only works fine with Postfix. The problem is only in
disabling TLS 1.2 for Dovecot.
On connection, I'm getting an error that 1.3 is an "Unknown
ssl_min_protocol setting".
Reading the source code, it seems that `openssl_min_protocol_to_options` in
`src/lib-ssl-iostream/iostream-openssl-common.c` is simply missing an entry
like

{ SSL_TXT_TLSV1_3, TLS1_3_VERSION, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 }

Is this a bug, something intentional, or has it simply not been added yet
because nobody has been crazy enough to ask for it?

Kind regards,

Laurens
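
A way to check from the client side whether a TLS 1.3 floor is actually enforced, written as an added example (not part of the original post and not Dovecot code). It assumes the service speaks implicit TLS on port 993, and the host name mail.example.org is a placeholder.

```python
import socket
import ssl


def pinned_context(version):
    """Client context that offers exactly one TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only the negotiated protocol version is being probed here, so
    # certificate validation is switched off for this check.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def server_accepts(host, port, version, timeout=5.0):
    """Return the negotiated version string, or None if the server refuses.

    A TLS alert, an abrupt close or a reset during the handshake counts as
    a refusal. Other network errors (host unreachable, timeout) propagate,
    so an outage is not mistaken for a correctly enforced floor.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            ctx = pinned_context(version)
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, ConnectionResetError):
        return None


def tls13_only(host, port=993):
    """True when TLS 1.2 is refused and TLS 1.3 is negotiated."""
    refused_12 = server_accepts(host, port, ssl.TLSVersion.TLSv1_2) is None
    got_13 = server_accepts(host, port, ssl.TLSVersion.TLSv1_3) == "TLSv1.3"
    return refused_12 and got_13


if __name__ == "__main__":
    # Placeholder host; replace with the server under test.
    print("TLS 1.3 only:", tls13_only("mail.example.org"))
```
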