Unable to set ssl_min_protocol=TLSv1.3

Thomas Schneider qsx at chaotikum.eu
Mon Apr 13 12:35:56 EEST 2020

Good $daytime,

as per the recommendations of Mozilla’s SSL config generator[0], I
wanted to set ssl_min_protocol=TLSv1.3 in my dovecot config.  This
produced the error:

  imap-login: Error: Failed to initialize SSL server context: Unknown
  ssl_min_protocol setting 'TLSv1.3'

After some digging, I found the function that parses this setting in
(openssl_min_protocol_to_options()), which maps strings such as
SSL_TXT_TLSV1_2 == "TLSv1.2" (from openssl/ssl.h) to the appropriate
version and option defines of OpenSSL.

Said openssl/ssl.h does not contain a SSL_TXT_TLSV1_3, so it’s no
surprise that dovecot does not know this setting.  As a quick fix, I
could probably extend struct {…} protocol_versions[] (in
iostream-openssl-common.c again) with an appropriate "TLSv1.3" entry
(and send a patch), though I would also suggest to OpenSSL to add a
SSL_TXT_TLSV1_3 define.

Unfortunately, I have not found a config setting in dovecot to set
SSL_OP_NO_TLSv1_2, or in fact any way to enforce TLS >=1.3, except maybe
via the cipher list string.

I think that dovecot should support setting this, and I’d also gladly
provide a patch.


[0]: https://ssl-config.mozilla.org/#server=dovecot&version=
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <https://dovecot.org/pipermail/dovecot/attachments/20200413/6ce6f316/attachment-0001.sig>

More information about the dovecot mailing list