Unable to set ssl_min_protocol=TLSv1.3
Thomas Schneider
qsx at chaotikum.eu
Mon Apr 13 12:35:56 EEST 2020
Good $daytime,
as per the recommendations of Mozilla’s SSL config generator[0], I
wanted to set ssl_min_protocol=TLSv1.3 in my dovecot config. This
produced the error:
imap-login: Error: Failed to initialize SSL server context: Unknown
ssl_min_protocol setting 'TLSv1.3'
After some digging, I found the function that parses this setting in
src/lib-ssl-iostream/iostream-openssl-common.c
(openssl_min_protocol_to_options()), which maps strings such as
SSL_TXT_TLSV1_2 == "TLSv1.2" (from openssl/ssl.h) to the appropriate
version and option defines of OpenSSL.
Said openssl/ssl.h does not contain a SSL_TXT_TLSV1_3, so it’s no
surprise that dovecot does not know this setting. As a quick fix, I
could probably extend struct {…} protocol_versions[] (in
iostream-openssl-common.c again) with an appropriate "TLSv1.3" entry
(and send a patch), though I would also suggest to OpenSSL to add a
SSL_TXT_TLSV1_3 define.
Unfortunately, I have not found a config setting in dovecot to set
SSL_OP_NO_TLSv1_2, or in fact any way to enforce TLS >=1.3, except maybe
via the cipher list string.
I think that dovecot should support setting this, and I’d also gladly
provide a patch.
Thanks,
Thomas
[0]: https://ssl-config.mozilla.org/#server=dovecot&version=2.3.4.1&config=modern&openssl=1.1.1d&guideline=5.4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <https://dovecot.org/pipermail/dovecot/attachments/20200413/6ce6f316/attachment-0001.sig>
More information about the dovecot
mailing list