Unable to set ssl_min_protocol=TLSv1.3
Aki Tuomi
aki.tuomi at open-xchange.com
Mon Apr 13 18:48:56 EEST 2020
> On 13/04/2020 12:35 Thomas Schneider <qsx at chaotikum.eu> wrote:
>
>
> Good $daytime,
>
> as per the recommendations of Mozilla’s SSL config generator[0], I
> wanted to set ssl_min_protocol=TLSv1.3 in my dovecot config. This
> produced the error:
>
> imap-login: Error: Failed to initialize SSL server context: Unknown
> ssl_min_protocol setting 'TLSv1.3'
>
> After some digging, I found the function that parses this setting in
> src/lib-ssl-iostream/iostream-openssl-common.c
> (openssl_min_protocol_to_options()), which maps strings such as
> SSL_TXT_TLSV1_2 == "TLSv1.2" (from openssl/ssl.h) to the appropriate
> version and option defines of OpenSSL.
>
> Said openssl/ssl.h does not contain a SSL_TXT_TLSV1_3, so it’s no
> surprise that dovecot does not know this setting. As a quick fix, I
> could probably extend struct {…} protocol_versions[] (in
> iostream-openssl-common.c again) with an appropriate "TLSv1.3" entry
> (and send a patch), though I would also suggest to OpenSSL to add a
> SSL_TXT_TLSV1_3 define.
>
> Unfortunately, I have not found a config setting in dovecot to set
> SSL_OP_NO_TLSv1_2, or in fact any way to enforce TLS >=1.3, except maybe
> via the cipher list string.
>
> I think that dovecot should support setting this, and I’d also gladly
> provide a patch.
>
> Thanks,
> Thomas
Hi!
What version of Dovecot are you using? What OS/distro are you using?
I'm guessing you're seeing this, see https://dovecot.org/pipermail/dovecot/2019-December/117799.html
Aki
More information about the dovecot
mailing list