Unable to set ssl_min_protocol=TLSv1.3

Aki Tuomi aki.tuomi at open-xchange.com
Mon Apr 13 18:48:56 EEST 2020


> On 13/04/2020 12:35 Thomas Schneider <qsx at chaotikum.eu> wrote:
> 
>  
> Good $daytime,
> 
> as per the recommendations of Mozilla’s SSL config generator[0], I
> wanted to set ssl_min_protocol=TLSv1.3 in my dovecot config.  This
> produced the error:
> 
>   imap-login: Error: Failed to initialize SSL server context: Unknown
>   ssl_min_protocol setting 'TLSv1.3'
> 
> After some digging, I found the function that parses this setting in
> src/lib-ssl-iostream/iostream-openssl-common.c
> (openssl_min_protocol_to_options()), which maps strings such as
> SSL_TXT_TLSV1_2 == "TLSv1.2" (from openssl/ssl.h) to the appropriate
> version and option defines of OpenSSL.
> 
> Said openssl/ssl.h does not contain a SSL_TXT_TLSV1_3, so it’s no
> surprise that dovecot does not know this setting.  As a quick fix, I
> could probably extend struct {…} protocol_versions[] (in
> iostream-openssl-common.c again) with an appropriate "TLSv1.3" entry
> (and send a patch), though I would also suggest to OpenSSL to add a
> SSL_TXT_TLSV1_3 define.
> 
> Unfortunately, I have not found a config setting in dovecot to set
> SSL_OP_NO_TLSv1_2, or in fact any way to enforce TLS >=1.3, except maybe
> via the cipher list string.
> 
> I think that dovecot should support setting this, and I’d also gladly
> provide a patch.
> 
> Thanks,
> Thomas

Hi!

What version of Dovecot are you using? What OS/distro are you using?

I'm guessing you're seeing this, see https://dovecot.org/pipermail/dovecot/2019-December/117799.html

Aki
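The parser Thomas describes, as an added example that is not dovecot's or OpenSSL's own code: a table-driven mapping from an ssl_min_protocol name to OpenSSL's minimum-version constant and to the SSL_OP_NO_* mask that disables every older version, with the "TLSv1.3" entry the thread says is missing. The table and function names are hypothetical, and the constants mirror the values in openssl/ssl.h so the block compiles without libssl.

```c
#include <stddef.h>
#include <string.h>

/* Version numbers and SSL_OP_NO_* bits as defined in <openssl/ssl.h>
 * (OpenSSL 1.1.1); mirrored here so the example compiles without libssl.
 * In real code include the header instead of redefining them. */
#ifndef TLS1_3_VERSION
#define SSL3_VERSION      0x0300
#define TLS1_VERSION      0x0301
#define TLS1_1_VERSION    0x0302
#define TLS1_2_VERSION    0x0303
#define TLS1_3_VERSION    0x0304
#define SSL_OP_NO_SSLv3   0x02000000UL
#define SSL_OP_NO_TLSv1   0x04000000UL
#define SSL_OP_NO_TLSv1_2 0x08000000UL
#define SSL_OP_NO_TLSv1_1 0x10000000UL
#define SSL_OP_NO_TLSv1_3 0x20000000UL
#endif

/* Hypothetical table in the spirit of dovecot's protocol_versions[],
 * ordered oldest to newest and extended with a "TLSv1.3" entry. */
static const struct {
    const char *name;     /* value accepted in ssl_min_protocol */
    int version;          /* for SSL_CTX_set_min_proto_version() */
    unsigned long no_opt; /* SSL_OP_NO_* bit that disables this version */
} protocol_versions[] = {
    { "SSLv3",   SSL3_VERSION,   SSL_OP_NO_SSLv3 },
    { "TLSv1",   TLS1_VERSION,   SSL_OP_NO_TLSv1 },
    { "TLSv1.1", TLS1_1_VERSION, SSL_OP_NO_TLSv1_1 },
    { "TLSv1.2", TLS1_2_VERSION, SSL_OP_NO_TLSv1_2 },
    { "TLSv1.3", TLS1_3_VERSION, SSL_OP_NO_TLSv1_3 },
};

/* Map a min-protocol name to the minimum version and to the SSL_OP_NO_*
 * mask that disables every strictly older version. Returns -1 for an
 * unknown name, the condition behind "Unknown ssl_min_protocol setting". */
int min_protocol_to_options(const char *name, int *version_r,
                            unsigned long *opts_r)
{
    size_t i, n = sizeof(protocol_versions) / sizeof(protocol_versions[0]);
    unsigned long opts = 0;
    for (i = 0; i < n; i++) {
        if (strcmp(protocol_versions[i].name, name) == 0) {
            *version_r = protocol_versions[i].version;
            *opts_r = opts; /* bits for all versions older than this one */
            return 0;
        }
        opts |= protocol_versions[i].no_opt; /* older than the requested one */
    }
    return -1;
}
```

With a table that lacks the "TLSv1.3" row, the same lookup returns -1 for that name, which is exactly the error imap-login reports.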