BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
Aki Tuomi
aki.tuomi at open-xchange.com
Tue Sep 22 20:51:40 EEST 2020
> On 22/09/2020 20:05 PGNet Dev <pgnet.dev at gmail.com> wrote:
>
>
> bump
>
> On 8/24/20 5:17 PM, PGNet Dev wrote:
> > I've
> >
> > dovecot --version
> > 2.3.10.1 (a3d0e1171)
> > openssl version
> > OpenSSL 1.1.1g FIPS 21 Apr 2020
> >
> > , atm on Fedora32.
> >
> > I configure
> >
> > /etc/pki/tls/openssl.cnf
> >
> > to set preferences for apps' usage, e.g. Postfix etc; Typically, here
> >
> > cat /etc/pki/tls/openssl.cnf
> >
> > openssl_conf = default_conf
> >
> > [default_conf]
> > ssl_conf = ssl_sect
> >
> > [ssl_sect]
> > system_default = system_default_sect
> >
> > [system_default_sect]
> > MinProtocol = TLSv1.2
> > Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
> > CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
> > Options = PrioritizeChaCha,ServerPreference
> >
> > However, any/all sends from local client via Dovecot submission -- from an instance on the same server -- FAILS with that^^ openssl.cnf,
> >
> > ==> /var/log/dovecot/dovecot.log <==
> > ...
> > 2020-08-24 17:04:42 submission(testuser at example.com)<D4c5c6itUg2sHgsH>: Error: smtp-client: conn int.mx.example.net:465 (10.0.4.65:465) [1]: connect(int.mx.example.net:465) failed: Failed to initialize SSL: Couldn't initialize SSL context: Can't load SSL certificate: error:14187180:SSL routines:ssl_do_config:bad value: section=system_default, cmd=Options, arg=ServerPreference,PrioritizeChaCha
> > 2020-08-24 17:04:42 submission(testuser at example.com)<D4c5c6itUg2sHgsH>: Error: Failed to establish relay connection: Failed to connect to remote server
> > ...
> >
> > editing,
> >
> > - Options = PrioritizeChaCha,ServerPreference
> > + Options = PrioritizeChaCha
> >
> > cures the error
> >
> > ==> /var/log/dovecot/dovecot.log <==
> > ...
> > 2020-08-24 17:08:04 submission(testuser at example.com)<Uow+f6itZg2sHgsH>: Info: Successfully relayed message: from=<testuser at example.com>, size=433, id=Mh4pJWRWRF9jHQAAVDn7pA, nrcpt=1, reply=`250 2.0.0 Ok: queued as 4Bb8TJ4VQbz7v6t'
> > ...
> >
> > checking ssl docs
> >
> > https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html
> >
> > BOTH are valid 'Options',
> >
> > ...
> > ServerPreference: use server and not client preference order when determining which cipher suite, signature algorithm or elliptic curve to use for an incoming connection. Equivalent to SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by servers.
> >
> > PrioritizeChaCha: prioritizes ChaCha ciphers when the client has a ChaCha20 cipher at the top of its preference list. This usually indicates a mobile client is in use. Equivalent to SSL_OP_PRIORITIZE_CHACHA. Only used by servers.
> > ...
> >
> >
> > The mere presence of that option in a system-wide openssl.cnf shouldn't cause a Dovecot submission failure.
> >
Well, dovecot does not actually do any parsing for system-wide openssl.cnf. This sounds more like OpenSSL issue than dovecot issue.
Aki
More information about the dovecot
mailing list