ssl_curve_list seems to be ignored with Dovecot 2.3

Marcel Menzel
Hi all,


after upgrading to Dovecot 2.3, I've noticed the new "ssl_curve_list"
TLS option in 10-ssl.conf.
Setting it to "ssl_curve_list = X25519:P-256" or leaving it blank (auto)
does not change anything, Dovecot keeps on negotiating P-384:
Server Temp Key: ECDH, P-384, 384 bits

When using "-curves X25519" in s_client, it does a fallback to DH:
Server Temp Key: DH, 4096 bits

I'm on Dovecot 2.3.0 (c8b89eb) with OpenSSL 1.1.0g  2 Nov 2017 on Arch
Linux 4.14.8-1-ARCH.

Am I missing something here? OpenSSL 1.1 defaults to Curve25519 when
leaving it on auto.



Greetings,

Marcel Menzel
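
The check described in the post can be scripted. The following is an added example, not part of the original message and not Dovecot's own code: it reads `openssl s_client` output and compares the "Server Temp Key" line with an ssl_curve_list value. The function names are hypothetical, and the "X25519, 253 bits" line format is assumed from OpenSSL 1.1 s_client output.

```shell
#!/bin/sh
# Added example (not from the original post): check the "Server Temp Key"
# line printed by `openssl s_client` against a Dovecot ssl_curve_list value.

# Read s_client output on stdin; print the negotiated group:
# "ECDH, P-384, 384 bits" -> P-384, "X25519, 253 bits" -> X25519,
# "DH, 4096 bits" -> DH. Prints nothing if the line is absent.
temp_key_group() {
    sed -n 's/^Server Temp Key: *//p' | head -n 1 | awk -F', *' '
        $1 == "ECDH" { print $2; next }
        NF >= 2      { print $1 }'
}

# Map OpenSSL curve names to the NIST names s_client reports.
nist_names() {
    printf '%s\n' "$1" | sed -e 's/prime256v1/P-256/g' \
        -e 's/secp384r1/P-384/g' -e 's/secp521r1/P-521/g'
}

# check_curve_list LIST < s_client-output
# Verdicts: "ok G" (G is in LIST, or LIST is empty/auto), "ignored G"
# (ECDHE used a group outside LIST), "dh-fallback", "no-temp-key".
check_curve_list() {
    wanted=$(nist_names "$1")
    got=$(temp_key_group)
    [ -n "$got" ] || { echo "no-temp-key"; return 2; }
    [ "$got" != "DH" ] || { echo "dh-fallback"; return 1; }
    case ":$wanted:" in
        ::|*":$got:"*) echo "ok $got"; return 0 ;;
        *) echo "ignored $got"; return 1 ;;
    esac
}

# Constructed samples using the two lines quoted in the post.
for line in "Server Temp Key: ECDH, P-384, 384 bits" \
            "Server Temp Key: DH, 4096 bits"; do
    printf '%s\n' "$line" | check_curve_list "X25519:P-256" || :
done
# Live use (mail.example.org is a placeholder host):
#   openssl s_client -connect mail.example.org:993 </dev/null 2>/dev/null |
#     check_curve_list "X25519:P-256"
```

The non-zero return codes make the function usable as a post-upgrade check in a deployment script.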