ssl_min_protocol = TLSv1.3 does not work

ssl_min_protocol = TLSv1.3 does not work

Dovecot mailing list
Hi all,

I'm trying to set up my server with support for TLS 1.3 only, but that does not seem to be supported.
First off, TLS 1.3 itself does work fine, so it's not the config or ssl library, and 1.3-only works fine with Postfix. The problem is only in disabling TLS 1.2 for Dovecot.
On connection, I'm getting an error that 1.3 is an "Unknown ssl_min_protocol setting".
Reading the source code, it seems that `openssl_min_protocol_to_options` in `src/lib-ssl-iostream/iostream-openssl-common.c` is simply missing an entry like

{ SSL_TXT_TLSV1_3, TLS1_3_VERSION, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 }

Is this a bug, something intentional, or has it simply not been added yet because nobody has been crazy enough to ask for it?

Kind regards,

Laurens
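Added example (not part of this thread and not Dovecot code): what a TLS 1.3-only minimum protocol has to do on the wire, using Go's crypto/tls in place of the OpenSSL option table discussed above. A server whose minimum version is TLS 1.3 completes the handshake with a client that offers 1.3 and refuses, with a protocol_version alert, a client capped at 1.2. That refusal is the observable behaviour to check once Dovecot honours `ssl_min_protocol = TLSv1.3`. The self-signed certificate and the in-memory pipe are constructed test fixtures, not anything from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA certificate for "localhost" so the
// example runs offline. Constructed test material, not a deployment certificate.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshakeResult runs one in-memory handshake between a server whose minimum
// protocol is TLS 1.3 (the policy the thread wants from Dovecot) and a client
// that offers at most clientMax. It returns the negotiated version, or 0 plus
// the client-side error when the server refused the connection.
func handshakeResult(cert tls.Certificate, clientMax uint16) (uint16, error) {
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return 0, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf) // trust our own test certificate; no InsecureSkipVerify needed

	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS13, // equivalent of ssl_min_protocol = TLSv1.3
	}
	clientCfg := &tls.Config{
		RootCAs:    roots,
		ServerName: "localhost",
		MinVersion: tls.VersionTLS12,
		MaxVersion: clientMax, // the highest version this peer is willing to speak
	}

	// net.Pipe gives two synchronous in-memory connection ends, so the whole
	// handshake happens inside this process.
	clientSide, serverSide := net.Pipe()
	serverDone := make(chan error, 1)
	go func() {
		defer serverSide.Close()
		serverDone <- tls.Server(serverSide, serverCfg).Handshake()
	}()

	cli := tls.Client(clientSide, clientCfg)
	err = cli.Handshake()
	version := uint16(0)
	if err == nil {
		version = cli.ConnectionState().Version
	}
	clientSide.Close() // close the raw pipe end; no close_notify exchange is needed here
	<-serverDone
	return version, err
}

// versionName renders a TLS version constant for the demo output.
func versionName(v uint16) string {
	switch v {
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	default:
		return fmt.Sprintf("0x%04x", v)
	}
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	for _, max := range []uint16{tls.VersionTLS13, tls.VersionTLS12} {
		v, err := handshakeResult(cert, max)
		if err != nil {
			fmt.Printf("client max %s: refused (%v)\n", versionName(max), err)
			continue
		}
		fmt.Printf("client max %s: negotiated %s\n", versionName(max), versionName(v))
	}
}
```

The same check against a live listener is a client deliberately limited to TLS 1.2, for example `openssl s_client -connect host:993 -tls1_2`; once the minimum protocol is enforced that connection must be refused, while a default `s_client` run should report TLSv1.3 as the negotiated protocol.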

Re: ssl_min_protocol = TLSv1.3 does not work


On 26.11.2019 19.34, Laurens Post via dovecot wrote:

> Hi all,
>
> I'm trying to set up my server with support for TLS 1.3 only, but that
> does not seem to be supported.
> First off, TLS 1.3 itself does work fine, so it's not the config or
> ssl library, and 1.3-only works fine with Postfix. The problem is only
> in disabling TLS 1.2 for Dovecot.
> On connection, I'm getting an error that 1.3 is an "Unknown
> ssl_min_protocol setting".
> Reading the source code, it seems that
> `openssl_min_protocol_to_options` in
> `src/lib-ssl-iostream/iostream-openssl-common.c` is simply missing an
> entry like
>
> { SSL_TXT_TLSV1_3, TLS1_3_VERSION, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
> SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 }
>
> Is this a bug, something intentional, or has it simply not been added
> yet because nobody has been crazy enough to ask for it?
>
> Kind regards,
>
> Laurens


Hi!

Just haven't gotten round to implementing this yet. Will get there.

Aki


Re: ssl_min_protocol = TLSv1.3 does not work



On 27/11/2019 08:13, Aki Tuomi via dovecot wrote:

> On 26.11.2019 19.34, Laurens Post via dovecot wrote:
>> Hi all,
>>
>> I'm trying to set up my server with support for TLS 1.3 only, but that
>> does not seem to be supported.
>> First off, TLS 1.3 itself does work fine, so it's not the config or
>> ssl library, and 1.3-only works fine with Postfix. The problem is only
>> in disabling TLS 1.2 for Dovecot.
>> On connection, I'm getting an error that 1.3 is an "Unknown
>> ssl_min_protocol setting".
>> Reading the source code, it seems that
>> `openssl_min_protocol_to_options` in
>> `src/lib-ssl-iostream/iostream-openssl-common.c` is simply missing an
>> entry like
>>
>> { SSL_TXT_TLSV1_3, TLS1_3_VERSION, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
>> SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 }
>>
>> Is this a bug, something intentional, or has it simply not been added
>> yet because nobody has been crazy enough to ask for it?
>>
>> Kind regards,
>>
>> Laurens
> Just haven't gotten round to implementing this yet. Will get there.

Tracking as DOP-1592.

Fix would likely be something like this (not tested):

diff --git a/src/lib-ssl-iostream/iostream-openssl-common.c
b/src/lib-ssl-iostream/iostream-openssl-common.c
index d79c986ed8..e2a4c42ccb 100644
--- a/src/lib-ssl-iostream/iostream-openssl-common.c
+++ b/src/lib-ssl-iostream/iostream-openssl-common.c
@@ -9,6 +9,14 @@
  #include <openssl/err.h>
  #include <arpa/inet.h>

+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+/* Weirdly, OpenSSL fails to define this constant, even though TLSv1.3 is
+   supported. */
+#ifndef SSL_TXT_TLSV1_3
+#define SSL_TXT_TLSV1_3 "TLSv1.3"
+#endif
+#endif
+
  /* openssl_min_protocol_to_options() scans this array for name and returns
     version and opt. opt is used with SSL_set_options() and version is
used with
     SSL_set_min_proto_version(). Using either method should enable the same
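Review bot: the `#ifndef SSL_TXT_TLSV1_3` fallback already makes the define safe on any OpenSSL, so wrapping it in `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` adds nothing here; drop the outer guard and keep the version gate only on the table row itself. For that row, `#ifdef TLS1_3_VERSION` would be the more direct condition, since that is the symbol the entry actually consumes and it does not depend on how a given library reports OPENSSL_VERSION_NUMBER. The comment "Weirdly, OpenSSL fails to define this constant" also reads as a claim about every release; since the fallback exists precisely because the header may or may not provide the name, something like "older ssl.h may not define this" says what the code does.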
@@ -23,6 +31,10 @@ static const struct {
         { SSL_TXT_TLSV1_1, TLS1_1_VERSION, SSL_OP_NO_SSLv3 |
SSL_OP_NO_TLSv1 },
         { SSL_TXT_TLSV1_2, TLS1_2_VERSION,
                 SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 },
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+       { SSL_TXT_TLSV1_3, TLS1_3_VERSION, SSL_OP_NO_SSLv3 |
SSL_OP_NO_TLSv1 |
+         SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 },
+#endif
  };
  int openssl_min_protocol_to_options(const char *min_protocol, long *opt_r,
                                     int *version_r)
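Review bot: the new row follows the pattern of the ones above it (each entry clears every protocol below the one it names), so the version/opt pair is consistent, but the hunk as mailed will not apply: the mailer re-wrapped `SSL_OP_NO_TLSv1 |` onto its own unprefixed line, and the TLSv1.1 context line has the same damage. Resend with `git format-patch` or as an attachment. Since the message says it is untested, a unit check that `openssl_min_protocol_to_options("TLSv1.3", &opt, &version)` succeeds with `version == TLS1_3_VERSION` and with `opt` including `SSL_OP_NO_TLSv1_2` would cover the entry, and a handshake from a client limited to TLS 1.2 should then be refused by a server configured with `ssl_min_protocol = TLSv1.3`.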



Regards,

Stephan.