On 27/11/2019 08:13, Aki Tuomi via dovecot wrote:
> On 26.11.2019 19.34, Laurens Post via dovecot wrote:
>> Hi all,
>>
>> I'm trying to set up my server with support for TLS 1.3 only, but that
>> does not seem to be supported.
>> First off, TLS 1.3 itself does work fine, so it's not the config or
>> ssl library, and 1.3-only works fine with Postfix. The problem is only
>> in disabling TLS 1.2 for Dovecot.
>> On connection, I'm getting an error that 1.3 is an "Unknown
>> ssl_min_protocol setting".
>> Reading the source code, it seems that
>> `openssl_min_protocol_to_options` in
>> `src/lib-ssl-iostream/iostream-openssl-common.c` is simply missing an
>> entry like
>>
>> { SSL_TXT_TLSV1_3, TLS1_3_VERSION, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
>> SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 }
>>
>> Is this a bug, something intentional, or has it simply not been added
>> yet because nobody has been crazy enough to ask for it?
>>
>> Kind regards,
>>
>> Laurens
> Just haven't gotten round to implementing this yet. Will get there.
Tracking as DOP-1592.
Fix would likely be something like this (not tested):
diff --git a/src/lib-ssl-iostream/iostream-openssl-common.c
b/src/lib-ssl-iostream/iostream-openssl-common.c
index d79c986ed8..e2a4c42ccb 100644
--- a/src/lib-ssl-iostream/iostream-openssl-common.c
+++ b/src/lib-ssl-iostream/iostream-openssl-common.c
@@ -9,6 +9,14 @@
?#include <openssl/err.h>
?#include <arpa/inet.h>
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+/* Weirdly, OpenSSL fails to define this constant, even though TLSv1.3 is
+?? supported. */
+#ifndef SSL_TXT_TLSV1_3
+#define SSL_TXT_TLSV1_3 "TLSv1.3"
+#endif
+#endif
+
?/* openssl_min_protocol_to_options() scans this array for name and returns
??? version and opt. opt is used with SSL_set_options() and version is
used with
??? SSL_set_min_proto_version(). Using either method should enable the same
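Review bot: the `#ifndef SSL_TXT_TLSV1_3` fallback is wrapped in `#if OPENSSL_VERSION_NUMBER >= 0x10101000L`, and the same literal is repeated as the guard for the table entry in the next hunk; hoisting that condition into one macro (for example a `HAVE_TLS1_3` defined once here) keeps the two guards from drifting apart if the threshold is ever adjusted. The inner `#ifndef` already makes the define harmless on every OpenSSL version, so the outer `#if` is only there to avoid advertising a name whose table entry is absent; a short comment saying so, and naming which OpenSSL release lacks the macro, would make "Weirdly, OpenSSL fails to define this constant" easier to verify later.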
@@ -23,6 +31,10 @@ static const struct {
??????? { SSL_TXT_TLSV1_1, TLS1_1_VERSION, SSL_OP_NO_SSLv3 |
SSL_OP_NO_TLSv1 },
??????? { SSL_TXT_TLSV1_2, TLS1_2_VERSION,
??????????????? SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 },
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+?????? { SSL_TXT_TLSV1_3, TLS1_3_VERSION, SSL_OP_NO_SSLv3 |
SSL_OP_NO_TLSv1 |
+???????? SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 },
+#endif
?};
?int openssl_min_protocol_to_options(const char *min_protocol, long *opt_r,
??????????????????????????????????? int *version_r)
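Review bot: because the new entry is compiled out below `0x10101000L`, a Dovecot build against an older OpenSSL still rejects `TLSv1.3` with the same generic "Unknown ssl_min_protocol setting" error the reporter hit, which makes "typo in the config" and "this OpenSSL cannot do TLS 1.3" indistinguishable to the administrator; consider a distinct error for a recognised name that this build does not support. The entry itself matches the reporter's proposal, so with the patch marked "not tested" the remaining check is that `ssl_min_protocol` set to `TLSv1.3` causes a client offering at most TLS 1.2 to fail the handshake while a TLS 1.3 client connects, on both the `SSL_set_options()` mask path and the `SSL_set_min_proto_version()` path the comment above the table describes.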
Regards,
Stephan.
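As an added illustration of the lookup the reporter describes (example code written for this thread, not Dovecot's `openssl_min_protocol_to_options()` and not part of Stephan's patch): a table-driven mapping from an `ssl_min_protocol` name to the version constant and to the cumulative SSL_OP_NO_* mask that disables every older protocol. Instead of spelling out the mask per entry, as the table in the patch does, it accumulates the mask while scanning, so adding a newer entry cannot produce an inconsistent mask, and an unknown name is reported as a failure rather than silently mapped. The numeric constants are copied from OpenSSL 1.1.1's ssl.h (an assumption; the example deliberately does not include the OpenSSL headers so it builds without them).

```c
/* Added example, not Dovecot's code: name -> (version, SSL_OP_NO_* mask)
 * for a minimum-protocol setting.  Constants below are the values from
 * OpenSSL 1.1.1's ssl.h (assumption), redefined here so the example
 * compiles without the OpenSSL headers. */
#include <stdio.h>
#include <string.h>

#define SSL3_VERSION      0x0300
#define TLS1_VERSION      0x0301
#define TLS1_1_VERSION    0x0302
#define TLS1_2_VERSION    0x0303
#define TLS1_3_VERSION    0x0304
#define SSL_OP_NO_SSLv3   0x02000000L
#define SSL_OP_NO_TLSv1   0x04000000L
#define SSL_OP_NO_TLSv1_2 0x08000000L
#define SSL_OP_NO_TLSv1_1 0x10000000L
#define SSL_OP_NO_TLSv1_3 0x20000000L

struct proto_entry {
	const char *name;   /* value accepted in ssl_min_protocol */
	int version;        /* argument for SSL_set_min_proto_version() */
	long no_opt;        /* SSL_OP_NO_* flag that disables this version */
};

/* Must stay ordered from oldest to newest protocol. */
static const struct proto_entry protocols[] = {
	{ "SSLv3",   SSL3_VERSION,   SSL_OP_NO_SSLv3 },
	{ "TLSv1",   TLS1_VERSION,   SSL_OP_NO_TLSv1 },
	{ "TLSv1.1", TLS1_1_VERSION, SSL_OP_NO_TLSv1_1 },
	{ "TLSv1.2", TLS1_2_VERSION, SSL_OP_NO_TLSv1_2 },
	{ "TLSv1.3", TLS1_3_VERSION, SSL_OP_NO_TLSv1_3 },
};

/* Returns 0 and fills *opt_r / *version_r, or -1 for an unknown name
 * (the case an admin sees as "Unknown ssl_min_protocol setting"). */
int min_protocol_to_options(const char *min_protocol, long *opt_r, int *version_r)
{
	long opt = 0;
	size_t i;

	for (i = 0; i < sizeof(protocols) / sizeof(protocols[0]); i++) {
		if (strcmp(protocols[i].name, min_protocol) == 0) {
			*opt_r = opt;
			*version_r = protocols[i].version;
			return 0;
		}
		/* Every protocol older than the requested minimum is disabled. */
		opt |= protocols[i].no_opt;
	}
	return -1;
}

/* Convenience wrappers used by the self-check: -1 for an unknown name. */
long options_for(const char *name)
{
	long opt; int version;
	return min_protocol_to_options(name, &opt, &version) == 0 ? opt : -1;
}

int version_for(const char *name)
{
	long opt; int version;
	return min_protocol_to_options(name, &opt, &version) == 0 ? version : -1;
}

int main(void)
{
	/* Constructed sample settings, including one unknown name. */
	const char *names[] = { "TLSv1", "TLSv1.2", "TLSv1.3", "TLSv1.4" };
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		long opt; int version;
		if (min_protocol_to_options(names[i], &opt, &version) < 0)
			printf("%-8s unknown ssl_min_protocol setting\n", names[i]);
		else
			printf("%-8s version=0x%04x options=0x%08lx\n",
			       names[i], version, opt);
	}
	return 0;
}
```

Run as-is, the program prints the version and option mask for each name; for "TLSv1.3" the mask is the four SSL_OP_NO_* flags the reporter listed, and "TLSv1.4" is rejected instead of being mapped to anything. Names are matched case-sensitively, as the string constants in the patch are.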