Steve Egbert
2020-May-08 15:50 UTC
Unable to disable TLSv1.3 or fallback to TLSv1.2 when 1 cipher is disabled
I have an operational need to disable TLSv1.3 due to inadequate support to exclude certain ciphers. Much to my dismay, the `ssl_protocols` had been renamed and re-functionalized into `ssl_min_protocol`. Now, there is no way to exclude a specific group of one or more TLS versions. For a new bug report, I think we need two new settings: * `ssl_tls13_ciphersuite` and * `ssl_tls10_cipher` settings introduced into Dovecot for better granularity. ALong with support for fallback to TLSv1.2 as outlined in https://bugzilla.mozilla.org/show_bug.cgi?id=1250568 I'm still being hammered with the following error with Thunderbird 76.0b3, Dovecot 2.3.4.1-5+deb10u1, Debian 11: May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL alert: where=0x4008, ret=582: fatal protocol version May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol May 8 11:15:47 ns1 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=XX.XX.XX.XX, lip=XX.XX.XX.XX, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=<GN/GeCSlYuhEhl2U> May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL error: SSL_accept() syscall failed: Invalid argument This occurred when specifying one TLSv1.3 cipher to be excluded in ssl_cipher via an exclamation mark. On a side note of IMAP client, Latest Mozilla Thunderbird had its pref setting security.tls.version.fallback-limit to 4 (TLSv1.3), of which I have adjusted it to 3 (TLSv1.2) and it .... works when Dovecot is set to TLSv1.2. (Details of Thunderbird security.tls.version.fallback-limit is given in http://kb.mozillazine.org/Security.tls.version.* ) Steve
Steve Egbert
2020-May-08 16:04 UTC
Unable to disable TLSv1.3 or fallback to TLSv1.2 when 1 cipher is disabled
Also, more testimony to the same problem (by others) is posted over at ServerFault (StackOverflow): https://serverfault.com/questions/975871/forcing-dovecot-2-3-4-1-to-use-tlsv1-2 On 5/8/20 11:50 AM, Steve Egbert wrote:> I have an operational need to disable TLSv1.3 due to inadequate support > to exclude certain ciphers. > > Much to my dismay, the `ssl_protocols` had been renamed and > re-functionalized into `ssl_min_protocol`. > > Now, there is no way to exclude a specific group of one or more TLS > versions. > > For a new bug report, I think we need two new settings: > > * `ssl_tls13_ciphersuite` and > * `ssl_tls10_cipher` > > settings introduced into Dovecot for better granularity. > > ALong with support for fallback to TLSv1.2 as outlined in > https://bugzilla.mozilla.org/show_bug.cgi?id=1250568 > > I'm still being hammered with the following error with Thunderbird > 76.0b3, Dovecot 2.3.4.1-5+deb10u1, Debian 11: > > May? 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x10, ret=1: > before SSL initialization > May? 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2001, > ret=1: before SSL initialization > May? 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2002, > ret=-1: before SSL initialization > May? 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2001, > ret=1: before SSL initialization > May? 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL alert: where=0x4008, > ret=582: fatal protocol version > May? 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2002, > ret=-1: error > May? 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL error: SSL_accept() > failed: error:14209102:SSL > routines:tls_early_post_process_client_hello:unsupported protocol > May? 8 11:15:47 ns1 dovecot: imap-login: Disconnected (disconnected > before auth was ready, waited 0 secs): user=<>, rip=XX.XX.XX.XX, > lip=XX.XX.XX.XX, TLS handshaking: SSL_accept() failed: > error:14209102:SSL > routines:tls_early_post_process_client_hello:unsupported protocol, > session=<GN/GeCSlYuhEhl2U> > May? 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL error: SSL_accept() > syscall failed: Invalid argument > > This occurred when specifying one TLSv1.3 cipher to be excluded in > ssl_cipher via an exclamation mark. > > On a side note of IMAP client,? Latest Mozilla Thunderbird had its pref > setting security.tls.version.fallback-limit to 4 (TLSv1.3), of which I > have adjusted it to 3 (TLSv1.2) and it .... works when Dovecot is set to > TLSv1.2. > > (Details of Thunderbird security.tls.version.fallback-limit is given in > http://kb.mozillazine.org/Security.tls.version.* ) > > > Steve > >
Reasonably Related Threads
- Unable to disable TLSv1.3 or fallback to TLSv1.2 when 1 cipher is disabled
- Unable to disable TLSv1.3 or fallback to TLSv1.2 when 1 cipher is disabled
- Unable to disable TLSv1.3 or fallback to TLSv1.2 when 1 cipher is disabled
- Unable to disable TLSv1.3 or fallback to TLSv1.2 when 1 cipher is disabled
- Unable to disable TLSv1.3 or fallback to TLSv1.2 when 1 cipher is disabled