PGNet Dev
2020-Sep-24 02:24 UTC
dovecot TSL 1.3 config option 'ssl_ciphersuites' causes fatal error on launch. not supported, bad config, or bug?
I've installed grep PRETTY /etc/os-release PRETTY_NAME="Fedora 32 (Server Edition)" dovecot --version 2.3.10.1 (a3d0e1171) openssl version OpenSSL 1.1.1g FIPS 21 Apr 2020 iiuc, Dovecot has apparently had support for setting TLS 1.3 ciphersuites since v2.3.9, per this commit lib-ssl-iostream: Support TLSv1.3 ciphersuites https://github.com/dovecot/core/commit/8f6f04eb21276f28b81695dd0d3df57c7b8f43e4 checking openssl rpm -ql openssl-devel-1.1.1g-1.fc32.x86_64 | grep -i ciphersuites /usr/share/man/man3/SSL_CTX_set_ciphersuites.3ssl.gz /usr/share/man/man3/SSL_set_ciphersuites.3ssl.gz man SSL_set_ciphersuites ... SSL_set_cipher_list() sets the list of ciphers (TLSv1.2 and below) only for ssl. SSL_CTX_set_ciphersuites() is used to configure the available TLSv1.3 ciphersuites for ctx. This is a simple colon (":") separated list of TLSv1.3 ciphersuite names in order of preference. Valid TLSv1.3 ciphersuite names are: TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256 An empty list is permissible. The default value for the this setting is: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" SSL_set_ciphersuites() is the same as SSL_CTX_set_ciphersuites() except it configures the ciphersuites for ssl. ... checkin in dovecot tag 2.3.10.1's src, m4/ssl.m4 (m4) ... AC_CHECK_LIB(ssl, SSL_CTX_set_ciphersuites, [ AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES,, [Build with SSL_CTX_set_ciphersuites() support]) ],, $SSL_LIBS) ... and, src/lib-ssl-iostream/iostream-openssl.c ... #ifdef HAVE_SSL_CTX_SET_CIPHERSUITES if (set->ciphersuites != NULL && strcmp(ctx_set->ciphersuites, set->ciphersuites) != 0) { if (SSL_set_ciphersuitesl(ssl_io->ssl, set->ciphersuites) == 0) { *error_r = t_strdup_printf( "Can't set ciphersuites to '%s': %s", set->ciphersuites, openssl_iostream_error()); return -1; } } #endif ... suggests that ciphersuite support exists. bug, checking in ./src/lib-master/master-service-ssl.c ... void master_service_ssl_ctx_init(struct master_service *service) { const struct master_service_ssl_settings *set; struct ssl_iostream_settings ssl_set; const char *error; if (service->ssl_ctx_initialized) return; service->ssl_ctx_initialized = TRUE; /* must be called after master_service_init_finish() so that if initialization fails we can close the SSL listeners */ i_assert(service->listeners != NULL || service->socket_count == 0); set = master_service_ssl_settings_get(service); if (strcmp(set->ssl, "no") == 0) { /* SSL disabled, don't use it */ return; } i_zero(&ssl_set); ssl_set.min_protocol = set->ssl_min_protocol; ssl_set.cipher_list = set->ssl_cipher_list; ssl_set.curve_list = set->ssl_curve_list; ssl_set.ca = set->ssl_ca; ... there's only mention of set->ssl_cipher_list , not set->ssl_ciphersuites or equivalent, afaict. if in dovecot's 10-ssl.conf I set ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 + ssl_ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256 on restart journalctl -f -u dovecot -- Logs begin at Sun 2020-09-20 14:30:30 PDT. -- Sep 23 18:28:42 mx.example.com dovecot[4269]: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 92: Unknown setting: ssl_ciphersuites _is_ setting TLS 1.3 ssl_ciphersuites in fact currently supported, and usage is wrong here^?
Arjen de Korte
2020-Sep-24 06:23 UTC
dovecot TSL 1.3 config option 'ssl_ciphersuites' causes fatal error on launch. not supported, bad config, or bug?
Citeren PGNet Dev <pgnet.dev at gmail.com>:> I've installed > > grep PRETTY /etc/os-release > PRETTY_NAME="Fedora 32 (Server Edition)" > dovecot --version > 2.3.10.1 (a3d0e1171) > openssl version > OpenSSL 1.1.1g FIPS 21 Apr 2020 > > iiuc, Dovecot has apparently had support for setting TLS 1.3 > ciphersuites since v2.3.9, per this commit > > lib-ssl-iostream: Support TLSv1.3 ciphersuites > > https://github.com/dovecot/core/commit/8f6f04eb21276f28b81695dd0d3df57c7b8f43e4There is a pull request for TLSv1.3 sitting in the queue: https://github.com/dovecot/core/pull/126, maybe this helps?
Aki Tuomi
2020-Sep-24 06:29 UTC
dovecot TSL 1.3 config option 'ssl_ciphersuites' causes fatal error on launch. not supported, bad config, or bug?
> On 24/09/2020 05:24 PGNet Dev <pgnet.dev at gmail.com> wrote: > > > I've installed > > grep PRETTY /etc/os-release > PRETTY_NAME="Fedora 32 (Server Edition)" > dovecot --version > 2.3.10.1 (a3d0e1171) > openssl version > OpenSSL 1.1.1g FIPS 21 Apr 2020 > > iiuc, Dovecot has apparently had support for setting TLS 1.3 ciphersuites since v2.3.9, per this commit > > lib-ssl-iostream: Support TLSv1.3 ciphersuites > https://github.com/dovecot/core/commit/8f6f04eb21276f28b81695dd0d3df57c7b8f43e4 > > checking openssl >Hi! The config option is still missing, but it's in our backlog along with other stuff we would like to add. Aki
PGNet Dev
2020-Sep-24 14:14 UTC
dovecot TSL 1.3 config option 'ssl_ciphersuites' causes fatal error on launch. not supported, bad config, or bug?
On 9/23/20 11:29 PM, Aki Tuomi wrote:> The config option is still missing, but it's in our backlog along with other stuff we would like to add.Is that pegged to any version/milestone yet? In the meantime, what state is Dovecot's cipher support IN? What behavior should be expected when (all of our) other/external services are offering/using/expecting TLSv1.3 ciphers? A clean fallback from Dovecot to v1.2 protocols/ciphers? &/or must TLSv1.3 be _explicitly_ disabled/excluded in Dovecot configs?
Reasonably Related Threads
- dovecot TSL 1.3 config option 'ssl_ciphersuites' causes fatal error on launch. not supported, bad config, or bug?
- Unable to disable TLSv1.3 or fallback to TLSv1.2 when 1 cipher is disabled
- your mail
- FreeBSD-SA-04:05.openssl question
- BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."