Hi,
the actual OpenSSL version detection in dovecot is insufficient.
The implementation only checks for SSL_CTRL_SET_ECDH_AUTO.
That was effective for OpenSSL 1.0.2, but in 1.1.0 it is removed.
Thats the code part:
#ifdef SSL_CTRL_SET_ECDH_AUTO
/* OpenSSL >= 1.0.2 automatically handles ECDH temporary key
parameter
selection. */
SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
#else
/* For OpenSSL < 1.0.2, ECDH temporary key parameter selection
must be
performed manually. Attempt to select the same curve as that used
in the server's private EC key file. Otherwise fall back to the
NIST P-384 (secp384r1) curve to be compliant with RFC 6460 when
AES-256 TLS cipher suites are in use. This fall back option does
however make Dovecot non-compliant with RFC 6460 which requires
curve NIST P-256 (prime256v1) be used when AES-128 TLS cipher
suites are in use. At least the non-compliance is in the form of
providing too much security rather than too little. */
nid = ssl_proxy_ctx_get_pkey_ec_curve_name(set);
ecdh = EC_KEY_new_by_curve_name(nid);
if (ecdh == NULL) {
/* Fall back option */
nid = NID_secp384r1;
ecdh = EC_KEY_new_by_curve_name(nid);
}
if ((curve_name = OBJ_nid2sn(nid)) != NULL &&
set->verbose_ssl)
i_debug("SSL: elliptic curve %s will be used for ECDH
and"
" ECDHE key exchanges", curve_name);
if (ecdh != NULL) {
SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
EC_KEY_free(ecdh);
}
#endif
The OpenSSL CHANGES file says for version 1.1.0:
Changes between 1.0.2h and 1.1.0 [25 Aug 2016]
...
...
*) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is
always enabled now. If you want to disable the support you should
exclude it using the list of supported ciphers. This also means
that the
"-no_ecdhe" option has been removed from s_server.
[Kurt Roeckx]
So when the check for OpenSSL 1.1.0 fails, the curve selection will be
forced to use secp384r1 like it would be on older versions.
This curve change during negotiation breaks the connect for Android7
devices. They are not able to negotiate any ECDHE cipher.
The dovecot log shows:
...SSL_accept() failed: error:1417A0C1:SSL
routines:tls_post_process_client_hello:no shared cipher...
but here it is not a cipher problem. Instead it is a curve problem.
This is most relevant if the server is suited with an ECDSA-Certificate.
Than no TLS negotiation is possible.
There should be added a more sufficient check for the OpenSSL version.
If using OpenSSL 1.1.0*, the easiest way the have auto curve selection
again is to remove the whole check for testing purpose which results in
a working auto curve offering installation and allows also Android7
devices again to connect with TLS & ECDHE ciphers.
Regards Torsten
