dovecot - Jul 2018 - ssl_dh required, even though DH is disabled.

Here's my config:

# 2.3.2 (582970113): /etc/dovecot/dovecot.conf
# OS: Linux 4.17.5-1-ARCH x86_64 Arch Linux
# Hostname: vault
passdb {
? driver = pam
}
protocols = imap
service imap-login {
? inet_listener imap {
??? port = 0
? }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/myhostname.com/fullchain.pem
ssl_cipher_list
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384
ssl_key =? # hidden, use -P to show it
ssl_min_protocol = TLSv1.2

My filesystem is ext4.

Even though I use ssl_cipher_list to forbid DH, dovecot still doesn't
work unless I provide an ssl_dh, delivering the following error:


Jul 14 21:48:08 vault dovecot[8349]: imap-login: Error: Failed to
initialize SSL server context: Couldn't parse DH parameters:
error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: DH
PARAMETERS: user=<>, rip=10.0.0.1, lip=10.0.0.2,
session=<4sGi5/9w3pwKAAAB>

While providing an ssl_dh is only a minor annoyance, it would be nice if
I didn't have to.

This is a known issue, but thanks for reporting it.


---Aki TuomiDovecot oy
-------- Original message --------From: Eric Toombs <ewtoombs at
uwaterloo.ca> Date: 16/07/2018  08:41  (GMT+02:00) To: dovecot at dovecot.org
Subject: ssl_dh required, even though DH is disabled.
Here's my config:

# 2.3.2 (582970113): /etc/dovecot/dovecot.conf
# OS: Linux 4.17.5-1-ARCH x86_64 Arch Linux
# Hostname: vault
passdb {
? driver = pam
}
protocols = imap
service imap-login {
? inet_listener imap {
??? port = 0
? }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/myhostname.com/fullchain.pem
ssl_cipher_list
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384
ssl_key =? # hidden, use -P to show it
ssl_min_protocol = TLSv1.2

My filesystem is ext4.

Even though I use ssl_cipher_list to forbid DH, dovecot still doesn't
work unless I provide an ssl_dh, delivering the following error:


Jul 14 21:48:08 vault dovecot[8349]: imap-login: Error: Failed to
initialize SSL server context: Couldn't parse DH parameters:
error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: DH
PARAMETERS: user=<>, rip=10.0.0.1, lip=10.0.0.2,
session=<4sGi5/9w3pwKAAAB>

While providing an ssl_dh is only a minor annoyance, it would be nice if
I didn't have to.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20180716/00c184dd/attachment.html>