dovecot - May 2020 - Unable to disable TLSv1.3 or fallback to TLSv1.2 when 1 cipher is disabled

I have an operational need to disable TLSv1.3 due to inadequate support 
to exclude certain ciphers.

Much to my dismay, the `ssl_protocols` had been renamed and 
re-functionalized into `ssl_min_protocol`.

Now, there is no way to exclude a specific group of one or more TLS 
versions.

For a new bug report, I think we need two new settings:

* `ssl_tls13_ciphersuite` and
* `ssl_tls10_cipher`

settings introduced into Dovecot for better granularity.

ALong with support for fallback to TLSv1.2 as outlined in 
https://bugzilla.mozilla.org/show_bug.cgi?id=1250568

I'm still being hammered with the following error with Thunderbird 
76.0b3, Dovecot 2.3.4.1-5+deb10u1, Debian 11:

May  8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x10, ret=1: 
before SSL initialization
May  8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2001, 
ret=1: before SSL initialization
May  8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2002, 
ret=-1: before SSL initialization
May  8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2001, 
ret=1: before SSL initialization
May  8 11:15:47 ns1 dovecot: imap-login: Debug: SSL alert: where=0x4008, 
ret=582: fatal protocol version
May  8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2002, 
ret=-1: error
May  8 11:15:47 ns1 dovecot: imap-login: Debug: SSL error: SSL_accept() 
failed: error:14209102:SSL 
routines:tls_early_post_process_client_hello:unsupported protocol
May  8 11:15:47 ns1 dovecot: imap-login: Disconnected (disconnected 
before auth was ready, waited 0 secs): user=<>, rip=XX.XX.XX.XX, 
lip=XX.XX.XX.XX, TLS handshaking: SSL_accept() failed: 
error:14209102:SSL 
routines:tls_early_post_process_client_hello:unsupported protocol, 
session=<GN/GeCSlYuhEhl2U>
May  8 11:15:47 ns1 dovecot: imap-login: Debug: SSL error: SSL_accept() 
syscall failed: Invalid argument

This occurred when specifying one TLSv1.3 cipher to be excluded in 
ssl_cipher via an exclamation mark.

On a side note of IMAP client,  Latest Mozilla Thunderbird had its pref 
setting security.tls.version.fallback-limit to 4 (TLSv1.3), of which I 
have adjusted it to 3 (TLSv1.2) and it .... works when Dovecot is set to 
TLSv1.2.

(Details of Thunderbird security.tls.version.fallback-limit is given in 
http://kb.mozillazine.org/Security.tls.version.* )


Steve

On 08 May 2020, at 09:43, Steve Egbert <s.egbert at sbcglobal.net>
wrote:
> I have an operational need to disable TLSv1.3 due to inadequate support to
exclude certain ciphers.
There is no need to disable TLSv1.3 and attempts to do so will be flagged as
?downgrade attacks?.
> Much to my dismay, the `ssl_protocols` had been renamed and
re-functionalized into `ssl_min_protocol`.
> 
> Now, there is no way to exclude a specific group of one or more TLS
versions.
There is no way to disable a more secure protocol, that is correct. This is how
it should be and I am sure this decision was intentional to prevent many many
different attack vectors.
> I'm still being hammered with the following error with Thunderbird
76.0b3, Dovecot 2.3.4.1-5+deb10u1, Debian 11:
> 
> May  8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x10, ret=1:
before SSL initialization
> May  8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
before SSL initialization
> May  8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:
before SSL initialization
> May  8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
before SSL initialization
> May  8 11:15:47 ns1 dovecot: imap-login: Debug: SSL alert: where=0x4008,
ret=582: fatal protocol version
> May  8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:
error
> May  8 11:15:47 ns1 dovecot: imap-login: Debug: SSL error: SSL_accept()
failed: error:14209102:SSL
routines:tls_early_post_process_client_hello:unsupported protocol
> May  8 11:15:47 ns1 dovecot: imap-login: Disconnected (disconnected before
auth was ready, waited 0 secs): user=<>, rip=XX.XX.XX.XX, lip=XX.XX.XX.XX,
TLS handshaking: SSL_accept() failed: error:14209102:SSL
routines:tls_early_post_process_client_hello:unsupported protocol,
session=<GN/GeCSlYuhEhl2U>
> May  8 11:15:47 ns1 dovecot: imap-login: Debug: SSL error: SSL_accept()
syscall failed: Invalid argument
Thunderbird 76 works fine with dovecot 2.3.10 (I just checked). Not sure what
you did to your config or if this was something fixed since 2.3.4
> This occurred when specifying one TLSv1.3 cipher to be excluded in
ssl_cipher via an exclamation mark.
If you disable a cipher that causes Tbird to drop from TLSv1.3 to TLSv1.2 this
will probably be seen as a downgrade attack. What cipher are you disabling and
why?
> On a side note of IMAP client,  Latest Mozilla Thunderbird had its pref
setting security.tls.version.fallback-limit to 4 (TLSv1.3), of which I have
adjusted it to 3 (TLSv1.2) and it .... works when Dovecot is set to TLSv1.2.
AFAIK you cannot force TLSv1.2 when you have TLSv1.3 available.


-- 
I WILL NOT EXPOSE THE IGNORANCE OF THE FACULTY Bart chalkboard Ep.
	8F15

>> I have an operational need to disable TLSv1.3 due to inadequate support
to exclude certain ciphers.
> 
> There is no need to disable TLSv1.3 and attempts to do so will be flagged
as ?downgrade attacks?.
Let us ignore TLSv1.2 as a downgrade option. And focus on TLSv1.3 for 
its entirety of this thread.

If the ciphersuite (not cipher for that's a TLSv1.2 term), but a 
ciphersuite for TLSv1.3.... needs to have its set of ciphers:

* Reordered, or
* disabled

We cannot do it at the moment given this snapshot of Dovecot.