Steve Egbert
2020-May-08 15:43 UTC
Unable to disable TLSv1.3 or fallback to TLSv1.2 when 1 cipher is disabled
I have an operational need to disable TLSv1.3 due to inadequate support to exclude certain ciphers.

Much to my dismay, the `ssl_protocols` had been renamed and re-functionalized into `ssl_min_protocol`.

Now, there is no way to exclude a specific group of one or more TLS versions.

For a new bug report, I think we need two new settings:

* `ssl_tls13_ciphersuite` and
* `ssl_tls10_cipher`

settings introduced into Dovecot for better granularity.

Along with support for fallback to TLSv1.2 as outlined in https://bugzilla.mozilla.org/show_bug.cgi?id=1250568

I'm still being hammered with the following error with Thunderbird 76.0b3, Dovecot 2.3.4.1-5+deb10u1, Debian 11:

May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL alert: where=0x4008, ret=582: fatal protocol version
May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error
May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
May 8 11:15:47 ns1 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=XX.XX.XX.XX, lip=XX.XX.XX.XX, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=<GN/GeCSlYuhEhl2U>
May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL error: SSL_accept() syscall failed: Invalid argument

This occurred when specifying one TLSv1.3 cipher to be excluded in ssl_cipher via an exclamation mark.

On a side note of IMAP client, Latest Mozilla Thunderbird had its pref setting security.tls.version.fallback-limit to 4 (TLSv1.3), of which I have adjusted it to 3 (TLSv1.2) and it .... works when Dovecot is set to TLSv1.2.

(Details of Thunderbird security.tls.version.fallback-limit is given in http://kb.mozillazine.org/Security.tls.version.* )

Steve
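The `where=` and `ret=` fields in the debug lines above are raw OpenSSL info-callback values, and decoding them shows which side raised the alert. The following is an added example, not part of the original thread or of Dovecot: the flag bits are the `SSL_CB_*` / `SSL_ST_*` constants from OpenSSL's `ssl.h`, the alert numbers are from RFC 8446, and the function names are this example's own.

```python
import re

# OpenSSL info-callback flag bits (ssl.h), logged by Dovecot as "where=0x...".
WHERE_BITS = {
    0x01: "LOOP", 0x02: "EXIT", 0x04: "READ", 0x08: "WRITE",
    0x10: "HANDSHAKE_START", 0x20: "HANDSHAKE_DONE",
    0x1000: "CONNECT", 0x2000: "ACCEPT", 0x4000: "ALERT",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of TLS alert descriptions (RFC 8446, section 6).
ALERT_DESCRIPTIONS = {
    40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version",
    71: "insufficient_security", 86: "inappropriate_fallback",
}
LINE_RE = re.compile(r"SSL(?: alert)?: where=(0x[0-9a-fA-F]+), ret=(-?\d+)")

def decode_where(where):
    """Return the names of the flag bits set in a where= value."""
    return [name for bit, name in sorted(WHERE_BITS.items()) if where & bit]

def decode_line(line):
    """Decode one Dovecot SSL debug line; None if it carries no where= field."""
    m = LINE_RE.search(line)
    if not m:
        return None
    where, ret = int(m.group(1), 16), int(m.group(2))
    event = {"flags": decode_where(where), "ret": ret}
    if where & 0x4000:  # for alerts, ret packs (level << 8) | description
        event["level"] = ALERT_LEVELS.get(ret >> 8, "unknown")
        event["description"] = ALERT_DESCRIPTIONS.get(ret & 0xFF, str(ret & 0xFF))
        # WRITE: the logging side (Dovecot) sent the alert; READ: the peer did.
        event["sent_by"] = "local" if where & 0x08 else "peer"
    return event

def alerts(lines):
    """Return only the decoded alert events from a sequence of log lines."""
    decoded = (decode_line(line) for line in lines)
    return [e for e in decoded if e and "level" in e]

# Log lines copied from the post above (syslog prefix trimmed).
SAMPLE = [
    "imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization",
    "imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization",
    "imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization",
    "imap-login: Debug: SSL alert: where=0x4008, ret=582: fatal protocol version",
    "imap-login: Debug: SSL error: SSL_accept() syscall failed: Invalid argument",
]

if __name__ == "__main__":
    for event in alerts(SAMPLE):
        print(event)
```

For the logged `where=0x4008, ret=582` this yields a fatal `protocol_version` alert with the WRITE bit set, meaning the alert was sent by the Dovecot side of the handshake rather than received from the client.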
@lbutlr
2020-May-09 07:48 UTC
Unable to disable TLSv1.3 or fallback to TLSv1.2 when 1 cipher is disabled
On 08 May 2020, at 09:43, Steve Egbert <s.egbert at sbcglobal.net> wrote:
> I have an operational need to disable TLSv1.3 due to inadequate support to exclude certain ciphers.

There is no need to disable TLSv1.3 and attempts to do so will be flagged as "downgrade attacks".

> Much to my dismay, the `ssl_protocols` had been renamed and re-functionalized into `ssl_min_protocol`.
>
> Now, there is no way to exclude a specific group of one or more TLS versions.

There is no way to disable a more secure protocol, that is correct. This is how it should be and I am sure this decision was intentional to prevent many many different attack vectors.

> I'm still being hammered with the following error with Thunderbird 76.0b3, Dovecot 2.3.4.1-5+deb10u1, Debian 11:
>
> May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
> May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
> May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
> May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
> May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL alert: where=0x4008, ret=582: fatal protocol version
> May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error
> May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
> May 8 11:15:47 ns1 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=XX.XX.XX.XX, lip=XX.XX.XX.XX, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=<GN/GeCSlYuhEhl2U>
> May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL error: SSL_accept() syscall failed: Invalid argument

Thunderbird 76 works fine with dovecot 2.3.10 (I just checked).

Not sure what you did to your config or if this was something fixed since 2.3.4

> This occurred when specifying one TLSv1.3 cipher to be excluded in ssl_cipher via an exclamation mark.

If you disable a cipher that causes Tbird to drop from TLSv1.3 to TLSv1.2 this will probably be seen as a downgrade attack. What cipher are you disabling and why?

> On a side note of IMAP client, Latest Mozilla Thunderbird had its pref setting security.tls.version.fallback-limit to 4 (TLSv1.3), of which I have adjusted it to 3 (TLSv1.2) and it .... works when Dovecot is set to TLSv1.2.

AFAIK you cannot force TLSv1.2 when you have TLSv1.3 available.

--
I WILL NOT EXPOSE THE IGNORANCE OF THE FACULTY Bart chalkboard Ep. 8F15
Steve Egbert
2020-May-09 23:18 UTC
Unable to disable TLSv1.3 or fallback to TLSv1.2 when 1 cipher is disabled
>> I have an operational need to disable TLSv1.3 due to inadequate support to exclude certain ciphers.
>
> There is no need to disable TLSv1.3 and attempts to do so will be flagged as "downgrade attacks".

Let us ignore TLSv1.2 as a downgrade option. And focus on TLSv1.3 for its entirety of this thread.

If the ciphersuite (not cipher for that's a TLSv1.2 term), but a ciphersuite for TLSv1.3.... needs to have its set of ciphers:

* Reordered, or
* disabled

We cannot do it at the moment given this snapshot of Dovecot.