PGNet Dev
2020-Aug-25 00:17 UTC
BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
I've dovecot --version 2.3.10.1 (a3d0e1171) openssl version OpenSSL 1.1.1g FIPS 21 Apr 2020 , atm on Fedora32. I configure /etc/pki/tls/openssl.cnf to set preferences for apps' usage, e.g. Postfix etc; Typically, here cat /etc/pki/tls/openssl.cnf openssl_conf = default_conf [default_conf] ssl_conf = ssl_sect [ssl_sect] system_default = system_default_sect [system_default_sect] MinProtocol = TLSv1.2 Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256 CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 Options = PrioritizeChaCha,ServerPreference However, any/all sends from local client via Dovecot submission -- from an instance on the same server -- FAILS with that^^ openssl.cnf, ==> /var/log/dovecot/dovecot.log <= ... 2020-08-24 17:04:42 submission(testuser at example.com)<D4c5c6itUg2sHgsH>: Error: smtp-client: conn int.mx.example.net:465 (10.0.4.65:465) [1]: connect(int.mx.example.net:465) failed: Failed to initialize SSL: Couldn't initialize SSL context: Can't load SSL certificate: error:14187180:SSL routines:ssl_do_config:bad value: section=system_default, cmd=Options, arg=ServerPreference,PrioritizeChaCha 2020-08-24 17:04:42 submission(testuser at example.com)<D4c5c6itUg2sHgsH>: Error: Failed to establish relay connection: Failed to connect to remote server ... editing, - Options = PrioritizeChaCha,ServerPreference + Options = PrioritizeChaCha cures the error ==> /var/log/dovecot/dovecot.log <= ... 2020-08-24 17:08:04 submission(testuser at example.com)<Uow+f6itZg2sHgsH>: Info: Successfully relayed message: from=<testuser at example.com>, size=433, id=Mh4pJWRWRF9jHQAAVDn7pA, nrcpt=1, reply=`250 2.0.0 Ok: queued as 4Bb8TJ4VQbz7v6t' ... checking ssl docs https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html BOTH are valid 'Options', ... ServerPreference: use server and not client preference order when determining which cipher suite, signature algorithm or elliptic curve to use for an incoming connection. Equivalent to SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by servers. PrioritizeChaCha: prioritizes ChaCha ciphers when the client has a ChaCha20 cipher at the top of its preference list. This usually indicates a mobile client is in use. Equivalent to SSL_OP_PRIORITIZE_CHACHA. Only used by servers. ... The mere presence of that option in a system-wide openssl.cnf shouldn't cause a Dovecot submission failure.
PGNet Dev
2020-Sep-22 17:05 UTC
BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
bump On 8/24/20 5:17 PM, PGNet Dev wrote:> I've > > dovecot --version > 2.3.10.1 (a3d0e1171) > openssl version > OpenSSL 1.1.1g FIPS 21 Apr 2020 > > , atm on Fedora32. > > I configure > > /etc/pki/tls/openssl.cnf > > to set preferences for apps' usage, e.g. Postfix etc; Typically, here > > cat /etc/pki/tls/openssl.cnf > > openssl_conf = default_conf > > [default_conf] > ssl_conf = ssl_sect > > [ssl_sect] > system_default = system_default_sect > > [system_default_sect] > MinProtocol = TLSv1.2 > Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256 > CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 > Options = PrioritizeChaCha,ServerPreference > > However, any/all sends from local client via Dovecot submission -- from an instance on the same server -- FAILS with that^^ openssl.cnf, > > ==> /var/log/dovecot/dovecot.log <=> ... > 2020-08-24 17:04:42 submission(testuser at example.com)<D4c5c6itUg2sHgsH>: Error: smtp-client: conn int.mx.example.net:465 (10.0.4.65:465) [1]: connect(int.mx.example.net:465) failed: Failed to initialize SSL: Couldn't initialize SSL context: Can't load SSL certificate: error:14187180:SSL routines:ssl_do_config:bad value: section=system_default, cmd=Options, arg=ServerPreference,PrioritizeChaCha > 2020-08-24 17:04:42 submission(testuser at example.com)<D4c5c6itUg2sHgsH>: Error: Failed to establish relay connection: Failed to connect to remote server > ... > > editing, > > - Options = PrioritizeChaCha,ServerPreference > + Options = PrioritizeChaCha > > cures the error > > ==> /var/log/dovecot/dovecot.log <=> ... > 2020-08-24 17:08:04 submission(testuser at example.com)<Uow+f6itZg2sHgsH>: Info: Successfully relayed message: from=<testuser at example.com>, size=433, id=Mh4pJWRWRF9jHQAAVDn7pA, nrcpt=1, reply=`250 2.0.0 Ok: queued as 4Bb8TJ4VQbz7v6t' > ... > > checking ssl docs > > https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html > > BOTH are valid 'Options', > > ... > ServerPreference: use server and not client preference order when determining which cipher suite, signature algorithm or elliptic curve to use for an incoming connection. Equivalent to SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by servers. > > PrioritizeChaCha: prioritizes ChaCha ciphers when the client has a ChaCha20 cipher at the top of its preference list. This usually indicates a mobile client is in use. Equivalent to SSL_OP_PRIORITIZE_CHACHA. Only used by servers. > ... > > > The mere presence of that option in a system-wide openssl.cnf shouldn't cause a Dovecot submission failure. >
Aki Tuomi
2020-Sep-22 17:51 UTC
BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
> On 22/09/2020 20:05 PGNet Dev <pgnet.dev at gmail.com> wrote: > > > bump > > On 8/24/20 5:17 PM, PGNet Dev wrote: > > I've > > > > dovecot --version > > 2.3.10.1 (a3d0e1171) > > openssl version > > OpenSSL 1.1.1g FIPS 21 Apr 2020 > > > > , atm on Fedora32. > > > > I configure > > > > /etc/pki/tls/openssl.cnf > > > > to set preferences for apps' usage, e.g. Postfix etc; Typically, here > > > > cat /etc/pki/tls/openssl.cnf > > > > openssl_conf = default_conf > > > > [default_conf] > > ssl_conf = ssl_sect > > > > [ssl_sect] > > system_default = system_default_sect > > > > [system_default_sect] > > MinProtocol = TLSv1.2 > > Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256 > > CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 > > Options = PrioritizeChaCha,ServerPreference > > > > However, any/all sends from local client via Dovecot submission -- from an instance on the same server -- FAILS with that^^ openssl.cnf, > > > > ==> /var/log/dovecot/dovecot.log <=> > ... > > 2020-08-24 17:04:42 submission(testuser at example.com)<D4c5c6itUg2sHgsH>: Error: smtp-client: conn int.mx.example.net:465 (10.0.4.65:465) [1]: connect(int.mx.example.net:465) failed: Failed to initialize SSL: Couldn't initialize SSL context: Can't load SSL certificate: error:14187180:SSL routines:ssl_do_config:bad value: section=system_default, cmd=Options, arg=ServerPreference,PrioritizeChaCha > > 2020-08-24 17:04:42 submission(testuser at example.com)<D4c5c6itUg2sHgsH>: Error: Failed to establish relay connection: Failed to connect to remote server > > ... > > > > editing, > > > > - Options = PrioritizeChaCha,ServerPreference > > + Options = PrioritizeChaCha > > > > cures the error > > > > ==> /var/log/dovecot/dovecot.log <=> > ... > > 2020-08-24 17:08:04 submission(testuser at example.com)<Uow+f6itZg2sHgsH>: Info: Successfully relayed message: from=<testuser at example.com>, size=433, id=Mh4pJWRWRF9jHQAAVDn7pA, nrcpt=1, reply=`250 2.0.0 Ok: queued as 4Bb8TJ4VQbz7v6t' > > ... > > > > checking ssl docs > > > > https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html > > > > BOTH are valid 'Options', > > > > ... > > ServerPreference: use server and not client preference order when determining which cipher suite, signature algorithm or elliptic curve to use for an incoming connection. Equivalent to SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by servers. > > > > PrioritizeChaCha: prioritizes ChaCha ciphers when the client has a ChaCha20 cipher at the top of its preference list. This usually indicates a mobile client is in use. Equivalent to SSL_OP_PRIORITIZE_CHACHA. Only used by servers. > > ... > > > > > > The mere presence of that option in a system-wide openssl.cnf shouldn't cause a Dovecot submission failure. > >Well, dovecot does not actually do any parsing for system-wide openssl.cnf. This sounds more like OpenSSL issue than dovecot issue. Aki
Possibly Parallel Threads
- BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
- BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
- BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
- BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
- Dovecot won't accept IMAP TLS 1 connections from older devices [SOLVED]