search for: ssl_curve_list

Displaying 20 results from an estimated 21 matches for "ssl_curve_list".

2017 Dec 25
0
ssl_curve_list seems to be ignored with Dovecot 2.3
Hi all, after upgrading to Dovecot 2.3, I've noticed the new "ssl_curve_list" TLS option in 10-ssl.conf. Setting it to "ssl_curve_list = X25519:P-256" or leaving it blank (auto) does not change anything, Dovecot keeps on negotiating P-384: Server Temp Key: ECDH, P-384, 384 bits When using "-curves X25519" in s_client, it does a fallback to DH: Serv...
2018 Jul 31
2
2.3.2.1 - EC keys support?
...with the OpenSSL API and only roughly gather > that the app (dovecot) would have to make the API call [ > SSL_CTX_set1_groups_list ] > (https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html) > in order to support those curves. > > Whoops. We have a setting called `ssl_curve_list` in dovecot, and I tried using that when I was testing. Turns out that there is a bug preventing that setting from being used. If you are compiling yourself, you can use the attached patch to fix this. After applying, you can set ssl_curve_list = brainpoolP512r1 And then you can connect again....
2018 Jul 30
2
2.3.2.1 - EC keys support?
>>>> I did some local testing and it seems that you are using a curve >>>> that is not acceptable for openssl as a server key. >>>> I tested with openssl s_server -cert ec-cert.pem -key ec-key.pem >>>> -port 5555 >>>> using cert generated with brainpool. Everything works if I use >>>> prime256v1 or secp521r1. This is a
2018 Jul 31
0
2.3.2.1 - EC keys support?
...gather >> that the app (dovecot) would have to make the API call [ >> SSL_CTX_set1_groups_list ] >> (https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html) >> in order to support those curves. >> >> > Whoops. > > We have a setting called `ssl_curve_list` in dovecot, and I tried using > that when I was testing. Turns out that there is a bug preventing that > setting from being used. If you are compiling yourself, you can use the > attached patch to fix this. > > After applying, you can set > > ssl_curve_list = brainpoolP512r1 &...
2018 Jul 31
2
2.3.2.1 - EC keys support?
...ovecot) would have to make the API call [ >>> SSL_CTX_set1_groups_list ] >>> (https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html) >>> in order to support those curves. >>> >>> >> Whoops. >> >> We have a setting called `ssl_curve_list` in dovecot, and I tried using >> that when I was testing. Turns out that there is a bug preventing that >> setting from being used. If you are compiling yourself, you can use the >> attached patch to fix this. >> >> After applying, you can set >> >> ssl_cu...
2019 Mar 24
0
Cannot get sieve script replication to work
...CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA ssl_client_ca_dir = /etc/ssl/certs ssl_curve_list = X25519:P-256 ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it ssl_min_protocol = TLSv1.2 ssl_options = no_compression, no_ticket ssl_prefer_server_ciphers = yes userdb { args = /etc/dovecot/dovecot-sql.conf.ext driver = sql } protocol lmtp { mail_plugins = quota ol...
2018 Dec 19
1
How to configure Dovecot to disable NIST's curves and still retain EECDH?
My opinion is that security by RFC is not security, it's mommy medicine. Standards have had a terrible time keeping up with security realities. NIST's curves leak side channel information all over the place. I don't have details on what implementations are set to calculate the NIST curves in constant time, and that's not an easy feat to do anyway so I don't want to depend
2020 Apr 25
4
problem with a public folder
...mode = 0660 user = vmail } } service welcome { executable = script /usr/local/etc/dovecot/welcome.sh unix_listener welcome { user = vmail } user = vmail } ssl = required ssl_cert = </usr/local/etc/ssl/acme.sh/example.com/fullchain.crt ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM ssl_curve_list = P-256 ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it ssl_min_protocol = TLSv1.2 ssl_options = no_ticket ssl_prefer_server_ciphers = yes userdb { args = /usr/local/etc/dovecot/dovecot-sql.conf.ext driver = sql } protocol lmtp { mail_fsync = optimized mail_plugin...
2020 Apr 13
5
got a listener on 993
...0 user = vhostname } } service welcome { executable = script /usr/local/etc/dovecot/welcome.sh unix_listener welcome { user = vhostname } user = vhostname } ssl = required ssl_cert = </usr/local/etc/ssl/acme.sh/example.com/fullchain.crt ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM ssl_curve_list = P-256 ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it ssl_min_protocol = TLSv1.2 ssl_options = no_ticket ssl_prefer_server_ciphers = yes userdb { args = /usr/local/etc/dovecot/dovecot-sql.conf.ext driver = sql } protocol lmtp { hostname_fsync = optimized hostnam...
2020 Sep 24
3
dovecot TLS 1.3 config option 'ssl_ciphersuites' causes fatal error on launch. not supported, bad config, or bug?
...ice_ssl_settings_get(service); if (strcmp(set->ssl, "no") == 0) { /* SSL disabled, don't use it */ return; } i_zero(&ssl_set); ssl_set.min_protocol = set->ssl_min_protocol; ssl_set.cipher_list = set->ssl_cipher_list; ssl_set.curve_list = set->ssl_curve_list; ssl_set.ca = set->ssl_ca; ... there's only mention of set->ssl_cipher_list , not set->ssl_ciphersuites or equivalent, afaict. if in dovecot's 10-ssl.conf I set ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA2...
2019 Oct 14
0
Panic: file smtp-client-connection.c: line 1212 (smtp_client_connection_established): assertion failed: (!conn->connect_succeeded)
...list = > TLS-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:TLS-AES-256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256 > ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt > ssl_curve_list = X25519:secp521r1:secp384r1 > ssl_key = # hidden, use -P to show it > ssl_min_protocol = TLSv1.2 > ssl_options = no_ticket > ssl_prefer_server_ciphers = yes > submission_client_workarounds = whitespace-before-path > submission_max_mail_size = 50000 k > submission_relay_host =...
2020 Apr 25
2
problem with a public folder
...mode = 0660 user = vmail } } service welcome { executable = script /usr/local/etc/dovecot/welcome.sh unix_listener welcome { user = vmail } user = vmail } ssl = required ssl_cert = </usr/local/etc/ssl/acme.sh/domain.com/fullchain.crt ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM ssl_curve_list = P-256 ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it ssl_min_protocol = TLSv1.2 ssl_options = no_ticket ssl_prefer_server_ciphers = yes userdb { args = /usr/local/etc/dovecot/dovecot-sql.conf.ext driver = sql } protocol lmtp { mail_fsync = optimized mail_plugin...
2020 Apr 14
0
got a listener on 993
...executable = script /usr/local/etc/dovecot/welcome.sh > unix_listener welcome { > user = vhostname > } > user = vhostname > } > ssl = required > ssl_cert = </usr/local/etc/ssl/acme.sh/example.com/fullchain.crt > ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM > ssl_curve_list = P-256 > ssl_dh = # hidden, use -P to show it > ssl_key = # hidden, use -P to show it > ssl_min_protocol = TLSv1.2 > ssl_options = no_ticket > ssl_prefer_server_ciphers = yes > userdb { > args = /usr/local/etc/dovecot/dovecot-sql.conf.ext > driver = sql > } > pr...
2020 Apr 25
0
problem with a public folder
...vice welcome { > executable = script /usr/local/etc/dovecot/welcome.sh > unix_listener welcome { > user = vmail > } > user = vmail >} >ssl = required >ssl_cert = </usr/local/etc/ssl/acme.sh/example.com/fullchain.crt >ssl_cipher_list = EECDH+AESGCM:EDH+AESGCM >ssl_curve_list = P-256 >ssl_dh = # hidden, use -P to show it >ssl_key = # hidden, use -P to show it >ssl_min_protocol = TLSv1.2 >ssl_options = no_ticket >ssl_prefer_server_ciphers = yes >userdb { > args = /usr/local/etc/dovecot/dovecot-sql.conf.ext > driver = sql >} >protocol lmtp...
2019 Jun 16
1
Dovecot, quota, warning, and issue with setup?
...rvice welcome { executable = script /usr/local/etc/dovecot/welcome.sh unix_listener welcome { user = vmail } user = vmail } ssl = required ssl_cert = </usr/local/etc/ssl/acme.sh/example.net/fullchain.crt ssl_cipher_list = ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1 ssl_curve_list = P-256 ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it ssl_min_protocol = TLSv1.2 ssl_options = no_ticket ssl_prefer_server_ciphers = yes userdb { args = /usr/local/etc/dovecot/dovecot-sql.conf.ext driver = sql } protocol lmtp { info_log_path = /var/log/dovecot/dov...
2019 Feb 01
2
Crash when using dict quotas with sqlite database
...CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA ssl_client_ca_dir = /etc/ssl/certs ssl_curve_list = X25519:P-256 ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it ssl_min_protocol = TLSv1.2 ssl_options = no_compression, no_ticket ssl_prefer_server_ciphers = yes userdb { args = /etc/dovecot/dovecot-sql.conf.ext driver = sql } protocol lmtp { mail_plugins = quota ol...
2019 Oct 11
2
Panic: file smtp-client-connection.c: line 1212 (smtp_client_connection_established): assertion failed: (!conn->connect_succeeded)
....pem ssl_cipher_list = TLS-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:TLS-AES-256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256 ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt ssl_curve_list = X25519:secp521r1:secp384r1 ssl_key = # hidden, use -P to show it ssl_min_protocol = TLSv1.2 ssl_options = no_ticket ssl_prefer_server_ciphers = yes submission_client_workarounds = whitespace-before-path submission_max_mail_size = 50000 k submission_relay_host = mta2.example.com submission_relay_ssl = sta...
2020 Jul 03
0
Quota: How/where to set/change
...cert_username_field = commonName | ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at STRENGTH | ssl_client_ca_dir = | ssl_client_ca_file = | ssl_client_cert = | ssl_client_key = | ssl_client_require_valid_cert = yes | ssl_crypto_device = | ssl_curve_list = | ssl_dh = # hidden, use -P to show it | ssl_key = # hidden, use -P to show it | ssl_key_password = | ssl_min_protocol = TLSv1 | ssl_options = | ssl_prefer_server_ciphers = no | ssl_require_crl = yes | ssl_verify_client_cert = no | state_dir = /var/lib/dovecot | stats_writer_socket_path = stat...
2020 Aug 25
2
zlib errors after upgrading
> On 25/08/2020 14:35 Robert Nowotny <rnowotny at rotek.at> wrote: > > > I get ZLIB Errors after dovecot upgrade from 2.3.10.1 to 2.3.11.3 > > > Aug 21 15:27:34 lxc-imap dovecot: imap(acsida)<63870><jZk...>: Error: Mailbox Sent: UID=40826: read(zlib(/home/vmail/virtualmailboxes/acsida/storage/m.2409)) failed:
2019 Mar 30
3
Trying to track down source of duplicate messages
...lt_cert = ssl_alt_key = ssl_ca = ssl_cert = </etc/letsencrypt/fullchain.pem ssl_cert_username_field = commonName ssl_cipher_list = ALL:!LOW:!EXP:!aNULL:!RC4::!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS ssl_client_ca_dir = ssl_client_ca_file = ssl_client_cert = ssl_client_key = ssl_crypto_device = ssl_curve_list = ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it ssl_key_password = ssl_min_protocol = TLSv1 ssl_options = ssl_prefer_server_ciphers = yes ssl_require_crl = yes ssl_verify_client_cert = no state_dir = /var/lib/dovecot stats_writer_socket_path = stats-writer submission_cl...