search for: ssl_op_no_tlsv1

...n, I'm getting an error that 1.3 is an "Unknown ssl_min_protocol setting". Reading the source code, it seems that `openssl_min_protocol_to_options` in `src/lib-ssl-iostream/iostream-openssl-common.c` is simply missing an entry like { SSL_TXT_TLSV1_3, TLS1_3_VERSION, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 } Is this a bug, something intentional, or has it simply not been added yet because nobody has been crazy enough to ask for it? Kind regards, Laurens -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pi...

....3 is an "Unknown > ssl_min_protocol setting". > Reading the source code, it seems that > `openssl_min_protocol_to_options` in > `src/lib-ssl-iostream/iostream-openssl-common.c` is simply missing an > entry like > > { SSL_TXT_TLSV1_3, TLS1_3_VERSION, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | > SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 } > > Is this a bug, something intentional, or has it simply not been added > yet because nobody has been crazy enough to ask for it? > > Kind regards, > > Laurens Hi! Just haven't gotten round to implement this yet. Will get...

On 27 August 2017 08:32:06 CEST, Timo Sirainen <tss at iki.fi> wrote: >> DEF(SET_STR, ssl_protocols), >> DEF(SET_STR, ssl_cert_username_field), >> DEF(SET_STR, ssl_crypto_device), >> + DEF(SET_STR, ssl_lowest_version), > >Does it really require a new setting? Couldn't it use the existing >ssl_protocols setting? You need to set a minimal version.

Hi, I came up with the following patch while trying to figure out a good solution for the situation described in Debian bug #871987[1]. In short, OpenSSL in Debian unstable has disabled TLSv1.0 and TLSv1.1 *by default*. That means that unless an application requests otherwise, only TLSv1.2 is supported. In the world of e-mail this is seemingly an issue, as there are still way too many old clients