Displaying 4 results from an estimated 4 matches for "ssl_op_no_tlsv1_2".
2019 Nov 26
2
ssl_min_protocol = TLSv1.3 does not work
...s an "Unknown
ssl_min_protocol setting".
Reading the source code, it seems that `openssl_min_protocol_to_options` in
`src/lib-ssl-iostream/iostream-openssl-common.c` is simply missing an entry
like
{ SSL_TXT_TLSV1_3, TLS1_3_VERSION, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 }
Is this a bug, something intentional, or has it simply not been added yet
because nobody has been crazy enough to ask for it?
Kind regards,
Laurens
2020 Apr 13
2
Unable to set ssl_min_protocol=TLSv1.3
..., I
could probably extend struct {…} protocol_versions[] (in
iostream-openssl-common.c again) with an appropriate "TLSv1.3" entry
(and send a patch), though I would also suggest to OpenSSL to add a
SSL_TXT_TLSV1_3 define.
Unfortunately, I have not found a config setting in dovecot to set
SSL_OP_NO_TLSv1_2, or in fact any way to enforce TLS >=1.3, except maybe
via the cipher list string.
I think that dovecot should support setting this, and I'd also gladly
provide a patch.
Thanks,
Thomas
[0]: https://ssl-config.mozilla.org/#server=dovecot&version=2.3.4.1&config=modern&openssl=1.1.1d...
2019 Nov 27
0
ssl_min_protocol = TLSv1.3 does not work
...l setting".
> Reading the source code, it seems that
> `openssl_min_protocol_to_options` in
> `src/lib-ssl-iostream/iostream-openssl-common.c` is simply missing an
> entry like
>
> { SSL_TXT_TLSV1_3, TLS1_3_VERSION, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
> SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 }
>
> Is this a bug, something intentional, or has it simply not been added
> yet because nobody has been crazy enough to ask for it?
>
> Kind regards,
>
> Laurens
Hi!
Just haven't gotten round to implementing this yet. Will get there.
Aki
2020 Apr 13
0
Unable to set ssl_min_protocol=TLSv1.3
...ct {…} protocol_versions[] (in
> iostream-openssl-common.c again) with an appropriate "TLSv1.3" entry
> (and send a patch), though I would also suggest to OpenSSL to add a
> SSL_TXT_TLSV1_3 define.
>
> Unfortunately, I have not found a config setting in dovecot to set
> SSL_OP_NO_TLSv1_2, or in fact any way to enforce TLS >=1.3, except maybe
> via the cipher list string.
>
> I think that dovecot should support setting this, and I'd also gladly
> provide a patch.
>
> Thanks,
> Thomas
Hi!
What version of Dovecot are you using? What OS/distro are you using?...