On 31.07.2018 03:32, ѽ҉ᶬḳ℠ wrote:
>> Perhaps for those interested - IETF RFC 7027 specifies for TLS use:
>>
>> [ brainpoolP256r1 | brainpoolP384r1 | brainpoolP512r1 ]
>>
>> And thus t1 would not work anyway. However, having tested r1 the result
>> was just the same.
>>
>> A tcpdump during the openssl test [ s_server | s_client ] then revealed
>> (TLSv1.2 Record Layer: Handshake Protocol: Client Hello) :
>>
>> Extension: supported_groups (len=10)
>>     Type: supported_groups (10)
>>     Length: 10
>>     Supported Groups List Length: 8
>>     Supported Groups (4 groups)
>>         Supported Group: x25519 (0x001d)
>>         Supported Group: secp256r1 (0x0017)
>>         Supported Group: secp521r1 (0x0019)
>>         Supported Group: secp384r1 (0x0018)
>>
>> Apparently [ brainpool ] would not fit into any of those
>> groups. Perhaps a bug in OpenSSL 1.1.0h thus.
>>
>>
> Turned out not to be a bug in OpenSSL after all. From the cli it works
> with no issues this way:
>
> [ openssl s_server -cert ec.cert.pem -key ec.key.pem -port 5555 -curves
> brainpoolP512r1 ]
> [ openssl s_client -connect localhost:5555 -curves brainpoolP512r1 ]
>
> I am not familiar really with the OpenSSL API and only roughly gather
> that the app (dovecot) would have to make the API call [
> SSL_CTX_set1_groups_list ]
> (https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html)
> in order to support those curves.
>
>
Whoops.

We have a setting called `ssl_curve_list` in dovecot, and I tried using
that when I was testing. Turns out that there is a bug preventing that
setting from being used. If you are compiling yourself, you can use the
attached patch to fix this.

After applying, you can set

ssl_curve_list = brainpoolP512r1

And then you can connect again.

Aki
From 71ceeaaed73af48eb2cdfd2e1d953ee645c2e9b2 Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tu...@dovecot.fi>
Date: Tue, 31 Jul 2018 08:45:29 +0300
Subject: [PATCH] lib-master: Copy ssl_curve_list setting

Otherwise it won't get used.

Broken in 30dca95419
---
 src/lib-master/master-service-ssl-settings.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/lib-master/master-service-ssl-settings.c b/src/lib-master/master-service-ssl-settings.c
index 2434e3632c..2bc59b0f4d 100644
--- a/src/lib-master/master-service-ssl-settings.c
+++ b/src/lib-master/master-service-ssl-settings.c
@@ -213,4 +213,5 @@ void master_service_ssl_settings_to_iostream_set(
 	set_r->prefer_server_ciphers = ssl_set->ssl_prefer_server_ciphers;
 	set_r->compression = ssl_set->parsed_opts.compression;
 	set_r->tickets = ssl_set->parsed_opts.tickets;
+	set_r->curve_list = p_strdup(pool, ssl_set->ssl_curve_list);
 }
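Review bot: the commit message for the one-line addition at the end of master_service_ssl_settings_to_iostream_set() does not state the user-visible effect. Since 30dca95419 a configured ssl_curve_list was not copied into set_r, so a curve restriction set by the administrator was silently not applied; saying so makes the fix easier to triage for backports. The function copies settings field by field, so a test that sets every ssl_* option and checks that it arrives in set_r would catch the next omitted field. Also confirm that an unset ssl_curve_list is still treated as "use the library defaults" after the p_strdup() copy.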
-- 
2.14.3
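
Added example, not part of the original thread or of dovecot/OpenSSL: a small parser for the raw supported_groups extension shown in the tcpdump above, which reports whether any RFC 7027 brainpool group is offered. The first sample is built from the values in that dump; the second sample and all function names are constructed for illustration.

```python
import struct

EXT_SUPPORTED_GROUPS = 10  # extension type shown in the dump

# TLS group codepoints; the brainpool values are those assigned by RFC 7027.
GROUP_NAMES = {
    0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1",
    0x001A: "brainpoolP256r1", 0x001B: "brainpoolP384r1",
    0x001C: "brainpoolP512r1", 0x001D: "x25519",
}
BRAINPOOL = {0x001A, 0x001B, 0x001C}

# Constructed from the dump in the thread: len=10, list length 8, 4 groups.
FROM_THREAD = bytes.fromhex("000a000a0008001d001700190018")
# Constructed: a hello that offers only brainpoolP512r1.
WITH_BRAINPOOL = bytes.fromhex("000a00040002001c")


def parse_supported_groups(ext: bytes) -> list:
    """Parse one raw extension (type, length, body); return group ids in order."""
    if len(ext) < 6:
        raise ValueError("truncated extension header")
    ext_type, ext_len, list_len = struct.unpack_from("!HHH", ext, 0)
    if ext_type != EXT_SUPPORTED_GROUPS:
        raise ValueError(f"not supported_groups (type {ext_type})")
    if ext_len != len(ext) - 4 or list_len != ext_len - 2:
        raise ValueError("length fields do not match the data")
    if list_len == 0 or list_len % 2:
        raise ValueError("group list must be a non-empty run of 2-byte ids")
    return list(struct.unpack_from(f"!{list_len // 2}H", ext, 6))


def describe(ext: bytes) -> list:
    """Group names in the order offered; unknown ids are shown in hex."""
    return [GROUP_NAMES.get(g, f"unknown(0x{g:04x})")
            for g in parse_supported_groups(ext)]


def offered_brainpool(ext: bytes) -> list:
    """Names of the brainpool groups offered (empty list if none)."""
    return [GROUP_NAMES[g] for g in parse_supported_groups(ext) if g in BRAINPOOL]


if __name__ == "__main__":
    for label, ext in (("thread dump", FROM_THREAD), ("constructed", WITH_BRAINPOOL)):
        print(label, describe(ext), "brainpool:", offered_brainpool(ext) or "none")
```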