> On 13/04/2020 12:35 Thomas Schneider <q...@chaotikum.eu> wrote:
>
> Good $daytime,
>
> as per the recommendations of Mozilla’s SSL config generator[0], I wanted to set ssl_min_protocol=TLSv1.3 in my dovecot config. This produced the error:
>
> imap-login: Error: Failed to initialize SSL server context: Unknown ssl_min_protocol setting 'TLSv1.3'
>
> After some digging, I found the function that parses this setting in src/lib-ssl-iostream/iostream-openssl-common.c (openssl_min_protocol_to_options()), which maps strings such as SSL_TXT_TLSV1_2 == "TLSv1.2" (from openssl/ssl.h) to the appropriate version and option defines of OpenSSL.
>
> Said openssl/ssl.h does not contain a SSL_TXT_TLSV1_3, so it’s no surprise that dovecot does not know this setting. As a quick fix, I could probably extend struct {…} protocol_versions[] (in iostream-openssl-common.c again) with an appropriate "TLSv1.3" entry (and send a patch), though I would also suggest to OpenSSL to add a SSL_TXT_TLSV1_3 define.
>
> Unfortunately, I have not found a config setting in dovecot to set SSL_OP_NO_TLSv1_2, or in fact any way to enforce TLS >=1.3, except maybe via the cipher list string.
>
> I think that dovecot should support setting this, and I’d also gladly provide a patch.
>
> Thanks,
> Thomas
Hi!

What version of Dovecot are you using? What OS/distro are you using?

I'm guessing you're seeing this, see https://dovecot.org/pipermail/dovecot/2019-December/117799.html

Aki
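The string-to-version lookup table that Thomas describes, with the "TLSv1.3" row he proposes adding, as an added example that is not Dovecot's code and not the openssl_min_protocol_to_options() function he names. The function name example_min_protocol_to_options(), the struct layout and the return convention are assumptions; the *_VERSION and SSL_OP_NO_* constants are copied from OpenSSL's ssl.h/tls1.h so the file builds without OpenSSL installed (real code would include <openssl/ssl.h> instead):

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Protocol version numbers and SSL_OP_NO_* flags, copied from OpenSSL's
 * ssl.h/tls1.h so this example compiles without OpenSSL installed.
 * Real code would #include <openssl/ssl.h> instead of defining these. */
#define SSL3_VERSION        0x0300
#define TLS1_VERSION        0x0301
#define TLS1_1_VERSION      0x0302
#define TLS1_2_VERSION      0x0303
#define TLS1_3_VERSION      0x0304
#define SSL_OP_NO_SSLv3     0x02000000UL
#define SSL_OP_NO_TLSv1     0x04000000UL
#define SSL_OP_NO_TLSv1_2   0x08000000UL
#define SSL_OP_NO_TLSv1_1   0x10000000UL
#define SSL_OP_NO_TLSv1_3   0x20000000UL

/* One row of the lookup table (hypothetical layout): the ssl_min_protocol
 * string, the *_VERSION value to hand to SSL_CTX_set_min_proto_version(),
 * and the SSL_OP_NO_* flag that disables exactly this version. */
struct protocol_version {
    const char *name;
    int version;
    unsigned long no_opt;
};

/* Ordered oldest to newest; the order drives the "disable everything older"
 * mask below.  "TLSv1.3" is spelled out as a literal because OpenSSL ships
 * SSL_TXT_TLSV1_2 but no SSL_TXT_TLSV1_3 define. */
static const struct protocol_version protocol_versions[] = {
    { "SSLv3",   SSL3_VERSION,   SSL_OP_NO_SSLv3   },
    { "TLSv1",   TLS1_VERSION,   SSL_OP_NO_TLSv1   },
    { "TLSv1.1", TLS1_1_VERSION, SSL_OP_NO_TLSv1_1 },
    { "TLSv1.2", TLS1_2_VERSION, SSL_OP_NO_TLSv1_2 },
    { "TLSv1.3", TLS1_3_VERSION, SSL_OP_NO_TLSv1_3 },
};

/* Resolve an ssl_min_protocol value (hypothetical function, not Dovecot's).
 * On success writes the minimum version and the OR of the SSL_OP_NO_* flags
 * of every protocol older than it (the mask a caller would pass to
 * SSL_CTX_set_options() on OpenSSL builds without
 * SSL_CTX_set_min_proto_version()) and returns 0.  Returns -1 for a string
 * that is not in the table, which is the "Unknown ssl_min_protocol setting"
 * case from the quoted error message. */
int example_min_protocol_to_options(const char *name, int *min_version_r,
                                    unsigned long *no_opts_r)
{
    unsigned long mask = 0;
    size_t i, n = sizeof(protocol_versions) / sizeof(protocol_versions[0]);

    for (i = 0; i < n; i++) {
        if (strcmp(protocol_versions[i].name, name) == 0) {
            *min_version_r = protocol_versions[i].version;
            *no_opts_r = mask;
            return 0;
        }
        /* Every version listed before the match must be disabled. */
        mask |= protocol_versions[i].no_opt;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample settings: two valid values and one unknown one. */
    const char *settings[] = { "TLSv1.2", "TLSv1.3", "TLSv1.4" };
    size_t i;

    for (i = 0; i < sizeof(settings) / sizeof(settings[0]); i++) {
        int version;
        unsigned long no_opts;

        if (example_min_protocol_to_options(settings[i], &version, &no_opts) < 0) {
            printf("Unknown ssl_min_protocol setting '%s'\n", settings[i]);
            continue;
        }
        printf("%-8s -> min version 0x%04x, SSL_OP_NO_* mask 0x%08lx\n",
               settings[i], version, no_opts);
    }
    return 0;
}
```

For "TLSv1.3" the function yields TLS1_3_VERSION and a mask of SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 (0x1E000000), which is exactly the SSL_OP_NO_TLSv1_2 bit Thomas could not find a setting for. On OpenSSL 1.1.0 and later the version value is the simpler route, since SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION) disables the older protocols in one call; the SSL_OP_NO_* mask is only needed for older library builds. The lookup is case-sensitive, so "tlsv1.3" is rejected the same way as a version that does not exist.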