> On 22/09/2020 20:05 PGNet Dev <pgnet....@gmail.com> wrote:
> 
>  
> bump
> 
> On 8/24/20 5:17 PM, PGNet Dev wrote:
> >   I've
> > 
> >     dovecot --version
> >             2.3.10.1 (a3d0e1171)
> >     openssl version
> >             OpenSSL 1.1.1g FIPS  21 Apr 2020
> > 
> > , at the moment on Fedora 32.
> > 
> > I configure
> > 
> >     /etc/pki/tls/openssl.cnf
> > 
> > to set preferences for apps' usage, e.g. Postfix etc; Typically, here
> > 
> >     cat /etc/pki/tls/openssl.cnf
> > 
> >             openssl_conf = default_conf
> > 
> >             [default_conf]
> >             ssl_conf = ssl_sect
> > 
> >             [ssl_sect]
> >             system_default = system_default_sect
> > 
> >             [system_default_sect]
> >             MinProtocol = TLSv1.2
> >             Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
> >             CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
> >             Options = PrioritizeChaCha,ServerPreference
> > 
> > However, any/all sends from local client via Dovecot submission -- from an 
> > instance on the same server --  FAILS with that^^ openssl.cnf,
> > 
> >     ==> /var/log/dovecot/dovecot.log <==
> >             ...
> >             2020-08-24 17:04:42 submission(testu...@example.com)<D4c5c6itUg2sHgsH>: Error: smtp-client: conn int.mx.example.net:465 (10.0.4.65:465) [1]: connect(int.mx.example.net:465) failed: Failed to initialize SSL: Couldn't initialize SSL context: Can't load SSL certificate: error:14187180:SSL routines:ssl_do_config:bad value: section=system_default, cmd=Options, arg=ServerPreference,PrioritizeChaCha
> >             2020-08-24 17:04:42 submission(testu...@example.com)<D4c5c6itUg2sHgsH>: Error: Failed to establish relay connection: Failed to connect to remote server
> >             ...
> > 
> > editing,
> > 
> > -           Options = PrioritizeChaCha,ServerPreference
> > +           Options = PrioritizeChaCha
> > 
> > cures the error
> > 
> >     ==> /var/log/dovecot/dovecot.log <==
> >             ...
> >             2020-08-24 17:08:04 submission(testu...@example.com)<Uow+f6itZg2sHgsH>: Info: Successfully relayed message: from=<testu...@example.com>, size=433, id=Mh4pJWRWRF9jHQAAVDn7pA, nrcpt=1, reply=`250 2.0.0 Ok: queued as 4Bb8TJ4VQbz7v6t'
> >             ...
> > 
> > checking ssl docs
> > 
> >     https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html
> > 
> > BOTH are valid 'Options',
> > 
> >     ...
> >     ServerPreference: use server and not client preference order when 
> > determining which cipher suite, signature algorithm or elliptic curve to 
> > use for an incoming connection. Equivalent to 
> > SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by servers.
> > 
> >     PrioritizeChaCha: prioritizes ChaCha ciphers when the client has a 
> > ChaCha20 cipher at the top of its preference list. This usually indicates a 
> > mobile client is in use. Equivalent to SSL_OP_PRIORITIZE_CHACHA. Only used 
> > by servers.
> >     ...
> > 
> > 
> > The mere presence of that option in a system-wide openssl.cnf shouldn't 
> > cause a Dovecot submission failure.
> >

Well, Dovecot does not actually do any parsing of the system-wide openssl.cnf.
This sounds more like an OpenSSL issue than a Dovecot issue.

Aki
