Fun with dovecot and openssl 1.1


Fun with dovecot and openssl 1.1

Christian Boltz-5
Hello,

openssl 1.1 brought some fun with dovecot:

dovecot[4381]: lmtp(19209): Fatal: Invalid ssl_protocols setting:
Unknown protocol 'SSLv2'

The reason was this line in /etc/dovecot/conf.d/10-ssl.conf:

    ssl_protocols = !SSLv2 !SSLv3

Looks like support for SSLv2 was removed from openssl 1.1 completely
(not a bad move, it has been known to be insecure for years) - but no longer
recognizing it as an excluded protocol is (at least) a bit annoying ;-)

After removing the   !SSLv2   part, dovecot starts again.

I'm not sure if this is worth a bugreport on the openssl side, or if it
will be closed as "works as designed" instantly.

OTOH, the line I quoted matches the default dovecot config, so if this
change is intentional on the openssl side, the default config needs to
be updated.

So - who should receive a bugreport? openssl for breaking backward
compatibility, or dovecot to adjust the default config?


Regards,

Christian Boltz
--
Reason why a bot: the bot is just less 'stressed' and makes less
mistakes for such obvious things. And people can discuss with the bot
as much as they want. [Dominique Leuenberger in opensuse-packaging]

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: Fun with dovecot and openssl 1.1

Jan Engelhardt-4

On Sunday 2017-12-03 00:42, Christian Boltz wrote:
>The reason was this line in /etc/dovecot/conf.d/10-ssl.conf:
>
>    ssl_protocols = !SSLv2 !SSLv3
>
>Looks like support for SSLv2 was removed from openssl 1.1 completely
>(not a bad move, it has been known to be insecure for years) - but no longer
>recognizing it as an excluded protocol is (at least) a bit annoying ;-)

>So - who should receive a bugreport? openssl for breaking backward
>compatibility, or dovecot to adjust the default config?

Even though openssl removed the SSL_TXT_SSLV2 macro, one could also argue the
fault lies with the application. Compare this (non-dovecot) sample exhibiting
the same issue:

https://github.com/Kopano-dev/kopano-core/blob/master/common/ECChannel.cpp#L127

Note the distinct lack of a

#else
    else if (strcasecmp(ssl_name, "SSLv2") == 0) {
        ec_log_debug("OpenSSL does not know about SSLv2, and I don't either");
        continue;
    }
#endif

section that would have addressed the issue one way or another.
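To make the point about the application's responsibility concrete, here is an added example (not dovecot's or Kopano's code) of a parser for a dovecot-style ssl_protocols value: "!SSLv2" on a library build without SSLv2 is accepted as a no-op, while an attempt to enable SSLv2 is still rejected. The protocol tables and the select/exclude semantics are assumptions constructed for this example.

```c
#include <string.h>

/* Constructed tables, not dovecot's or OpenSSL's. SSLv2 is absent from the
 * "known" table to model an OpenSSL 1.1 build, where SSL_TXT_SSLV2 is gone;
 * it is listed as retired so that excluding it stays a harmless no-op. */
static const char *const known_protocols[] = { "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" };
static const char *const retired_protocols[] = { "SSLv2" };
#define LEN(a) (sizeof (a) / sizeof (a)[0])

enum { PROTO_UNKNOWN = -1, PROTO_RETIRED = -2 };

static int index_of(const char *const *list, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i], name) == 0)
            return (int)i;
    return -1;
}

/* Parse a dovecot-style ssl_protocols value such as "!SSLv2 !SSLv3".
 * Assumed semantics: a plain name selects a protocol, "!name" excludes one,
 * and a value made only of exclusions starts from everything known.
 * Returns a bitmask over known_protocols, or a negative PROTO_* code. */
int parse_ssl_protocols(const char *value)
{
    char buf[256] = "";
    unsigned enabled = 0, excluded = 0, any_positive = 0;
    strncat(buf, value, sizeof buf - 1);
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        int neg = tok[0] == '!';
        const char *name = neg ? tok + 1 : tok;
        int idx = index_of(known_protocols, LEN(known_protocols), name);
        if (idx >= 0) {
            if (neg) excluded |= 1u << idx;
            else { enabled |= 1u << idx; any_positive = 1; }
            continue;
        }
        int retired = index_of(retired_protocols, LEN(retired_protocols), name) >= 0;
        if (neg && retired)
            continue;   /* "!SSLv2" on OpenSSL 1.1: nothing to exclude, so accept it */
        return retired ? PROTO_RETIRED : PROTO_UNKNOWN;   /* enabling it is a real error */
    }
    if (!any_positive)
        enabled = (1u << LEN(known_protocols)) - 1;
    return (int)(enabled & ~excluded);
}
```

With this handling the stock "!SSLv2 !SSLv3" line keeps working after the library upgrade, and only a config that actually asks for SSLv2 fails.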


Re: Fun with dovecot and openssl 1.1

Marcus Meissner
On Sun, Dec 03, 2017 at 12:53:41AM +0100, Jan Engelhardt wrote:

>
> On Sunday 2017-12-03 00:42, Christian Boltz wrote:
> >The reason was this line in /etc/dovecot/conf.d/10-ssl.conf:
> >
> >    ssl_protocols = !SSLv2 !SSLv3
> >
> >Looks like support for SSLv2 was removed from openssl 1.1 completely
> >(not a bad move, it has been known to be insecure for years) - but no longer
> >recognizing it as an excluded protocol is (at least) a bit annoying ;-)
>
> >So - who should receive a bugreport? openssl for breaking backward
> >compatibility, or dovecot to adjust the default config?
>
> Even though openssl removed the SSL_TXT_SSLV2 macro, one could also argue the
> fault lies with the application. Compare this (non-dovecot) sample exhibiting
> the same issue:
>
> https://github.com/Kopano-dev/kopano-core/blob/master/common/ECChannel.cpp#L127
>
> Note the distinct lack of a
>
> #else
>     else if (strcasecmp(ssl_name, "SSLv2") == 0) {
>         ec_log_debug("OpenSSL does not know about SSLv2, and I don't either");
>         continue;
>     }
> #endif
>
> section that would have addressed the issue one way or another.

This needs either a bugreport and/or a fix submission please.

Ciao, Marcus


Re: Fun with dovecot and openssl 1.1

Freek de Kruijf
On Sunday 3 December 2017 09:11:48 CET, Marcus Meissner wrote:

> On Sun, Dec 03, 2017 at 12:53:41AM +0100, Jan Engelhardt wrote:
> > On Sunday 2017-12-03 00:42, Christian Boltz wrote:
> > >The reason was this line in /etc/dovecot/conf.d/10-ssl.conf:
> > >    ssl_protocols = !SSLv2 !SSLv3
> > >
> > >Looks like support for SSLv2 was removed from openssl 1.1 completely
> > >(not a bad move, it has been known to be insecure for years) - but no longer
> > >recognizing it as an excluded protocol is (at least) a bit annoying ;-)
> > >
> > >So - who should receive a bugreport? openssl for breaking backward
> > >compatibility, or dovecot to adjust the default config?
> >
> > Even though openssl removed the SSL_TXT_SSLV2 macro, one could also argue
> > the fault lies with the application. Compare this (non-dovecot) sample
> > exhibiting the same issue:
> >
> > https://github.com/Kopano-dev/kopano-core/blob/master/common/ECChannel.cpp#L127
> >
> > Note the distinct lack of a
> >
> > #else
> >     else if (strcasecmp(ssl_name, "SSLv2") == 0) {
> >         ec_log_debug("OpenSSL does not know about SSLv2, and I don't either");
> >         continue;
> >     }
> > #endif
> >
> > section that would have addressed the issue one way or another.
>
> This needs either a bugreport and/or a fix submission please.
>
> Ciao, Marcus

Bug report already in https://bugzilla.opensuse.org/show_bug.cgi?id=1070761

--
Kind regards,

Freek de Kruijf
openSUSE member
