On 08 May 2020, at 09:43, Steve Egbert <s.egb...@sbcglobal.net> wrote:

> I have an operational need to disable TLSv1.3 due to inadequate support to
> exclude certain ciphers.

There is no need to disable TLSv1.3 and attempts to do so will be flagged as “downgrade attacks”.

> Much to my dismay, the `ssl_protocols` had been renamed and re-functionalized
> into `ssl_min_protocol`.
>
> Now, there is no way to exclude a specific group of one or more TLS versions.

There is no way to disable a more secure protocol, that is correct. This is how it should be and I am sure this decision was intentional to prevent many different attack vectors.

> I'm still being hammered with the following error with Thunderbird 76.0b3,
> Dovecot 2.3.4.1-5+deb10u1, Debian 11:
>
> May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x10, ret=1:
> before SSL initialization
> May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
> before SSL initialization
> May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:
> before SSL initialization
> May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
> before SSL initialization
> May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL alert: where=0x4008,
> ret=582: fatal protocol version
> May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:
> error
> May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL error: SSL_accept()
> failed: error:14209102:SSL
> routines:tls_early_post_process_client_hello:unsupported protocol
> May 8 11:15:47 ns1 dovecot: imap-login: Disconnected (disconnected before
> auth was ready, waited 0 secs): user=<>, rip=XX.XX.XX.XX, lip=XX.XX.XX.XX,
> TLS handshaking: SSL_accept() failed: error:14209102:SSL
> routines:tls_early_post_process_client_hello:unsupported protocol,
> session=<GN/GeCSlYuhEhl2U>
> May 8 11:15:47 ns1 dovecot: imap-login: Debug: SSL error: SSL_accept()
> syscall failed: Invalid argument

Thunderbird 76 works fine with dovecot 2.3.10 (I just checked).
Not sure what you did to your config or if this was something fixed since 2.3.4.

> This occurred when specifying one TLSv1.3 cipher to be excluded in ssl_cipher
> via an exclamation mark.

If you disable a cipher that causes Tbird to drop from TLSv1.3 to TLSv1.2 this will probably be seen as a downgrade attack.

What cipher are you disabling and why?

> On a side note of IMAP client, Latest Mozilla Thunderbird had its pref
> setting security.tls.version.fallback-limit to 4 (TLSv1.3), of which I have
> adjusted it to 3 (TLSv1.2) and it .... works when Dovecot is set to TLSv1.2.

AFAIK you cannot force TLSv1.2 when you have TLSv1.3 available.

--
I WILL NOT EXPOSE THE IGNORANCE OF THE FACULTY
Bart chalkboard Ep. 8F15
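The quoted imap-login output shows the pattern an operator sees when a TLS policy change rejects a client: an "SSL alert ... fatal protocol version" debug line followed by a "Disconnected ... TLS handshaking: SSL_accept() failed: ... unsupported protocol" line that carries the client address and session id. The script below is an added example, not code from this thread or from the Dovecot project; it parses those Disconnected lines and groups failed handshakes by the OpenSSL reason string so that a burst of "unsupported protocol" failures after a configuration change can be told apart from certificate or cipher problems. The log lines are constructed to match the format quoted above, and the IP addresses and session ids in the sample are placeholders.

```python
"""Classify Dovecot imap-login TLS handshake failures from log lines.

Added example (not from the mailing-list thread or the Dovecot project).
The regexes follow the "Disconnected (...): user=<>, rip=..., lip=...,
TLS handshaking: SSL_accept() failed: <openssl error>, session=<...>"
line format quoted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the quoted imap-login output.
# IPs are documentation ranges and session ids are placeholders.
SAMPLE_LOG = """\
May  8 11:15:47 ns1 dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
May  8 11:15:47 ns1 dovecot: imap-login: Debug: SSL alert: where=0x4008, ret=582: fatal protocol version
May  8 11:15:47 ns1 dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
May  8 11:15:47 ns1 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol, session=<GN/GeCSlYuhEhl2U>
May  8 11:16:02 ns1 dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.0.2.11, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca, session=<constructed01>
May  8 11:16:30 ns1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.12, lip=198.51.100.5, TLS, session=<constructed02>
"""

# Only the Disconnected line carries client address, session id and the
# OpenSSL error together, so that is the one we key on.
DISCONNECT_RE = re.compile(
    r"imap-login: Disconnected \((?P<why>[^)]*)\): user=<(?P<user>[^>]*)>, "
    r"rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+), "
    r"TLS handshaking: SSL_accept\(\) failed: (?P<err>.+?), session=<(?P<session>[^>]+)>"
)

# OpenSSL error strings look like error:<code>:<lib>:<function>:<reason>.
OPENSSL_ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)"
)


def parse_disconnect(line):
    """Return a dict for a TLS-handshake Disconnected line, else None."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    e = OPENSSL_ERR_RE.match(rec["err"])
    rec["func"] = e.group("func") if e else ""
    rec["reason"] = e.group("reason") if e else rec["err"]
    return rec


def classify(reason):
    """Map an OpenSSL reason string to a coarse failure class.

    'unsupported protocol' is what OpenSSL reports when the client's
    offered versions fall outside the server's allowed range, e.g. after
    raising ssl_min_protocol; 'no shared cipher' is the analogous report
    for a cipher-list mismatch.
    """
    if reason == "unsupported protocol":
        return "version-mismatch"
    if reason.startswith("no shared cipher"):
        return "cipher-mismatch"
    return "other"


def summarize(log_text):
    """Group failed handshakes by class -> list of (rip, session, reason)."""
    by_class = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_disconnect(line)
        if rec is None:
            continue
        by_class[classify(rec["reason"])].append(
            (rec["rip"], rec["session"], rec["reason"])
        )
    return dict(by_class)


if __name__ == "__main__":
    for cls, entries in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{cls}: {len(entries)} failure(s)")
        for rip, session, reason in entries:
            print(f"  rip={rip} session={session} reason={reason}")
```

Running it on the sample prints one version-mismatch entry for 192.0.2.10 and one "other" entry for the constructed unknown-CA failure; the successful Login line is ignored. When the version-mismatch bucket fills with many distinct client addresses immediately after a TLS configuration change, the server's own policy (rather than a client-side downgrade) is the first thing to check. One caveat worth knowing when reading such results against a Dovecot 2.3 configuration on OpenSSL 1.1.1: the legacy cipher string (the `ssl_cipher` list, which OpenSSL applies through SSL_CTX_set_cipher_list) does not govern TLSv1.3 cipher suites, which OpenSSL configures separately through SSL_CTX_set_ciphersuites, so a `!`-exclusion of a TLSv1.3 suite in that string does not by itself change what TLSv1.3 negotiates.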