I've

        dovecot --version
                2.3.10.1 (a3d0e1171)
        openssl version
                OpenSSL 1.1.1g FIPS  21 Apr 2020

, atm on Fedora 32.

I configure

        /etc/pki/tls/openssl.cnf

to set preferences for apps' usage, e.g. Postfix etc. Typically, here

        cat /etc/pki/tls/openssl.cnf

                openssl_conf = default_conf

                [default_conf]
                ssl_conf = ssl_sect

                [ssl_sect]
                system_default = system_default_sect

                [system_default_sect]
                MinProtocol = TLSv1.2
                Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
                CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
                Options = PrioritizeChaCha,ServerPreference

However, any/all sends from a local client via Dovecot submission -- from an
instance on the same server -- FAIL with that^^ openssl.cnf,

        ==> /var/log/dovecot/dovecot.log <==
                ...
                2020-08-24 17:04:42 submission(testu...@example.com)<D4c5c6itUg2sHgsH>: Error: smtp-client: conn int.mx.example.net:465 (10.0.4.65:465) [1]: connect(int.mx.example.net:465) failed: Failed to initialize SSL: Couldn't initialize SSL context: Can't load SSL certificate: error:14187180:SSL routines:ssl_do_config:bad value: section=system_default, cmd=Options, arg=ServerPreference,PrioritizeChaCha
                2020-08-24 17:04:42 submission(testu...@example.com)<D4c5c6itUg2sHgsH>: Error: Failed to establish relay connection: Failed to connect to remote server
                ...

editing,

-               Options = PrioritizeChaCha,ServerPreference
+               Options = PrioritizeChaCha
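Review bot: this edit is a host-wide change rather than a fix for the submission relay alone: the system_default section of openssl.cnf applies to every OpenSSL consumer on the machine, so dropping ServerPreference here also removes server-side cipher ordering for the server processes that read it, not only for the failing client path. The log line shows the rejection coming from Dovecot's smtp-client, i.e. a client-side SSL context, and the SSL_CONF_cmd(3) text quoted further down marks ServerPreference as "Only used by servers", so the option is being refused exactly where the docs say it is not used. Before keeping `Options = PrioritizeChaCha` as the system default, confirm that the server-side services on this host still prefer server ordering through their own settings, or state in the change that the loss is intended.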

cures the error

        ==> /var/log/dovecot/dovecot.log <==
                ...
                2020-08-24 17:08:04 submission(testu...@example.com)<Uow+f6itZg2sHgsH>: Info: Successfully relayed message: from=<testu...@example.com>, size=433, id=Mh4pJWRWRF9jHQAAVDn7pA, nrcpt=1, reply=`250 2.0.0 Ok: queued as 4Bb8TJ4VQbz7v6t'
                ...

checking ssl docs

        https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html

BOTH are valid 'Options',

        ...
        ServerPreference: use server and not client preference order when 
determining which cipher suite, signature algorithm or elliptic curve to use 
for an incoming connection. Equivalent to SSL_OP_CIPHER_SERVER_PREFERENCE. Only 
used by servers.

        PrioritizeChaCha: prioritizes ChaCha ciphers when the client has a 
ChaCha20 cipher at the top of its preference list. This usually indicates a 
mobile client is in use. Equivalent to SSL_OP_PRIORITIZE_CHACHA. Only used by 
servers.
        ...


The mere presence of that option in a system-wide openssl.cnf shouldn't cause a 
Dovecot submission failure.
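To see concretely how that openssl.cnf reaches its command section, and which of the Options in it the quoted SSL_CONF_cmd(3) text marks as server-only, here is an added Python helper. It is not Dovecot's or OpenSSL's code and is not from the original post: it parses only the plain `[section]` / `key = value` subset of the openssl.cnf format shown above (no `.include`, no `$variable` expansion), follows the openssl_conf -> ssl_conf -> system_default chain, splits the Options value (SSL_CONF_cmd(3) documents a leading `-` as disabling an option), and classifies each enabled option. The embedded sample config is the post's own file unwrapped; the two option sets, `DOCUMENTED_SERVER_ONLY` (both names the quoted man page calls "Only used by servers") and `REJECTED_BY_CLIENT_CTX` (the one name the post's smtp-client log actually refuses), and all function names are this helper's own assumptions.

```python
"""Resolve the system_default chain in an openssl.cnf and lint its Options.

Hypothetical helper written for this post; not Dovecot or OpenSSL code.
Handles only '[section]' headers and 'key = value' lines, with '#' comments;
.include directives and $variable expansion are out of scope.
"""
from typing import Dict, List, Tuple

# SSL_CONF_cmd(3), as quoted in the post, marks both of these "Only used by
# servers"; the post's log shows a client-side context rejecting only the first.
DOCUMENTED_SERVER_ONLY = frozenset({"ServerPreference", "PrioritizeChaCha"})
REJECTED_BY_CLIENT_CTX = frozenset({"ServerPreference"})

# Constructed sample: the post's /etc/pki/tls/openssl.cnf with wrapped lines rejoined.
SAMPLE_CNF = """\
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
Options = PrioritizeChaCha,ServerPreference
"""


def parse_cnf(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return (unnamed default section, {section name: {key: value}})."""
    default: Dict[str, str] = {}
    sections: Dict[str, Dict[str, str]] = {}
    current = default
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding space
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value': {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return default, sections


def resolve_system_default(text: str) -> Dict[str, str]:
    """Follow openssl_conf -> ssl_conf -> system_default to the SSL command section."""
    default, sections = parse_cnf(text)
    scope = default
    for key in ("openssl_conf", "ssl_conf", "system_default"):
        target = scope.get(key)
        if target is None:
            raise KeyError(f"{key} not set; no system-wide TLS defaults would apply")
        if target not in sections:
            raise KeyError(f"[{target}] (referenced by {key}) is missing")
        scope = sections[target]
    return scope


def parse_options(value: str) -> List[Tuple[str, bool]]:
    """Split an Options value into (name, enabled); a leading '-' disables the option."""
    out: List[Tuple[str, bool]] = []
    for tok in value.split(","):
        tok = tok.strip()
        if tok:
            out.append((tok.lstrip("-"), not tok.startswith("-")))
    return out


def lint_options(value: str) -> Dict[str, str]:
    """Classify each enabled option for use in a client-side SSL_CTX."""
    report: Dict[str, str] = {}
    for name, enabled in parse_options(value):
        if not enabled:
            continue
        if name in REJECTED_BY_CLIENT_CTX:
            report[name] = "rejected by client context"
        elif name in DOCUMENTED_SERVER_ONLY:
            report[name] = "documented server-only"
        else:
            report[name] = "ok"
    return report


def client_safe_options(value: str, drop=REJECTED_BY_CLIENT_CTX) -> str:
    """Rebuild the Options value without the names in `drop`, keeping '-' prefixes."""
    kept = [("" if on else "-") + name
            for name, on in parse_options(value) if name not in drop]
    return ",".join(kept)


if __name__ == "__main__":
    cmds = resolve_system_default(SAMPLE_CNF)
    for k, v in cmds.items():
        print(f"{k} = {v}")
    print("lint:", lint_options(cmds["Options"]))
    print("client-safe Options:", client_safe_options(cmds["Options"]))
```

To run it against the real file, call `resolve_system_default(open("/etc/pki/tls/openssl.cnf").read())` and feed the returned `Options` value to `lint_options`; `client_safe_options` reproduces the post's one-line edit in the general case, but, as the review note on that edit says, the result is a host-wide default, not a client-only override.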
