Bug 1786382

Summary: Support for TLSv1.3 in dovecot
Product: Red Hat Enterprise Linux 8
Component: dovecot
Version: 8.0
Status: CLOSED CURRENTRELEASE
Reporter: Dimitris <centos>
Assignee: Michal Hlavinka <mhlavink>
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
CC: mpoole, onatalen, reupke
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Type: Bug
Last Closed: 2020-10-20 14:36:52 UTC

Description Dimitris 2019-12-24 22:41:37 UTC
Description of problem:

If we try to use dovecot with TLS v1.3, it fails to accept connections.


Version-Release number of selected component (if applicable):

dovecot-2.2.36-5.el8_0.1.x86_64


How reproducible:

always


Steps to Reproduce:
1. modify /etc/dovecot/conf.d/10-ssl.conf with: ssl_protocols = TLSv1.2 TLSv1.3
2. systemctl restart dovecot
3. openssl s_client -connect localhost:993


Actual results:

dovecot[14857]: imap-login: Fatal: Unknown ssl_protocols setting: Unrecognized protocol 'TLSv1.3'


Expected results:

connection ok

Additional info:

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 336 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Comment 1 Dimitris 2019-12-24 22:46:05 UTC
I believe I did not make this clear: if I replace the "TLSv1.3" setting with "TLSv1.2", the connection is successful and shows the following:

Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384

For some reason, forcing TLS v1.2 results in v1.3.

Bug or "feature"?

Comment 3 Martin Poole 2020-06-05 14:44:43 UTC
dovecot on RHEL8 has been updated to v2.3.8

Part of the update includes changes to the protocol setting:

    "ssl_protocols setting was replaced by ssl_min_protocol. Now you only specify the minimum ssl protocol version Dovecot accepts, defaulting to TLSv1."

Modulo the limits enforced by crypto-policies, simply setting "ssl_min_protocol = TLSv1.2" should give the desired result.
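
The reproduction steps in the description and the ssl_min_protocol migration in comment 3, as an added example that is not part of the bug report or of Dovecot itself: a small POSIX shell helper that derives the ssl_min_protocol value from an old positive ssl_protocols list, and that parses openssl s_client output to confirm which version a server actually negotiated, so the "forcing TLS v1.2 results in v1.3" observation from comment 1 can be checked version by version. The function and variable names are the editor's own; the two sample transcripts are constructed from the output quoted in this report; probe_tls needs a reachable server and an OpenSSL that knows the -tls1_3 flag (1.1.1 or later).

```shell
#!/bin/sh
# Added example, not Dovecot's or the reporter's code.
# Helpers for migrating `ssl_protocols` (removed in dovecot 2.3) to
# `ssl_min_protocol`, and for verifying what a server really negotiates.

# Map a protocol name to a sortable rank; 0 means "not a known version".
tls_rank() {
    case "$1" in
        SSLv3)   echo 30 ;;
        TLSv1)   echo 31 ;;
        TLSv1.1) echo 32 ;;
        TLSv1.2) echo 33 ;;
        TLSv1.3) echo 34 ;;
        *)       echo 0 ;;
    esac
}

# min_protocol "TLSv1.2 TLSv1.3" -> TLSv1.2
# Prints the lowest version of an old positive ssl_protocols list, which is
# the value ssl_min_protocol takes. Negated entries such as "!SSLv3" are
# refused: the new setting only expresses a floor, so such a list needs a
# hand-picked minimum rather than a mechanical conversion.
min_protocol() {
    lowest=""
    lowest_rank=99
    for v in $1; do
        case "$v" in
            !*) echo "negated entry '$v' has no ssl_min_protocol equivalent" >&2; return 1 ;;
        esac
        r=$(tls_rank "$v")
        [ "$r" -eq 0 ] && { echo "unknown protocol '$v'" >&2; return 1; }
        if [ "$r" -lt "$lowest_rank" ]; then
            lowest_rank=$r
            lowest=$v
        fi
    done
    [ -n "$lowest" ] || return 1
    echo "$lowest"
}

# Read `openssl s_client` output on stdin and print the negotiated protocol,
# or "none" when the handshake failed. s_client marks a failed handshake with
# "Cipher is (NONE)" (seen next to write:errno=104 in this report), and that
# takes precedence over any Protocol line in the SSL-Session block.
negotiated_protocol() {
    awk '
        /Cipher is \(NONE\)/ { failed = 1 }
        /^ *Protocol *:/     { proto = $3 }
        END { if (failed || proto == "") print "none"; else print proto }'
}

# probe_tls HOST PORT -tls1_2   (or -tls1_1, -tls1_3, ...)
# Forces one client version so the server's floor can be checked directly.
# stdin is closed so s_client exits after the handshake.
probe_tls() {
    openssl s_client -connect "$1:$2" "$3" </dev/null 2>/dev/null | negotiated_protocol
}

# Constructed samples, taken from the transcripts quoted in this report.
SAMPLE_OK='Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'

SAMPLE_FAIL='CONNECTED(00000003)
write:errno=104
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : 0000'

# `sh tls_check.sh demo` runs the offline parts; `sh tls_check.sh probe` talks
# to a local dovecot on 993 (assumed port from the report's reproduction steps).
case "${1:-}" in
    demo)
        echo "ssl_min_protocol = $(min_protocol "TLSv1.2 TLSv1.3")"
        echo "ok transcript:     $(printf '%s\n' "$SAMPLE_OK"   | negotiated_protocol)"
        echo "failed transcript: $(printf '%s\n' "$SAMPLE_FAIL" | negotiated_protocol)"
        ;;
    probe)
        for flag in -tls1_1 -tls1_2 -tls1_3; do
            echo "$flag: $(probe_tls localhost 993 "$flag")"
        done
        ;;
esac
```

After switching to ssl_min_protocol = TLSv1.2 and restarting dovecot, the probe loop is the check worth keeping: -tls1_1 should report none while -tls1_2 and -tls1_3 report their own version. If -tls1_1 already fails before the change, the system crypto policy that comment 3 mentions is refusing it ahead of Dovecot's own setting, so do not read that as proof the Dovecot floor is in effect.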

Comment 5 Michal Hlavinka 2020-10-20 14:36:52 UTC
Closing, based on comment #3, as it provides the requested functionality and it's the route upstream went.