Control: tags -1 + confirmed

Hi Joey,

Thanks for the report!

On 11:45 Thu 14 Mar     , Joey Hess wrote:
> My dovecot installation dates from 2014 (2.2.13) and on upgrade to this
> version, it started failing on ssl connections:
> 
> Mar 13 19:01:40 kite dovecot[9278]: imap-login: Error: Failed to initialize 
> SSL server context: Can't load DH parameters: error:1408518A:SSL 
> routines:ssl3_ctx_ctrl:dh key too small: user=<>, rip=xxx, lip=xxx, 
> session=<45XeyQGEZOzOSmkw>
> 
> Fixing this involved adding this line to the config:
> ssl_dh = </usr/share/dovecot/dh.pem
> 
> There was no ssl_dh setting in my config before, so I guess it was using
> some other file by default which no longer provides valid DH params.

The old setting was called ssl_parameters and apart from the name 
change, the file format has also changed from DER to PEM. This is 
documented in the dovecot wiki[1], which is also being pointed to from 
within NEWS.Debian.

[1] https://wiki2.dovecot.org/Upgrading/2.3#dhparams

I'll give it some more thought, but I'm afraid that trying to resolve 
this automatically is not trivial, especially since the SSL config was 
managed outside the conffiles system for many years. I think the best 
thing to do is document this in the release notes, what do you think?

> 
> I also moved /var/lib/dovecot/ssl-parameters.dat out of the way, 
> which may or may not have been needed.

It was not needed, but the file is not useful anymore anyway.

> 
> This seems like the kind of upgrade breakage that would be worth documenting,
> or avoiding, rather than leave the user to diff conffiles and scratch their
> head.

Cheers,
Apollon
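
A check for the condition discussed in this thread, added here as an example (it is not part of the original message, the Debian package or Dovecot): it reports whether any file under a config directory sets `ssl_dh`, and notes a leftover legacy parameters file. The function names, the directory argument and the optional second argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: check a Dovecot config tree for the ssl_dh setting.
# Assumption: all config files live under the directory passed as $1.

# Print the path named by the last uncommented "ssl_dh = <path" line, if any.
find_ssl_dh() {
    conf_dir=$1
    # Commented-out lines ("#ssl_dh = ...") do not match the anchored pattern.
    # Dovecot's "<path" syntax reads the value from a file; strip "<" and spaces.
    grep -rhE '^[[:space:]]*ssl_dh[[:space:]]*=' "$conf_dir" 2>/dev/null |
        tail -n 1 |
        sed -E 's/^[^=]*=[[:space:]]*<?[[:space:]]*//; s/[[:space:]]+$//'
}

# Return 0 if ssl_dh is set, 1 if it is missing (the state reported above).
check_dovecot_dh() {
    conf_dir=$1
    # Legacy file path as quoted in the report; overridable for testing.
    legacy=${2:-/var/lib/dovecot/ssl-parameters.dat}
    dh_file=$(find_ssl_dh "$conf_dir")
    if [ -z "$dh_file" ]; then
        echo "MISSING: no ssl_dh setting under $conf_dir"
        if [ -e "$legacy" ]; then
            echo "NOTE: legacy $legacy is present but no longer used"
        fi
        return 1
    fi
    echo "OK: ssl_dh reads $dh_file"
    # If the file is readable and openssl is installed, print the first line
    # of openssl's description of the parameters (their size in bits).
    if [ -r "$dh_file" ] && command -v openssl >/dev/null 2>&1; then
        openssl dhparam -in "$dh_file" -noout -text 2>/dev/null | head -n 1
    fi
    return 0
}
```

Run it as `check_dovecot_dh /etc/dovecot` before restarting the service after the upgrade; a non-zero exit status means the `ssl_dh` line still has to be added.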
