[Bug 1836180] Re: TLS1.2 and newer not available in dovecot
[Expired for dovecot (Ubuntu) because there has been no activity for 60 days.]

** Changed in: dovecot (Ubuntu)
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1836180

Title:
  TLS1.2 and newer not available in dovecot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/1836180/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1836180] Re: TLS1.2 and newer not available in dovecot
With or without this line in /etc/dovecot/conf.d/10-ssl.conf, openssl
s_client -connect localhost:993 uses TLSv1.3:

ssl_protocols = !SSLv2 !SSLv3

Could you perhaps "grep ssl -r /etc/dovecot" and see if it's being
changed elsewhere?

And perhaps paste this if you can (in terms of sanitization):

# cat conf.d/10-ssl.conf |grep -vE "^(#|$)"
ssl = yes
ssl_cert =

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1836180] Re: TLS1.2 and newer not available in dovecot
Thanks for testing on your end, Christian. I did the same and can
confirm that it works without any issues with default packages and
default configuration files.

I've played around a bit more with the (identical) configuration files
(of both 14.04 and 18.04) and noticed, if I comment out the
"ssl_protocols" directive ("#ssl_protocols = !SSLv2 !SSLv3") then
TLSv1.2 is offered without any issues. As soon as I enable it again,
only TLSv1.0 and TLSv1.1 are available.

So I am certain this is somehow a configuration issue and not a
software bug/issue. Again thanks for reproducing on your end.
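The message above turns on what a Dovecot 2.2 `ssl_protocols` value actually leaves enabled. The following is an added example, not code from the thread or from Dovecot: it models the documented rule for that setting (entries prefixed with `!` are removed from the full set; any entry listed without `!` turns the value into an allow-list, with exclusions still winning) and audits `dovecot -n` output for it. The protocol name list, the helper names and the sample `dovecot -n` text are assumptions constructed for the example; the reporter's observation that the line restricted the server to TLSv1.0/1.1 is exactly the kind of gap between nominal config and live behaviour that a handshake test, not this audit, settles.

```python
"""Audit the TLS-related settings in ``dovecot -n`` output (constructed example)."""
import re
from typing import Dict, List, Set

# Protocol names Dovecot 2.2 accepts in ssl_protocols (assumption: treated here
# as the complete list; TLSv1.3 is only meaningful with OpenSSL 1.1.1 or newer).
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MODERN = {"TLSv1.2", "TLSv1.3"}


def effective_protocols(value: str) -> Set[str]:
    """Return the protocols an ssl_protocols value leaves enabled.

    Documented semantics, as modelled here: "!X" excludes X from the full set;
    listing any protocol without "!" switches to an allow-list of those entries,
    and exclusions still override inclusions.
    """
    include, exclude = set(), set()
    for token in value.split():
        name = token.lstrip("!")
        canon = next((k for k in KNOWN if k.lower() == name.lower()), None)
        if canon is None:
            raise ValueError(f"unknown protocol name in ssl_protocols: {token!r}")
        (exclude if token.startswith("!") else include).add(canon)
    base = include if include else set(KNOWN)
    return base - exclude


def dovecot_n_settings(text: str) -> Dict[str, str]:
    """Extract top-level ``key = value`` lines from ``dovecot -n`` output.

    Indented lines belong to nested blocks (service/inet_listener) and are skipped,
    so a per-listener ``ssl = yes`` does not mask the global setting.
    """
    settings = {}
    for line in text.splitlines():
        if line.startswith((" ", "\t")):
            continue
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line.strip())
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def audit(text: str) -> List[str]:
    """Return findings for the global ssl / ssl_protocols settings."""
    s = dovecot_n_settings(text)
    findings = []
    if s.get("ssl", "no") not in ("yes", "required"):
        findings.append("ssl is not enabled")
    # "!SSLv2 !SSLv3" is the Dovecot 2.2 default when the directive is absent.
    enabled = effective_protocols(s.get("ssl_protocols", "!SSLv2 !SSLv3"))
    legacy = enabled & LEGACY
    if legacy:
        findings.append("legacy protocols still allowed by config: "
                        + ", ".join(sorted(legacy)))
    if not enabled & MODERN:
        findings.append("no TLS 1.2+ protocol enabled by config")
    return findings


# Constructed sample of ``dovecot -n`` output; not one of the thread's attachments.
SAMPLE_DOVECOT_N = """\
# 2.2.x (constructed sample): /etc/dovecot/dovecot.conf
protocols = imap
ssl = yes
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.key
ssl_protocols = !SSLv2 !SSLv3
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_DOVECOT_N) or ["no findings"]:
        print(finding)
```

Run against real output with `dovecot -n | python3 audit.py` after replacing the sample with `sys.stdin.read()`; a finding that the config still allows TLSv1/TLSv1.1 is a prompt to set an explicit allow-list, and any result should be confirmed with a per-version `openssl s_client` handshake.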
[Bug 1836180] Re: TLS1.2 and newer not available in dovecot
I took a new system (one bionic and one eoan to check the latest)

$ apt install dovecot-imapd nmap
$ nmap -Pn --script ssl-enum-ciphers -p 993 localhost

They BOTH reported TLS 1.0/1.1/1.2

Full logs:
Bionic: http://paste.ubuntu.com/p/rYCzQ5Xwkw/
Eoan: https://paste.ubuntu.com/p/fDP6y8WbKP/

I don't know what happened to disable TLS 1.2 for your 18.04 system.
But since the default install works out of the box I'd assume some
configuration change?
Maybe you could start fresh and check on which config change (starting
with the base install) it goes away.

About TLS 1.3 - this was a rather new addition to Bionic (openssl 1.1.1),
I first expected that one might need to recompile dovecot to pick things
up?
But that alone can't be it, the version in Eoan was built against
1.1.1b-2ubuntu1 and also reports only up to TLS 1.2.

Then I realized it might be nmap just not knowing about things.
Since Dovecot just says "relies on openssl" (all you can configure is
the minimum in /etc/dovecot/conf.d/10-ssl.conf).

And it turns out it works fine

$ openssl s_client -connect localhost:993 -crlf

Returns having set up a TLS 1.3 connection in both cases
Bionic: http://paste.ubuntu.com/p/cD8gZY5Jpj/
Eoan: https://paste.ubuntu.com/p/5MBpwRtcXG/

I think this is no issue at all, could you take a look again at your
systems if it is either config or just nmap not understanding all of it?

** Changed in: dovecot (Ubuntu)
       Status: New => Incomplete
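The message above makes the practical point that a scanner's protocol list (nmap's ssl-enum-ciphers here) can lag the library, while a direct `openssl s_client` handshake shows what the server really negotiates. The following is an added example, not code from the thread: it wraps the same `openssl s_client -connect host:port -crlf` call, once per protocol version using the `-tls1`, `-tls1_1`, `-tls1_2` and `-tls1_3` flags, and parses the `New, <version>, Cipher is <cipher>` and `Protocol  :` lines of the output. The function names, the 10-second timeout and the two sample output fragments are assumptions constructed for the example.

```python
"""Probe which TLS versions a server accepts with one openssl s_client run each
(constructed example; the sample outputs below are not captured from a real host)."""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# s_client flag per version. An OpenSSL build that predates TLS 1.3 rejects
# -tls1_3 outright, which this runner reports as a rejection by the server, so
# check `openssl version` when TLSv1.3 unexpectedly shows as rejected.
VERSION_FLAGS = [("TLSv1", "-tls1"), ("TLSv1.1", "-tls1_1"),
                 ("TLSv1.2", "-tls1_2"), ("TLSv1.3", "-tls1_3")]

NEW_LINE = re.compile(r"^New, ([^,]+), Cipher is (\S+)", re.M)
PROTO_LINE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)


def parse_s_client(output: str) -> Optional[Tuple[str, str]]:
    """Return (protocol, cipher) from s_client output, or None if no session was set up.

    A failed handshake still prints a session block, but with "Cipher is (NONE)".
    """
    m = NEW_LINE.search(output)
    if m is None or m.group(2) == "(NONE)":
        return None
    proto = PROTO_LINE.search(output)
    return (proto.group(1) if proto else m.group(1), m.group(2))


def probe_version(host: str, port: int, flag: str,
                  timeout: float = 10.0) -> Optional[Tuple[str, str]]:
    """Run s_client pinned to one protocol version; None means no handshake."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-crlf", flag]
    try:
        # Empty stdin makes s_client close the connection right after the handshake.
        proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return None
    if proc.returncode != 0:
        return None
    return parse_s_client(proc.stdout.decode(errors="replace"))


def probe_all(host: str, port: int) -> Dict[str, Optional[Tuple[str, str]]]:
    """Probe every version in VERSION_FLAGS, in order."""
    return {name: probe_version(host, port, flag) for name, flag in VERSION_FLAGS}


def verdict(results: Dict[str, Optional[Tuple[str, str]]]) -> Dict[str, List[str]]:
    """Split accepted versions into legacy (TLS 1.0/1.1) and modern (TLS 1.2+)."""
    accepted = [v for v, r in results.items() if r is not None]
    return {
        "accepted": accepted,
        "legacy_accepted": [v for v in accepted if v in ("TLSv1", "TLSv1.1")],
        "modern_accepted": [v for v in accepted if v in ("TLSv1.2", "TLSv1.3")],
    }


# Constructed s_client output fragments used for offline testing.
SAMPLE_OK = """\
CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
"""
SAMPLE_FAIL = """\
CONNECTED(00000003)
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 993
    results = probe_all(host, port)
    for name, result in results.items():
        print(f"{name:8s} {'accepted, ' + result[1] if result else 'rejected'}")
    print(verdict(results))
```

Usage: `python3 tlsprobe.py mail.example.invalid 993` (placeholder host). Unlike a cipher enumeration script, each run forces exactly one version, so a server that answers `-tls1_2` and `-tls1_3` but refuses `-tls1` and `-tls1_1` is confirmed to have TLS 1.2+ enabled regardless of what a scanner's version table knows about.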
[Bug 1836180] Re: TLS1.2 and newer not available in dovecot
** Attachment added: "[14.04] "dovecot -n" output"
   https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/1836180/+attachment/5276445/+files/14-04.mail.hostname-dovecot-n.txt
[Bug 1836180] Re: TLS1.2 and newer not available in dovecot
** Attachment added: "[18.04] "dovecot -n" output"
   https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/1836180/+attachment/5276444/+files/18-04.mail.hostname-dovecot-n.txt