From 2bf24e4c08dd652f9f4d2bdef639978ad7406d30 Mon Sep 17 00:00:00 2001 From: Brennan Kinney <5098581+polarathene@users.noreply.github.com> Date: Thu, 16 Sep 2021 01:28:42 +1200 Subject: [PATCH] fix: Relax openssl security level for `intermediate` TLS_LEVEL (#2193) Although these two config lines have not changed since `debian:buster-slim` image, Dovecot seems to now be affected by it which results in rejecting cipher suites below TLS v1.2. To continue supporting the `intermediate` TLS_LEVEL, we now need to relax the global config. Dovecot could alternatively be given a modified openssl config to only affect it's interaction with openssl. Postfix is unaffected and continues to support TLS <1.2 cipher suites when configured to. --- target/scripts/startup/setup-stack.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/target/scripts/startup/setup-stack.sh b/target/scripts/startup/setup-stack.sh index cd20a5e6..8f4f00b6 100644 --- a/target/scripts/startup/setup-stack.sh +++ b/target/scripts/startup/setup-stack.sh @@ -896,6 +896,14 @@ function _setup_ssl _apply_tls_level "${TLS_INTERMEDIATE_SUITE}" "${TLS_INTERMEDIATE_IGNORE}" "${TLS_INTERMEDIATE_MIN}" + # Lowers the minimum acceptable TLS version connection to `TLS 1.0` (from Debian upstream `TLS 1.2`) + # Lowers Security Level to `1` (from Debian upstream `2`) + # https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1 + # https://dovecot.org/pipermail/dovecot/2020-October/120225.html + # TODO: This is a fix for Debian Bullseye Dovecot. Deprecate TLS <1.2 to resolve properly. + sedfile -i 's|^MinProtocol = .*|MinProtocol = TLSv1|' /usr/lib/ssl/openssl.cnf + sedfile -i 's|^CipherString = .*|CipherString = DEFAULT@SECLEVEL=1|' /usr/lib/ssl/openssl.cnf + _notify 'inf' "TLS configured with 'intermediate' ciphers" ;;
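Review bot: the two `sedfile -i` lines rewrite the system-wide `/usr/lib/ssl/openssl.cnf`, so `MinProtocol = TLSv1` and `CipherString = DEFAULT@SECLEVEL=1` apply to every OpenSSL consumer in the container (Postfix, any client tooling), not only to the Dovecot process this hunk is working around; the commit message itself notes the narrower option of handing Dovecot a modified openssl config, and that would keep the relaxation scoped (for example a separate config selected via `OPENSSL_CONF` for the Dovecot service only). Security level 1 lowers the floor from roughly 112-bit to 80-bit security (shorter keys and weaker suites become acceptable), which is a larger change than the TLS <1.2 support the `intermediate` level needs, so at minimum the comment block should state that the relaxation is global and the TODO should reference a tracking issue for deprecating TLS <1.2. Separately, both substitutions are anchored on `^MinProtocol = ` and `^CipherString = ` and silently do nothing if either line is absent or formatted differently in a future base image; a `grep -q '^CipherString = DEFAULT@SECLEVEL=1'` check (or equivalent) after the `sedfile` calls, logged through `_notify`, would make a no-op substitution visible at startup instead of surfacing later as a Dovecot handshake failure.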