fix: Relax openssl security level for intermediate TLS_LEVEL (#2193)

Although these two config lines have not changed since the `debian:buster-slim` image, Dovecot seems to now be affected by it which results in rejecting cipher suites below TLS v1.2.

To continue supporting the `intermediate` TLS_LEVEL, we now need to relax the global config. Dovecot could alternatively be given a modified openssl config to only affect its interaction with openssl.

Postfix is unaffected and continues to support TLS <1.2 cipher suites when configured to.
Brennan Kinney 2021-09-16 01:28:42 +12:00 committed by GitHub
parent 08cd4d3371
commit 2bf24e4c08
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -896,6 +896,14 @@ function _setup_ssl
_apply_tls_level "${TLS_INTERMEDIATE_SUITE}" "${TLS_INTERMEDIATE_IGNORE}" "${TLS_INTERMEDIATE_MIN}" _apply_tls_level "${TLS_INTERMEDIATE_SUITE}" "${TLS_INTERMEDIATE_IGNORE}" "${TLS_INTERMEDIATE_MIN}"
# Lowers the minimum acceptable TLS version connection to `TLS 1.0` (from Debian upstream `TLS 1.2`)
# Lowers Security Level to `1` (from Debian upstream `2`)
# https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1
# https://dovecot.org/pipermail/dovecot/2020-October/120225.html
# TODO: This is a fix for Debian Bullseye Dovecot. Deprecate TLS <1.2 to resolve properly.
sedfile -i 's|^MinProtocol = .*|MinProtocol = TLSv1|' /usr/lib/ssl/openssl.cnf
sedfile -i 's|^CipherString = .*|CipherString = DEFAULT@SECLEVEL=1|' /usr/lib/ssl/openssl.cnf
_notify 'inf' "TLS configured with 'intermediate' ciphers" _notify 'inf' "TLS configured with 'intermediate' ciphers"
;; ;;
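Review bot: the two `sedfile -i` calls rewrite the system-wide `/usr/lib/ssl/openssl.cnf`, so `MinProtocol = TLSv1` and `CipherString = DEFAULT@SECLEVEL=1` apply to every OpenSSL consumer in the image (Postfix, any bundled client tools), not only to Dovecot, even though the commit message itself notes that Dovecot alone could be pointed at a modified config; a per-service copy of `openssl.cnf` handed to Dovecot via `OPENSSL_CONF` would keep the relaxation scoped to the one daemon that needs it. The substitutions are also unverified: `s|^MinProtocol = .*|...|` and `s|^CipherString = .*|...|` only match if the Debian config still carries those two keys at column 0 in `[system_default_sect]`, and if the upstream layout changes the edit silently does nothing while the `_notify 'inf'` line still reports success, so a `grep -q '^CipherString = DEFAULT@SECLEVEL=1' /usr/lib/ssl/openssl.cnf` after the sed (failing loudly, in the same style as the surrounding `_notify` calls) would catch that. Worth spelling out in the comment block what `SECLEVEL=1` actually admits beyond TLS 1.0/1.1 (1024-bit RSA/DH and SHA-1 certificate signatures) so the TODO to deprecate TLS <1.2 carries its real cost.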