TLS1.3 only

TLS1.3 only

A. Schulze
Hello,

postfix-3.3.1 + openssl-1.1.1pre8

For fun I tried to disable all TLS protocol versions other than TLS1.3

master.cf:
  submission.local inet n - - - - smtpd
   -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2

but I'm still able to connect using TLS1.2

        $ openssl version
        OpenSSL 1.1.1-pre8 (beta) 20 Jun 2018

        $ openssl s_client -connect submission.local:587 -starttls smtp -tls1_2
        ...
            Start Time: 1531425453
            Timeout   : 7200 (sec)
            Verify return code: 0 (ok)
            Extended master secret: yes
        ---
        250 SMTPUTF8

Shouldn't that fail like this one?

        $ openssl11 s_client -connect submission.example:587 -starttls smtp -tls1_1
        CONNECTED(00000003)
        140205388985856:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1557:SSL alert number 70
        ...

Andreas


Re: TLS1.3 only

Wietse Venema
A. Schulze:
> Hello,
>
> postfix-3.3.1 + openssl-1.1.1pre8
>
> For fun I tried to disable all TLS protocol versions other than TLS1.3
>
> master.cf:
>   submission.local inet n - - - - smtpd
>    -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2

That setting is ONLY in effect with 'smtpd_tls_security_level = may'.

> but I'm still able to connect using TLS1.2

Insufficient information.

        Wietse

Re: TLS1.3 only

A. Schulze

On 12.07.2018 at 22:39, Wietse Venema wrote:

> A. Schulze:
>> Hello,
>>
>> postfix-3.3.1 + openssl-1.1.1pre8
>>
>> For fun I tried to disable all TLS protocol versions other than TLS1.3
>>
>> master.cf:
>>   submission.local inet n - - - - smtpd
>>    -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2
>
> That setting is ONLY in effect with 'smtpd_tls_security_level = may'.
>
>> but I'm still able to connect using TLS1.2
>
> Insufficient information.
>
> Wietse
>

ok, will simplify my setup to provide more settings (maybe it's also my fault, we'll see)
but not today, it's late here ...

Andreas

Re: TLS1.3 only

Viktor Dukhovni
On Thu, Jul 12, 2018 at 04:39:20PM -0400, Wietse Venema wrote:

> > For fun I tried to disable all TLS protocol versions other than TLS1.3
> >
> > master.cf:
> >   submission.local inet n - - - - smtpd
> >    -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2
>
> That setting is ONLY in effect with 'smtpd_tls_security_level = may'.

That is, you'd need to use "smtpd_tls_mandatory_protocols", assuming
that for the submission service you also have:

  -o smtpd_tls_security_level=encrypt

> > but I'm still able to connect using TLS1.2
>
> Insufficient information.

The most likely explanation based on the minimal description is
that you have mandatory TLS.

--
        Viktor.

Re: TLS1.3 only

A. Schulze
On 13.07.2018 at 02:43, Viktor Dukhovni wrote:
> That is, you'd need to use "smtpd_tls_mandatory_protocols", assuming
> that for the submission service you also have:
>
>   -o smtpd_tls_security_level=encrypt


Hello,

As assumed, it was my mistake.

yes, on the submission port I do have "-o smtpd_tls_security_level=encrypt"
and if I set "-o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2"
I really could connect *only* using TLS1.3.

-> everything works like documented :-)

Thanks Viktor!
Andreas
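The trap this thread resolves (a protocol list set on the parameter that the configured security level never consults) is easy to catch with a quick lint of the master.cf service block. The script below is an added example, not code from the thread or from Postfix; it examines only the "-o" overrides in one service block (values assumed to contain no whitespace) and does not look at main.cf or the built-in defaults, which apply whenever the governing parameter is not overridden.

```shell
#!/bin/sh
# Constructed sample master.cf blocks (not copied from the thread): the submission
# service as first posted plus the security level later established, and the fix.
BLOCK_BROKEN='submission.local inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2'

BLOCK_FIXED='submission.local inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2'

# Print the value of one "-o name=value" override in the block on stdin (first match).
override_value() {
    awk -v key="$1" \
        '$1 == "-o" && index($2, key "=") == 1 { print substr($2, length(key) + 2); exit }'
}

# Name the protocol parameter Postfix consults for the block on stdin: level "may"
# reads smtpd_tls_protocols, "encrypt" reads smtpd_tls_mandatory_protocols.
governing_param() {
    case "$(override_value smtpd_tls_security_level)" in
        may)     echo smtpd_tls_protocols ;;
        encrypt) echo smtpd_tls_mandatory_protocols ;;
    esac
}

# Print the protocol list actually enforced for the block on stdin, "default" when
# the governing parameter is not overridden there, "no-override" when no level is set.
effective_protocols() {
    block=$(cat)
    param=$(printf '%s\n' "$block" | governing_param)
    [ -n "$param" ] || { echo no-override; return 0; }
    value=$(printf '%s\n' "$block" | override_value "$param")
    [ -n "$value" ] && echo "$value" || echo default
}

# Warn (and return 1) when a protocol list is set on the parameter the level ignores.
check_block() {
    block=$(cat)
    param=$(printf '%s\n' "$block" | governing_param)
    for p in smtpd_tls_protocols smtpd_tls_mandatory_protocols; do
        v=$(printf '%s\n' "$block" | override_value "$p")
        if [ -n "$v" ] && [ "$p" != "$param" ]; then
            echo "WARNING: $p=$v is set but not consulted at this security level" >&2
            return 1
        fi
    done
}
```

Run `printf '%s\n' "$BLOCK_BROKEN" | check_block` to see the warning for the original configuration, and `effective_protocols` on the same block to see that nothing from the block is enforced.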