[Request] Easy way to disable TLS v1.0 & v1.1 #208
Comments
Any news on this? Would be nice to at least have the option to disable insecure encryption :) Thanks!
Hi @MartinHotmann
Hi, thanks for the heads-up! I guess adding the mentioned config snippets to the config would solve this issue - apparently I could not overwrite the config with docker volumes, as the container crashed when I mapped in my own (modified) config due to some weird fs errors. A short summary of what could have caused the SSL errors in alpine v3.17: But in fact I think this does not address the insecure TLS & SSL issue directly, since v3 of openssl is also capable of using them; it must be disabled in the application itself, so that the application does not accept these insecure versions and rejects them. Both mda & mta would need it - snippets are mentioned in the first post, I guess just copying them into the config-template will work if it is done at build time of the image.
Just for reference I will link this tutorial, where it is described how to disable the insecure SSL & TLS versions: I realised that dovecot now does have the
Hi @MartinHotmann I've committed the changes in d65ff03. My testing library imap-tester is not able to connect to TLS1.2, as described in this bug report. I'll keep you updated.
Hi @MartinHotmann
Thank you very much! I will test it immediately and report back :)
Sooo. I'm back to report back:
This is all I expected. Sadly I forgot to add something, but the substance of this request is fulfilled, so I will create a new one. New Ticket: #228
@jeboehm actually it seems that TLSv1 & TLSv1.1 are not disabled.
So it seems it is still offered and not disabled completely.
I tested it like this:
I think that at dovecot the config
I tbh don't know if it is
I hope that can make it a little more secure :)
Thank you @MartinHotmann!
Is your feature request related to a problem? Please describe.
These days SSL v2, v3, TLSv1 & v1.1 are considered insecure and therefore should be disabled by default - with the option to enable it, for those who really want to. I anyway don't see any reason, since literally all programs that support TLSv1.0 also support 1.2 and mostly also v1.3.
Describe the solution you'd like
By default all insecure TLS & SSL Versions to be disabled.
Describe alternatives you've considered
Disabling by default, but giving an option in .env to enable insecure stuff.
Additional context
I tried to add the config manually to main.cf and main.cf.proto in postfix, but all this just resulted in the container throwing errors. The config I used was:
The config seems valid, but overwriting the config files through docker-volumes (for persistent storage) was not possible.
For the dovecot I added this:
to /etc/dovecot/conf.d/10-ssl.conf but I don't know if it is enough to force TLS >= v1.2
Best regards & thanks in advance!
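The Postfix and Dovecot settings this request is about, shown as the weak exclusion list next to a hardened one; this is an added example, not the config the issue author posted (which is not preserved on this page). It assumes Postfix 2.10 or newer for the TLSv1.1 protocol name and Dovecot 2.3 or newer for ssl_min_protocol.

```conf
# --- Postfix: /etc/postfix/main.cf (inbound SMTP on 25/465/587) ---
# Weak: only SSLv2/SSLv3 are excluded, so TLSv1 and TLSv1.1 are still offered.
#   smtpd_tls_protocols = !SSLv2, !SSLv3
#   smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
#
# Hardened: exclude everything below TLS 1.2 for both opportunistic TLS
# (smtpd_tls_protocols) and mandatory TLS on submission ports
# (smtpd_tls_mandatory_protocols). Postfix 3.6+ also accepts ">=TLSv1.2".
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# Outbound (smtp_tls_protocols) is deliberately left at its default here:
# with smtp_tls_security_level = may, a stricter floor can make Postfix
# retry delivery without TLS to peers that only speak TLS 1.0/1.1.

# --- Dovecot: /etc/dovecot/conf.d/10-ssl.conf (IMAP/POP3) ---
# Weak (Dovecot 2.2 style): ssl_protocols = !SSLv3
# Hardened (Dovecot 2.3+): set a minimum version instead of an exclusion list.
ssl_min_protocol = TLSv1.2
```

After restarting both services, "openssl s_client -connect HOST:587 -starttls smtp -tls1_1" (and "-tls1") should fail to negotiate while "-tls1_2" succeeds; the same check against port 993 without -starttls covers Dovecot.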