
[TODO]: Deprecate TLS_LEVEL=intermediate #3892

Open
polarathene opened this issue Feb 17, 2024 · 0 comments
Labels
area/features area/networking area/security kind/update Update an existing feature, configuration file or the documentation service/dovecot service/postfix stale-bot/ignore Indicates that this issue / PR shall not be closed by our stale-checking CI

polarathene commented Feb 17, 2024

Description

Despite what the docs presently say for TLS_LEVEL, intermediate does not offer TLS 1.0/1.2 anymore:

```bash
# Branch of the TLS_LEVEL case statement for "intermediate", as quoted in the issue:
( "intermediate" )
  local TLS_INTERMEDIATE_SUITE='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256'
  local TLS_INTERMEDIATE_IGNORE='!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
  local TLS_INTERMEDIATE_MIN='TLSv1.2'
```

This was removed in #2945 but I have noticed that we have a user forking to carry a patch to revert back the support along with the required OpenSSL config.


From v15 (or perhaps v14 if someone wants to tackle it in time), we could add this support back via an alternative TLS_LEVEL=legacy or alternative opt-in like LEGACY_TLS=1.

I'm not sure if there is any value in us maintaining the separate intermediate list; the cipher lists could be unset back to defaults from Postfix/Dovecot. TLS_LEVEL would then be deprecated so that we only offer modern, as it really only exists for legacy requirements to use intermediate for broader compatibility 🤷‍♂️

We don't presently document to users how to bring back TLS <1.2 support, although we could take this approach instead with a user-patches.sh if maintainers do not want to continue carrying such support within DMS officially for user convenience.
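As an added illustration (not code from the issue or from docker-mailserver), the POSIX sh script below generalizes the quoted branch: it derives the `!…` exclusion list for any minimum version, flags minimums that still admit deprecated protocol versions, and prints the Postfix/Dovecot directives such a level would have to set. The directive names are real Postfix/Dovecot ones, but mapping the TLS_LEVEL variables onto them is this example's assumption, not DMS's implementation.

```shell
#!/bin/sh
# Added example, not docker-mailserver code. The directive names are real
# Postfix/Dovecot ones; the mapping from TLS_LEVEL variables is assumed here.
set -eu

# Oldest to newest, spelled as Postfix/OpenSSL name them.
TLS_PROTOCOLS="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# Build the Postfix exclusion list ('!SSLv2,!SSLv3,...') for every version
# older than $1. For TLSv1.2 this reproduces TLS_INTERMEDIATE_IGNORE above.
tls_ignore_for_min() {
  min="$1"; out=""; found=0
  for p in $TLS_PROTOCOLS; do
    if [ "$p" = "$min" ]; then found=1; break; fi
    out="${out:+$out,}!$p"
  done
  [ "$found" -eq 1 ] || { echo "unknown protocol: $min" >&2; return 1; }
  printf '%s\n' "$out"
}

# Exit 0 when the minimum still admits a version deprecated by RFC 8996
# (TLS 1.0/1.1) or the SSL versions, i.e. anything below TLSv1.2.
tls_min_is_deprecated() {
  case "$1" in
    SSLv2|SSLv3|TLSv1|TLSv1.1) return 0 ;;
    TLSv1.2|TLSv1.3) return 1 ;;
    *) echo "unknown protocol: $1" >&2; return 2 ;;
  esac
}

# Print the settings a "legacy"/"intermediate" level would have to write.
# Postfix takes the exclusion syntax (3.6+ also accepts '>=TLSv1.2');
# Dovecot takes the minimum version directly.
render_tls_config() {
  min="$1"
  ignore=$(tls_ignore_for_min "$min") || return 1
  cat <<EOF
# Postfix main.cf
smtpd_tls_protocols = $ignore
smtpd_tls_mandatory_protocols = $ignore
smtp_tls_protocols = $ignore
smtp_tls_mandatory_protocols = $ignore
# Dovecot 10-ssl.conf
ssl_min_protocol = $min
EOF
}

render_tls_config "${1:-TLSv1.2}"
```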

@polarathene polarathene added service/dovecot service/postfix area/security area/features kind/update Update an existing feature, configuration file or the documentation area/networking labels Feb 17, 2024
@github-actions github-actions bot added the meta/stale This issue / PR has become stale and will be closed if there is no further activity label Mar 9, 2024
@docker-mailserver docker-mailserver deleted a comment from github-actions bot Mar 9, 2024
@polarathene polarathene added stale-bot/ignore Indicates that this issue / PR shall not be closed by our stale-checking CI and removed meta/stale This issue / PR has become stale and will be closed if there is no further activity labels Mar 9, 2024