Date: Sat, 04 Feb 2017 19:24:11 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 216790] mail/postfix-current smtpd_tls_eecdh_grade = auto and X25519 not working with LibreSSL 2.5.1
Message-ID: <bug-216790-13@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216790

            Bug ID: 216790
           Summary: mail/postfix-current smtpd_tls_eecdh_grade = auto and X25519 not working with LibreSSL 2.5.1
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ohauer@FreeBSD.org
          Reporter: olivierw1+bugzilla-freebsd@hotmail.com
             Flags: maintainer-feedback?(ohauer@FreeBSD.org)

Created attachment 179608
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=179608&action=edit
Add debug messages to postfix. Not to be released!

Hello,

Sorry, it's long and I'm a bit lost trying to fix the auto selection of EC curves.

The last version of postfix-current has these default values:
"smtpd_tls_eecdh_grade = auto
tls_eecdh_auto_curves = X25519 X448 prime256v1 secp521r1 secp384r1"

LibreSSL 2.5.1 implements SSL_CTX_set1_curves(), so this feature should work. Unfortunately, in postfix's log, I'm getting this:
"warning: Invalid TLS eecdh grade "auto": EECDH disabled"
and when I'm trying to connect to my postfix with:
"/usr/local/bin/openssl s_client -starttls smtp -crlf -connect my-server:25",
I can find:
"Server Temp Key: DH, 2048 bits"

In the previous postfix version with LibreSSL 2.5.0 (so no EC autodetect feature), I was getting:
"Server Temp Key: ECDH, P-256, 256 bits" or "Server Temp Key: ECDH, P-384, 384 bits"

To fix this (EECDH disabled), we can use in postfix's main.cf:
"smtpd_tls_eecdh_grade = ultra" or "smtpd_tls_eecdh_grade = strong" instead of "auto" (will use secp384r1 or prime256v1).

I've also tried to use X25519 with this setup:
"smtpd_tls_eecdh_grade = ultra
tls_eecdh_ultra_curve = X25519",
unfortunately I'm getting this warning:
"warning: unable to use curve "X25519": disabling EECDH support"

If I try a random name for the curve, like "blahblah", I'm getting this different warning:
"warning: unknown curve "blahblah": disabling EECDH support"

Meaning X25519 is recognized but not usable for some reason.

Then I tried to make "auto" work... and I've been lost in the postfix and libressl source code. I have no idea if the problem comes from postfix or libressl (important: autoselection of EC curves does work with nginx-devel + LibreSSL 2.5.1).

So, in this patch
https://svnweb.freebsd.org/ports/head/mail/postfix-current/files/patch-src_tls_tls__dh.c?revision=433285&view=markup
I changed every "&& !defined(LIBRESSL_VERSION_NUMBER)" to
"&& (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x2050100fUL)"
I think it's the correct way to detect LibreSSL 2.5.1 without breaking old versions.

This way, I'm not getting the "warning: Invalid TLS eecdh grade "auto": EECDH disabled" message anymore, but I'm still getting "Server Temp Key: DH, 2048 bits" while trying to connect to my postfix server with LibreSSL. So EECDH support is still silently disabled.

I tried to add debug messages in "src/tls/tls_dh.c" around line 274, but couldn't find where the problem was. In this piece of code, postfix correctly detects X25519, prime256v1, secp521r1, secp384r1 and ignores X448.

If someone wants to dig into this problem, I've attached my patch which adds 3 debug messages. Maybe it's an easy fix for someone who knows the postfix and libressl code well. On my side I don't know how to help more.

Best Regards.

-- 
You are receiving this mail because:
You are the assignee for the bug.
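An added check that is not part of the bug report or of the Postfix port: it tells the two outcomes the report describes apart ("Server Temp Key: DH, 2048 bits" meaning EECDH was silently disabled, versus an ECDH curve) from saved `openssl s_client -starttls smtp` output, and counts the three EECDH warnings quoted above in a Postfix log. The "Server Temp Key: X25519, ..." line format is an assumption about newer OpenSSL s_client builds; the sample output and log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report. Feed it the saved output of
#   openssl s_client -starttls smtp -crlf -connect my-server:25
# and a Postfix log to see whether EECDH is actually in use.

# Print "ECDH <curve>", "DH <bits>" or "NONE" for the first "Server Temp Key"
# line in s_client output ($1). "DH" is the silently-disabled EECDH case.
classify_temp_key() {
    line=$(printf '%s\n' "$1" | grep -m1 '^Server Temp Key:' || true)
    case "$line" in
        "Server Temp Key: ECDH, "*)
            printf 'ECDH %s\n' "$(printf '%s\n' "$line" | sed 's/^Server Temp Key: ECDH, \([^,]*\),.*/\1/')" ;;
        "Server Temp Key: X25519, "*)   # line format assumed for newer OpenSSL s_client
            printf 'ECDH X25519\n' ;;
        "Server Temp Key: DH, "*)
            printf 'DH %s\n' "$(printf '%s\n' "$line" | sed 's/^Server Temp Key: DH, \([0-9]*\) bits.*/\1/')" ;;
        *)  printf 'NONE\n' ;;
    esac
}

# Count the EECDH warnings quoted in the report in a Postfix log ($1).
# grep -c prints 0 but exits 1 on no match, hence the "|| true".
count_eecdh_warnings() {
    printf '%s\n' "$1" | grep -c -E 'warning: (Invalid TLS eecdh grade|unable to use curve|unknown curve)' || true
}

# Constructed samples (not real captures).
SAMPLE_DH='SSL handshake has read 3000 bytes and written 400 bytes
Server Temp Key: DH, 2048 bits
Verification: OK'
SAMPLE_ECDH='Server Temp Key: ECDH, P-256, 256 bits
Verification: OK'
SAMPLE_LOG='Feb  4 19:00:01 mx postfix/smtpd[1234]: warning: Invalid TLS eecdh grade "auto": EECDH disabled
Feb  4 19:00:02 mx postfix/smtpd[1234]: connect from unknown[192.0.2.10]
Feb  4 19:00:03 mx postfix/smtpd[1234]: warning: unable to use curve "X25519": disabling EECDH support'

classify_temp_key "$SAMPLE_DH"      # DH 2048  (EECDH disabled)
classify_temp_key "$SAMPLE_ECDH"    # ECDH P-256
count_eecdh_warnings "$SAMPLE_LOG"  # 2
```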