Date:      Sat, 04 Feb 2017 19:24:11 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   [Bug 216790] mail/postfix-current smtpd_tls_eecdh_grade = auto and X25519 not working with LibreSSL 2.5.1
Message-ID:  <bug-216790-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216790

            Bug ID: 216790
           Summary: mail/postfix-current smtpd_tls_eecdh_grade = auto and
                    X25519 not working with LibreSSL 2.5.1
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ohauer@FreeBSD.org
          Reporter: olivierw1+bugzilla-freebsd@hotmail.com
             Flags: maintainer-feedback?(ohauer@FreeBSD.org)

Created attachment 179608
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=179608&action=edit
Add debug messages to postfix. Not to be released!

Hello,

Sorry, it's long and I'm a bit lost trying to fix the auto selection of EC
curves.


The latest version of postfix-current has these default values:
"smtpd_tls_eecdh_grade = auto
tls_eecdh_auto_curves = X25519 X448 prime256v1 secp521r1 secp384r1"

LibreSSL 2.5.1 implements SSL_CTX_set1_curves() so this feature should work.


Unfortunately, in postfix's log, I'm getting this: "warning: Invalid TLS eecdh
grade "auto": EECDH disabled" and when I'm trying to connect to my postfix
with:
"/usr/local/bin/openssl s_client -starttls smtp -crlf -connect my-server:25",
I can find: "Server Temp Key: DH, 2048 bits"

In the previous postfix version with LibreSSL 2.5.0 (so no EC autodetect feature),
I was getting:
"Server Temp Key: ECDH, P-256, 256 bits"
or
"Server Temp Key: ECDH, P-384, 384 bits"

To fix this (EECDH disabled), we can use in postfix's main.cf:
"smtpd_tls_eecdh_grade = ultra" or "smtpd_tls_eecdh_grade = strong" instead of
"auto" (will use secp384r1 or prime256v1)


I've also tried to use X25519 with this setup:
"smtpd_tls_eecdh_grade = ultra
tls_eecdh_ultra_curve = X25519",
unfortunately I'm getting this warning:
"warning: unable to use curve "X25519": disabling EECDH support"

If I try a random name for the curve, like "blahblah", I'm getting this
different warning:
"warning: unknown curve "blahblah": disabling EECDH support"
Meaning X25519 is recognized but not usable for some reason.

Then I tried to make "auto" work... and I've been lost in postfix and libressl
source code. I have no idea if the problem comes from postfix or libressl
(important: autoselection of EC curves does work with nginx-devel + LibreSSL
2.5.1).

So, in this patch
https://svnweb.freebsd.org/ports/head/mail/postfix-current/files/patch-src_tls_tls__dh.c?revision=433285&view=markup
I changed every "&& !defined(LIBRESSL_VERSION_NUMBER)" to "&&
(!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x2050100fUL)"

I think it's the correct way to detect LibreSSL 2.5.1 without breaking old
versions.

This way, I'm no longer getting the "warning: Invalid TLS eecdh grade
"auto": EECDH disabled" message, but I'm still getting "Server Temp Key: DH,
2048 bits" while trying to connect to my postfix server with LibreSSL.
So EECDH support is still silently disabled.

I tried to add debug messages in "src/tls/tls_dh.c" around line 274, but
couldn't find where the problem was. In this piece of code, postfix correctly
detects X25519, prime256v1, secp521r1, secp384r1 and ignores X448.

If someone wants to dig into this problem, I've attached my patch which adds 3 debug
messages.

Maybe it's an easy fix for someone who knows the postfix and libressl code well. On
my side I don't know how to help more.

Best Regards.

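The diagnosis above rests on reading the "Server Temp Key" line that openssl s_client prints after the STARTTLS handshake. The following added example (not part of the bug report or of postfix) parses that line and tells whether the ephemeral key exchange actually negotiated is elliptic-curve based, so a silently disabled EECDH shows up as a failed check rather than a line to eyeball; the sample lines are constructed, and the openssl path and the "X25519, 253 bits" output form are assumptions.

```python
import re
import subprocess

# Constructed sample lines in the shape openssl s_client prints (assumption:
# newer OpenSSL/LibreSSL print a named curve such as "X25519" as the kind).
SAMPLES = {
    "dh": "Server Temp Key: DH, 2048 bits",
    "p256": "Server Temp Key: ECDH, P-256, 256 bits",
    "p384": "Server Temp Key: ECDH, P-384, 384 bits",
    "x25519": "Server Temp Key: X25519, 253 bits",
}

# kind, optional curve name, key size: "ECDH, P-256, 256 bits" / "DH, 2048 bits"
TEMP_KEY_RE = re.compile(
    r"^Server Temp Key:\s*(?P<kind>[^,]+)(?:,\s*(?P<curve>[^,]+?))?,\s*(?P<bits>\d+) bits"
)


def parse_temp_key(output):
    """Return (kind, curve, bits) from s_client output, or None if no such line."""
    for line in output.splitlines():
        m = TEMP_KEY_RE.match(line.strip())
        if m:
            return m.group("kind"), m.group("curve"), int(m.group("bits"))
    return None


def uses_eecdh(parsed):
    """True when the ephemeral exchange is elliptic-curve (ECDH or an X25519/X448 curve)."""
    if parsed is None:
        return False
    kind = parsed[0].upper()
    return kind == "ECDH" or kind in ("X25519", "X448")


def check_smtp_server(host, port=25, openssl="/usr/local/bin/openssl"):
    """Run s_client with STARTTLS against host:port (same command as the report)
    and return the parsed ephemeral key, so callers can assert uses_eecdh() on it."""
    proc = subprocess.run(
        [openssl, "s_client", "-starttls", "smtp", "-crlf", "-connect", f"{host}:{port}"],
        input=b"QUIT\r\n", capture_output=True, timeout=30,
    )
    return parse_temp_key(proc.stdout.decode(errors="replace"))


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, parse_temp_key(line), "EECDH" if uses_eecdh(parse_temp_key(line)) else "no EECDH")
```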


