From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 216790] mail/postfix-current smtpd_tls_eecdh_grade = auto and X25519 not working with LibreSSL 2.5.1
Date: Sat, 04 Feb 2017 19:24:11 +0000
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Individual Port(s)
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: olivierw1+bugzilla-freebsd@hotmail.com
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: ohauer@FreeBSD.org
X-Bugzilla-Flags: maintainer-feedback?
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216790

            Bug ID: 216790
           Summary: mail/postfix-current smtpd_tls_eecdh_grade = auto and
                    X25519 not working with LibreSSL 2.5.1
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ohauer@FreeBSD.org
          Reporter: olivierw1+bugzilla-freebsd@hotmail.com
             Flags: maintainer-feedback?(ohauer@FreeBSD.org)

Created attachment 179608
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=179608&action=edit
Add debug messages to postfix. Not to be released!

Hello,

Sorry, it's long and I'm a bit lost trying to fix the auto selection of EC curves.

The latest version of postfix-current has these default values:

"smtpd_tls_eecdh_grade = auto
tls_eecdh_auto_curves = X25519 X448 prime256v1 secp521r1 secp384r1"

LibreSSL 2.5.1 implements SSL_CTX_set1_curves() so this feature should work.
Unfortunately, in postfix's log, I'm getting this:

"warning: Invalid TLS eecdh grade "auto": EECDH disabled"

and when I'm trying to connect to my postfix with:

"/usr/local/bin/openssl s_client -starttls smtp -crlf -connect my-server:25",

I can find:

"Server Temp Key: DH, 2048 bits"

In the previous postfix version with LibreSSL 2.5.0 (so no EC autodetect feature), I was getting:

"Server Temp Key: ECDH, P-256, 256 bits" or "Server Temp Key: ECDH, P-384, 384 bits"

To fix this (EECDH disabled), we can use in postfix's main.cf:

"smtpd_tls_eecdh_grade = ultra" or "smtpd_tls_eecdh_grade = strong" instead of "auto" (will use secp384r1 or prime256v1).

I've also tried to use X25519 with this setup:

"smtpd_tls_eecdh_grade = ultra
tls_eecdh_ultra_curve = X25519"

Unfortunately I'm getting this warning:

"warning: unable to use curve "X25519": disabling EECDH support"

If I try a random name for the curve, like "blahblah", I'm getting this different warning:

"warning: unknown curve "blahblah": disabling EECDH support"

Meaning X25519 is recognized but not usable for some reason.

Then I tried to make "auto" work... and I've been lost in the postfix and libressl source code. I have no idea if the problem comes from postfix or libressl (important: autoselection of EC curves does work with nginx-devel + LibreSSL 2.5.1).

So, in this patch
https://svnweb.freebsd.org/ports/head/mail/postfix-current/files/patch-src_tls_tls__dh.c?revision=433285&view=markup
I changed every
"&& !defined(LIBRESSL_VERSION_NUMBER)"
to
"&& (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x2050100fUL)"

I think it's the correct way to detect LibreSSL 2.5.1 without breaking old versions.

This way, I'm no longer getting the "warning: Invalid TLS eecdh grade "auto": EECDH disabled" message, but I'm still getting "Server Temp Key: DH, 2048 bits" while trying to connect to my postfix server with LibreSSL. So EECDH support is still silently disabled.

I tried to add debug messages in "src/tls/tls_dh.c" around line 274, but couldn't find where the problem was. In this piece of code, postfix correctly detects X25519, prime256v1, secp521r1, secp384r1 and ignores X448.

If someone wants to dig into this problem, I've attached my patch which adds 3 debug messages. Maybe it's an easy fix for someone who knows the postfix and libressl code well. On my side I don't know how to help more.

Best Regards.

-- 
You are receiving this mail because:
You are the assignee for the bug.
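As an added check (example code, not from the bug report, Postfix or LibreSSL): a small sh script that classifies the "Server Temp Key" line of an `openssl s_client -starttls smtp` transcript and scans postfix log text for the EECDH warnings quoted above, so an administrator can confirm whether EECDH actually took effect after changing smtpd_tls_eecdh_grade instead of trusting the absence of a warning. The sample transcripts and log lines are constructed; the "X25519, 253 bits" form is an assumption about how newer OpenSSL builds print the temp key.

```shell
#!/bin/sh
# Added example, not from the bug report or Postfix: verify from the outside
# whether an SMTP server negotiated an ephemeral EC key exchange.

# Constructed sample s_client output in the two forms quoted in the report.
SAMPLE_DH='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Server Temp Key: DH, 2048 bits'
SAMPLE_ECDH='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Server Temp Key: ECDH, P-384, 384 bits'
# Constructed postfix log lines; the warning text is the one from the report.
SAMPLE_LOG='Feb  4 19:24:11 mail postfix/smtpd[12345]: warning: Invalid TLS eecdh grade "auto": EECDH disabled
Feb  4 19:24:12 mail postfix/smtpd[12345]: connect from unknown[192.0.2.10]'

# check_temp_key OUTPUT: classify the "Server Temp Key:" line. Prints one of
#   "ecdh <curve>"  ephemeral EC key exchange (what the admin wants to see)
#   "dh <bits>"     finite-field DHE fallback (what the report observed)
#   "none"          no temp key line at all (static RSA or failed handshake)
check_temp_key() {
    line=$(printf '%s\n' "$1" | sed -n 's/^Server Temp Key: *//p' | head -n 1)
    case "$line" in
        "")            echo "none" ;;
        ECDH,*)        # "ECDH, P-384, 384 bits" -> "ecdh P-384"
                       echo "ecdh $(printf '%s' "$line" | cut -d, -f2 | sed 's/^ *//')" ;;
        X25519*|X448*) # newer OpenSSL prints "X25519, 253 bits" (assumption)
                       echo "ecdh $(printf '%s' "$line" | cut -d, -f1)" ;;
        DH,*)          echo "dh $(printf '%s' "$line" | sed 's/^DH, *\([0-9]*\) bits.*/\1/')" ;;
        *)             echo "unknown $line" ;;
    esac
}

# eecdh_log_status LOGTEXT: print the first EECDH-related warning found in
# postfix log text, or "ok" when there is none.
eecdh_log_status() {
    hit=$(printf '%s\n' "$1" \
        | grep -E 'EECDH disabled|disabling EECDH support' \
        | head -n 1 | sed 's/.*warning: //')
    if [ -n "$hit" ]; then echo "$hit"; else echo "ok"; fi
}

# Stand-alone run against the constructed samples. Against a live server,
# feed in:  openssl s_client -starttls smtp -crlf -connect host:25 </dev/null
check_temp_key "$SAMPLE_DH"
check_temp_key "$SAMPLE_ECDH"
eecdh_log_status "$SAMPLE_LOG"
```

A "dh <bits>" result together with an "ok" log status is exactly the silent failure the report describes, so the transcript check is the one to rely on.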