Author Topic: roudcube 1.4 Beta / Debian 9 / Dovecot - SSLV2 issue  (Read 7157 times)

Offline pexus

  • Jr. Member
  • **
  • Posts: 10
roudcube 1.4 Beta / Debian 9 / Dovecot - SSLV2 issue
« on: January 03, 2019, 08:36:48 AM »
Hello
I see the following error in the /var/log/mail.log when trying to login on Roundcube beta 1.4.

dovecot: imap-login: Fatal: Invalid ssl_protocols setting: Unknown protocol 'SSLv2'

I have disabled SSLv2, SSLv3, TLS1.0, TLS1.1 in my dovecot configuration  10-ssl.conf

If I allow SSLv2 I can login fine.  However I don't want to enable SSLv2 as it has know vulnerabilities.

I am trying to find out why roundcube is insisting on SSLv2 ?

Thanks in advance

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,876
    • SKaero - Custom Roundcube development
Re: roudcube 1.4 Beta / Debian 9 / Dovecot - SSLV2 issue
« Reply #1 on: January 03, 2019, 09:28:23 AM »
You can set the connect options in the Roundcube config:
Code: [Select]
// IMAP socket context options
// See http://php.net/manual/en/context.ssl.php
// The example below enables server certificate validation
//$config['imap_conn_options'] = array(
//  'ssl'         => array(
//     'verify_peer'  => true,
//     'verify_depth' => 3,
//     'cafile'       => '/etc/openssl/certs/ca.crt',
//   ),
// );
// Note: These can be also specified as an array of options indexed by hostname
$config['imap_conn_options'] = null;

Offline pexus

  • Jr. Member
  • **
  • Posts: 10
Re: roudcube 1.4 Beta / Debian 9 / Dovecot - SSLV2 issue
« Reply #2 on: January 03, 2019, 10:10:25 AM »
Thanks for the response, however I don't think the issue is with the certificate. It is with the protocol. For some reason unless dovecot enables SSLv2 it does not work. If you notice the error is related with the protocol. Since Roundcube is initiating the imap login, I am wondering if it is defaulting to SSLv2 and if there is a way to use TLS1.2 by default?

Offline pexus

  • Jr. Member
  • **
  • Posts: 10
Re: roudcube 1.4 Beta / Debian 9 / Dovecot - SSLV2 issue
« Reply #3 on: January 03, 2019, 10:12:40 AM »
I will review my config and post here for reference shortly. I believe I have already set the configuration as mentioned above.

Offline pexus

  • Jr. Member
  • **
  • Posts: 10
Re: roudcube 1.4 Beta / Debian 9 / Dovecot - SSLV2 issue
« Reply #4 on: January 03, 2019, 01:17:57 PM »
the Imap connection config in my config.inc.php is as follows. I use self signed certs.

$config['imap_conn_options'] = array(
  'ssl'         => array(
  'verify_peer'  => false,
  'verify_peer_name'  => false,
  'verify_depth' => 3,
  'allow_self_signed' => true,
   ),
 );

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,876
    • SKaero - Custom Roundcube development
Re: roudcube 1.4 Beta / Debian 9 / Dovecot - SSLV2 issue
« Reply #5 on: January 03, 2019, 04:19:58 PM »
In the imap_conn_options set the cipher option.

Offline pexus

  • Jr. Member
  • **
  • Posts: 10
Re: roudcube 1.4 Beta / Debian 9 / Dovecot - SSLV2 issue
« Reply #6 on: January 03, 2019, 10:07:39 PM »
I don't think this is an issue with ciphers. I had tried that also but did not help.
I believe this is a dovecot issue in debian 9 as per this debian bug post :
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844271
Need to do some more research  on the above. I do have the latest dovecot though.

Offline pexus

  • Jr. Member
  • **
  • Posts: 10
Re: roudcube 1.4 Beta / Debian 9 / Dovecot - SSLV2 issue
« Reply #7 on: January 03, 2019, 11:29:11 PM »
I have opened a bug on dovecot on Debian 9 : https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844347
Will wait and see if there is any update from above.
I would like to know if others are facing the same issue running Roundcube Beta 1.4 on Debian 9.6 (stretch) with postfix, dovecot.
Thanks

Offline pexus

  • Jr. Member
  • **
  • Posts: 10
Re: roudcube 1.4 Beta / Debian 9 / Dovecot - SSLV2 issue
« Reply #8 on: January 04, 2019, 10:34:48 AM »
Awaiting response to the bug reported for Debian 9.6 : https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918184

Offline rm13

  • Full Member
  • ***
  • Posts: 129
Re: roudcube 1.4 Beta / Debian 9 / Dovecot - SSLV2 issue
« Reply #9 on: January 04, 2019, 05:22:55 PM »
What does your
Code: [Select]
doveconf -n look like?

Are you able to connect with a client other than Roundcube? To be sure the IMAP config is correct.

Offline pexus

  • Jr. Member
  • **
  • Posts: 10
Re: roudcube 1.4 Beta / Debian 9 / Dovecot - SSLV2 issue
« Reply #10 on: January 05, 2019, 10:08:20 AM »
Here is the output of dovecot -n :

--------------
# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.9.0-8-amd64 x86_64 Debian 9.6 ext4
auth_mechanisms = digest-md5 plain login
first_valid_uid = 150
last_valid_uid = 150
mail_gid = mail
mail_location = maildir:/var/vmail/%d/%n
mail_uid = vmail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
postmaster_address = XXXX-masked-XXXXX
protocols = " imap pop3"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = mail
    mode = 0600
    user = vmail
  }
}
ssl = required
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
ssl_key =  # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
userdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}

--------

I will provide the test results of trying to connect to IMAP using a different mail client shortly.

Offline pexus

  • Jr. Member
  • **
  • Posts: 10
Re: roudcube 1.4 Beta / Debian 9 / Dovecot - SSLV2 issue
« Reply #11 on: January 05, 2019, 10:32:42 AM »
The symptoms are similar with another mail client such as Thunderbird.
I get the same error when SSLv2 is disabled in the dovecot 10-ssl.conf configuration file:

dovecot: imap-login: Fatal: Invalid ssl_protocols setting: Unknown protocol 'SSLv2'

So I think this is a dovecot / Debian 9.6  issue. Need to follow up on the reported bug on debian : https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918184
It would be good if others are also seeing the same issue that would help raise the severity of the dovecot package in Debian so the maintainer can fix this quickly.

Offline pexus

  • Jr. Member
  • **
  • Posts: 10
Re: roudcube 1.4 Beta / Debian 9 / Dovecot - SSLV2 issue
« Reply #12 on: January 05, 2019, 09:34:23 PM »
As per debian dovecot maintainer (see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918184 ) this is not an issue. SSLv2 has been completely removed from openssl library in Debian 9.6 (Stretch) and hence it is safe to remove the !SSLv2 from the ssl_protocol configuration.

This issue is resolved.

Thanks