diff --git a/NEWS b/NEWS
index ef795a8..18e4f13 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@ The 'isync' compatibility wrapper was removed.
 The IMAP '$Forwarded' / Maildir 'P' (passed) flag is supported now.
+Support for configuring a TLS cipher string was added.
+
 [1.3.0]
 Network timeout handling has been added.
diff --git a/src/drv_imap.c b/src/drv_imap.c
index e2d5fce..b6f7278 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -3295,6 +3295,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 cfg->file, cfg->line, server->sconf.client_keyfile );
 cfg->err = 1;
 }
+ } else if (!strcasecmp( "CipherString", cfg->cmd )) {
+ server->sconf.cipher_string = nfstrdup( cfg->val );
 } else if (!strcasecmp( "SSLType", cfg->cmd )) {
 if (!strcasecmp( "None", cfg->val )) {
 server->ssl_type = SSL_None;
diff --git a/src/mbsync.1 b/src/mbsync.1
index c8c8736..325385f 100644
--- a/src/mbsync.1
+++ b/src/mbsync.1
@@ -414,6 +414,13 @@ so it is unlikely that you need this option.
 File containing the private key corresponding to \fBClientCertificate\fR.
 .
 .TP
+\fBCipherString\fR \fIstring\fR
+Specify OpenSSL cipher string for connections secured with TLS up to
+version 1.2 (but not 1.3 and above).
+The format is described in \fBciphers\fR\|(1).
+(Default: empty, which implies system wide policy).
+.
+.TP
 \fBPipelineDepth\fR \fIdepth\fR
 Maximum number of IMAP commands which can be simultaneously in flight.
 Setting this to \fI1\fR disables pipelining.
diff --git a/src/socket.c b/src/socket.c
index 4034d9d..feb6511 100644
--- a/src/socket.c
+++ b/src/socket.c
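Review bot: The new `CipherString` branch in imap_parse_store stores `cfg->val` via `nfstrdup` with no validation, so a mistyped cipher string is only reported when init_ssl_ctx runs at connection time, and a repeated `CipherString` line for the same store replaces the earlier pointer without freeing it. The surrounding branches in this hunk appear to follow the same overwrite pattern, so that part may be accepted practice here; the larger gap is that nothing in the hunk ties the option to `SSLType`, so a `CipherString` on a store whose `SSLType` is `None` is presumably ignored without any diagnostic unless a validation pass outside this hunk covers it, whereas the preceding branch does set `cfg->err` after a check on client_keyfile. A one-line comment on the new branch, `/* checked by SSL_CTX_set_cipher_list() in init_ssl_ctx(); only takes effect when TLS is actually used */`, would make both facts visible to the next reader. imap_parse_store starts and ends outside the hunk.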
@@ -263,6 +263,11 @@ init_ssl_ctx( const server_conf_t *conf )
 SSL_CTX_set_options( mconf->SSLContext, options );
+ if (conf->cipher_string && !SSL_CTX_set_cipher_list( mconf->SSLContext, conf->cipher_string )) {
+ print_ssl_errors( "setting cipher string '%s'", conf->cipher_string );
+ return 0;
+ }
+
 if (conf->cert_file && !SSL_CTX_load_verify_locations( mconf->SSLContext, conf->cert_file, 0 )) {
 print_ssl_errors( "loading certificate file '%s'", conf->cert_file );
 return 0;
diff --git a/src/socket.h b/src/socket.h
index d760c56..f8f25b1 100644
--- a/src/socket.h
+++ b/src/socket.h
@@ -49,6 +49,7 @@ typedef struct {
 char *cert_file;
 char *client_certfile;
 char *client_keyfile;
+ char *cipher_string;
 char system_certs;
 char ssl_versions;
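Review bot: The `SSL_CTX_set_cipher_list` call added to init_ssl_ctx only governs the cipher list for TLS 1.2 and below; the TLS 1.3 suites are configured through `SSL_CTX_set_ciphersuites()` and stay at the library default whatever `CipherString` says, which the man page hunk states but the code itself does not. A comment at the call site, `/* TLS <= 1.2 cipher list only; TLS 1.3 suites (SSL_CTX_set_ciphersuites) are left at the library default */`, would keep the two in sync. An empty but non-NULL `cipher_string` also deserves a thought: `SSL_CTX_set_cipher_list` fails with a "no cipher match" error on an empty string, so an empty `CipherString` value would error out here instead of falling back to the system-wide policy the man page calls the default — if the config parser can yield an empty value, the condition could be `if (conf->cipher_string && *conf->cipher_string && !SSL_CTX_set_cipher_list( mconf->SSLContext, conf->cipher_string )) {`. init_ssl_ctx begins and ends outside the hunk, so whether the early `return 0` leaves `mconf->SSLContext` for the caller to release cannot be judged from here.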