Add support for specifying cipher string used for ssl connection
Some distributions (e.g. Fedora) added support for system wide crypto policies. This is supported in most common crypto libraries including OpenSSL. Applications can override this policy using their own cipher string. This commit adds support for specifying the cipher string in the mbsync configuration. For example, to exclude Diffie-Hellman, the user can specify CipherString "DEFAULT:!DH" in the IMAP Account's configuration.
This commit is contained in:
parent
25b1c2b9e7
commit
07cb422cbb
2
NEWS
2
NEWS
|
@ -4,6 +4,8 @@ The 'isync' compatibility wrapper was removed.
|
||||||
|
|
||||||
The IMAP '$Forwarded' / Maildir 'P' (passed) flag is supported now.
|
The IMAP '$Forwarded' / Maildir 'P' (passed) flag is supported now.
|
||||||
|
|
||||||
|
Support for configuring a TLS cipher string was added.
|
||||||
|
|
||||||
[1.3.0]
|
[1.3.0]
|
||||||
|
|
||||||
Network timeout handling has been added.
|
Network timeout handling has been added.
|
||||||
|
|
|
@ -3295,6 +3295,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
|
||||||
cfg->file, cfg->line, server->sconf.client_keyfile );
|
cfg->file, cfg->line, server->sconf.client_keyfile );
|
||||||
cfg->err = 1;
|
cfg->err = 1;
|
||||||
}
|
}
|
||||||
|
} else if (!strcasecmp( "CipherString", cfg->cmd )) {
|
||||||
|
server->sconf.cipher_string = nfstrdup( cfg->val );
|
||||||
} else if (!strcasecmp( "SSLType", cfg->cmd )) {
|
} else if (!strcasecmp( "SSLType", cfg->cmd )) {
|
||||||
if (!strcasecmp( "None", cfg->val )) {
|
if (!strcasecmp( "None", cfg->val )) {
|
||||||
server->ssl_type = SSL_None;
|
server->ssl_type = SSL_None;
|
||||||
|
|
|
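Review bot: `server->sconf.cipher_string = nfstrdup( cfg->val );` overwrites any earlier value without releasing it, so a CipherString line given twice in one account block leaks the first copy; if the neighbouring options (ClientKey and friends) already behave this way the new line is at least consistent with them, otherwise a `free( server->sconf.cipher_string );` before the strdup closes the leak. An explicitly empty value also becomes a non-NULL empty string, which OpenSSL later rejects as a cipher list with no matches, whereas the man page describes "empty" as meaning the system-wide policy; treating an empty value as unset, `server->sconf.cipher_string = *cfg->val ? nfstrdup( cfg->val ) : NULL;`, keeps the two in step — assuming the config parser can deliver an empty value at all, which this hunk does not show. imap_parse_store's body continues outside the hunk.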
@ -414,6 +414,13 @@ so it is unlikely that you need this option.
|
||||||
File containing the private key corresponding to \fBClientCertificate\fR.
|
File containing the private key corresponding to \fBClientCertificate\fR.
|
||||||
.
|
.
|
||||||
.TP
|
.TP
|
||||||
|
\fBCipherString\fR \fIstring\fR
|
||||||
|
Specify OpenSSL cipher string for connections secured with TLS up to
|
||||||
|
version 1.2 (but not 1.3 and above).
|
||||||
|
The format is described in \fBciphers\fR\|(1).
|
||||||
|
(Default: empty, which implies system wide policy).
|
||||||
|
.
|
||||||
|
.TP
|
||||||
\fBPipelineDepth\fR \fIdepth\fR
|
\fBPipelineDepth\fR \fIdepth\fR
|
||||||
Maximum number of IMAP commands which can be simultaneously in flight.
|
Maximum number of IMAP commands which can be simultaneously in flight.
|
||||||
Setting this to \fI1\fR disables pipelining.
|
Setting this to \fI1\fR disables pipelining.
|
||||||
|
|
|
@ -263,6 +263,11 @@ init_ssl_ctx( const server_conf_t *conf )
|
||||||
|
|
||||||
SSL_CTX_set_options( mconf->SSLContext, options );
|
SSL_CTX_set_options( mconf->SSLContext, options );
|
||||||
|
|
||||||
|
if (conf->cipher_string && !SSL_CTX_set_cipher_list( mconf->SSLContext, conf->cipher_string )) {
|
||||||
|
print_ssl_errors( "setting cipher string '%s'", conf->cipher_string );
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
if (conf->cert_file && !SSL_CTX_load_verify_locations( mconf->SSLContext, conf->cert_file, 0 )) {
|
if (conf->cert_file && !SSL_CTX_load_verify_locations( mconf->SSLContext, conf->cert_file, 0 )) {
|
||||||
print_ssl_errors( "loading certificate file '%s'", conf->cert_file );
|
print_ssl_errors( "loading certificate file '%s'", conf->cert_file );
|
||||||
return 0;
|
return 0;
|
||||||
|
|
|
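Review bot: The `!SSL_CTX_set_cipher_list( ... )` check only fires when the resulting list is completely empty; OpenSSL ignores cipher names it does not recognize, so a misspelled exclusion (a typo in `!DH`, say) silently leaves the intended ciphers enabled with no diagnostic. That is inherent to the API rather than a defect in the call, but together with the TLS 1.3 caveat the man page states it deserves a comment at the call site: `/* TLS <= 1.2 only (TLS 1.3 suites are set via SSL_CTX_set_ciphersuites); OpenSSL drops unknown tokens and fails only when nothing matches. */`. Aborting init_ssl_ctx when the list cannot be applied is the right fail-closed choice and matches the cert_file handling below it. The enclosing function starts and ends outside the hunk.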
@ -49,6 +49,7 @@ typedef struct {
|
||||||
char *cert_file;
|
char *cert_file;
|
||||||
char *client_certfile;
|
char *client_certfile;
|
||||||
char *client_keyfile;
|
char *client_keyfile;
|
||||||
|
char *cipher_string;
|
||||||
char system_certs;
|
char system_certs;
|
||||||
char ssl_versions;
|
char ssl_versions;
|
||||||
|
|
||||||
|
|
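Review bot: The new `cipher_string` member is the one field in this group whose NULL value carries meaning (system-wide policy applies) and it has no comment saying so; `char *cipher_string; /* OpenSSL cipher list for TLS <= 1.2; NULL = library/system default */` would make that explicit. Its ownership presumably mirrors cert_file and the client key/cert paths, but whether this struct is ever freed cannot be seen from the hunk. The typedef'd struct begins and ends outside the hunk.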