lobo/isync
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

remove support for SSLv3

Browse Source 
it's insecure and default builds of openssl don't include it any more.
This commit is contained in:
Oswald Buddenhagen 2019-11-26 16:18:58 +01:00
parent d09f988c70
commit 234becf530
4 changed files with 7 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
NEWS
View File

@ -3,6 +3,7 @@
The 'isync' compatibility wrapper was removed. The 'isync' compatibility wrapper was removed.
Added support for disabling TLS v1.3 - adjust SSLVersions if you set it. Added support for disabling TLS v1.3 - adjust SSLVersions if you set it.
Removed support for obsolete/insecure SSL v3.
The IMAP '$Forwarded' / Maildir 'P' (passed) flag is supported now. The IMAP '$Forwarded' / Maildir 'P' (passed) flag is supported now.

11
src/drv_imap.c
View File

@ -3194,7 +3194,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
#ifdef HAVE_LIBSSL #ifdef HAVE_LIBSSL
/* Legacy SSL options */ /* Legacy SSL options */
int require_ssl = -1, use_imaps = -1; int require_ssl = -1, use_imaps = -1;
int use_sslv3 = -1, use_tlsv1 = -1, use_tlsv11 = -1, use_tlsv12 = -1, use_tlsv13 = -1; int use_tlsv1 = -1, use_tlsv11 = -1, use_tlsv12 = -1, use_tlsv13 = -1;
#endif #endif
/* Legacy SASL option */ /* Legacy SASL option */
int require_cram = -1; int require_cram = -1;
@ -3234,7 +3234,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
arg += 6; arg += 6;
server->ssl_type = SSL_IMAPS; server->ssl_type = SSL_IMAPS;
if (server->sconf.ssl_versions == -1) if (server->sconf.ssl_versions == -1)
server->sconf.ssl_versions = SSLv3 | TLSv1 | TLSv1_1 | TLSv1_2 | TLSv1_3; server->sconf.ssl_versions = TLSv1 | TLSv1_1 | TLSv1_2 | TLSv1_3;
} else } else
#endif #endif
if (starts_with( arg, -1, "imap:", 5 )) if (starts_with( arg, -1, "imap:", 5 ))
@ -3326,7 +3326,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
if (!strcasecmp( "SSLv2", arg )) { if (!strcasecmp( "SSLv2", arg )) {
warn( "Warning: SSLVersion SSLv2 is no longer supported\n" ); warn( "Warning: SSLVersion SSLv2 is no longer supported\n" );
} else if (!strcasecmp( "SSLv3", arg )) { } else if (!strcasecmp( "SSLv3", arg )) {
server->sconf.ssl_versions |= SSLv3; warn( "Warning: SSLVersion SSLv3 is no longer supported\n" );
} else if (!strcasecmp( "TLSv1", arg )) { } else if (!strcasecmp( "TLSv1", arg )) {
server->sconf.ssl_versions |= TLSv1; server->sconf.ssl_versions |= TLSv1;
} else if (!strcasecmp( "TLSv1.1", arg )) { } else if (!strcasecmp( "TLSv1.1", arg )) {
@ -3347,7 +3347,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
else if (!strcasecmp( "UseSSLv2", cfg->cmd )) else if (!strcasecmp( "UseSSLv2", cfg->cmd ))
warn( "Warning: UseSSLv2 is no longer supported\n" ); warn( "Warning: UseSSLv2 is no longer supported\n" );
else if (!strcasecmp( "UseSSLv3", cfg->cmd )) else if (!strcasecmp( "UseSSLv3", cfg->cmd ))
use_sslv3 = parse_bool( cfg ); warn( "Warning: UseSSLv3 is no longer supported\n" );
else if (!strcasecmp( "UseTLSv1", cfg->cmd )) else if (!strcasecmp( "UseTLSv1", cfg->cmd ))
use_tlsv1 = parse_bool( cfg ); use_tlsv1 = parse_bool( cfg );
else if (!strcasecmp( "UseTLSv1.1", cfg->cmd )) else if (!strcasecmp( "UseTLSv1.1", cfg->cmd ))
@ -3416,7 +3416,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
return 1; return 1;
} }
#ifdef HAVE_LIBSSL #ifdef HAVE_LIBSSL
if ((use_sslv3 & use_tlsv1 & use_tlsv11 & use_tlsv12 & use_tlsv13) != -1 || use_imaps >= 0 || require_ssl >= 0) { if ((use_tlsv1 & use_tlsv11 & use_tlsv12 & use_tlsv13) != -1 || use_imaps >= 0 || require_ssl >= 0) {
if (server->ssl_type >= 0 || server->sconf.ssl_versions >= 0) { if (server->ssl_type >= 0 || server->sconf.ssl_versions >= 0) {
error( "%s '%s': The deprecated UseSSL*, UseTLS*, UseIMAPS, and RequireSSL options are mutually exclusive with SSLType and SSLVersions.\n", type, name ); error( "%s '%s': The deprecated UseSSL*, UseTLS*, UseIMAPS, and RequireSSL options are mutually exclusive with SSLType and SSLVersions.\n", type, name );
cfg->err = 1; cfg->err = 1;
@ -3424,7 +3424,6 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
} }
warn( "Notice: %s '%s': UseSSL*, UseTLS*, UseIMAPS, and RequireSSL are deprecated. Use SSLType and SSLVersions instead.\n", type, name ); warn( "Notice: %s '%s': UseSSL*, UseTLS*, UseIMAPS, and RequireSSL are deprecated. Use SSLType and SSLVersions instead.\n", type, name );
server->sconf.ssl_versions = server->sconf.ssl_versions =
(use_sslv3 != 1 ? 0 : SSLv3) |
(use_tlsv1 == 0 ? 0 : TLSv1) | (use_tlsv1 == 0 ? 0 : TLSv1) |
(use_tlsv11 != 1 ? 0 : TLSv1_1) | (use_tlsv11 != 1 ? 0 : TLSv1_1) |
(use_tlsv12 != 1 ? 0 : TLSv1_2) | (use_tlsv12 != 1 ? 0 : TLSv1_2) |

4
src/socket.c
View File

@ -233,7 +233,6 @@ static int
init_ssl_ctx( const server_conf_t *conf ) init_ssl_ctx( const server_conf_t *conf )
{ {
server_conf_t *mconf = (server_conf_t *)conf; server_conf_t *mconf = (server_conf_t *)conf;
int options = 0;
if (conf->SSLContext) if (conf->SSLContext)
return conf->ssl_ctx_valid; return conf->ssl_ctx_valid;
@ -248,8 +247,7 @@ init_ssl_ctx( const server_conf_t *conf )
return 0; return 0;
} }
if (!(conf->ssl_versions & SSLv3)) int options = SSL_OP_NO_SSLv3;
options |= SSL_OP_NO_SSLv3;
if (!(conf->ssl_versions & TLSv1)) if (!(conf->ssl_versions & TLSv1))
options |= SSL_OP_NO_TLSv1; options |= SSL_OP_NO_TLSv1;
#ifdef SSL_OP_NO_TLSv1_1 #ifdef SSL_OP_NO_TLSv1_1

1
src/socket.h
View File

@ -33,7 +33,6 @@
# include <openssl/ssl.h> # include <openssl/ssl.h>
enum { enum {
SSLv3 = 2,
TLSv1 = 4, TLSv1 = 4,
TLSv1_1 = 8, TLSv1_1 = 8,
TLSv1_2 = 16, TLSv1_2 = 16,