remove support for SSLv3

It's insecure, and default builds of OpenSSL no longer include it.
Oswald Buddenhagen 2019-11-26 16:18:58 +01:00
parent d09f988c70
commit 234becf530
4 changed files with 7 additions and 10 deletions

1
NEWS

@ -3,6 +3,7 @@
The 'isync' compatibility wrapper was removed. The 'isync' compatibility wrapper was removed.
Added support for disabling TLS v1.3 - adjust SSLVersions if you set it. Added support for disabling TLS v1.3 - adjust SSLVersions if you set it.
Removed support for obsolete/insecure SSL v3.
The IMAP '$Forwarded' / Maildir 'P' (passed) flag is supported now. The IMAP '$Forwarded' / Maildir 'P' (passed) flag is supported now.


@ -3194,7 +3194,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
#ifdef HAVE_LIBSSL #ifdef HAVE_LIBSSL
/* Legacy SSL options */ /* Legacy SSL options */
int require_ssl = -1, use_imaps = -1; int require_ssl = -1, use_imaps = -1;
int use_sslv3 = -1, use_tlsv1 = -1, use_tlsv11 = -1, use_tlsv12 = -1, use_tlsv13 = -1; int use_tlsv1 = -1, use_tlsv11 = -1, use_tlsv12 = -1, use_tlsv13 = -1;
#endif #endif
/* Legacy SASL option */ /* Legacy SASL option */
int require_cram = -1; int require_cram = -1;
@ -3234,7 +3234,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
arg += 6; arg += 6;
server->ssl_type = SSL_IMAPS; server->ssl_type = SSL_IMAPS;
if (server->sconf.ssl_versions == -1) if (server->sconf.ssl_versions == -1)
server->sconf.ssl_versions = SSLv3 | TLSv1 | TLSv1_1 | TLSv1_2 | TLSv1_3; server->sconf.ssl_versions = TLSv1 | TLSv1_1 | TLSv1_2 | TLSv1_3;
} else } else
#endif #endif
if (starts_with( arg, -1, "imap:", 5 )) if (starts_with( arg, -1, "imap:", 5 ))
@ -3326,7 +3326,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
if (!strcasecmp( "SSLv2", arg )) { if (!strcasecmp( "SSLv2", arg )) {
warn( "Warning: SSLVersion SSLv2 is no longer supported\n" ); warn( "Warning: SSLVersion SSLv2 is no longer supported\n" );
} else if (!strcasecmp( "SSLv3", arg )) { } else if (!strcasecmp( "SSLv3", arg )) {
server->sconf.ssl_versions |= SSLv3; warn( "Warning: SSLVersion SSLv3 is no longer supported\n" );
} else if (!strcasecmp( "TLSv1", arg )) { } else if (!strcasecmp( "TLSv1", arg )) {
server->sconf.ssl_versions |= TLSv1; server->sconf.ssl_versions |= TLSv1;
} else if (!strcasecmp( "TLSv1.1", arg )) { } else if (!strcasecmp( "TLSv1.1", arg )) {
@ -3347,7 +3347,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
else if (!strcasecmp( "UseSSLv2", cfg->cmd )) else if (!strcasecmp( "UseSSLv2", cfg->cmd ))
warn( "Warning: UseSSLv2 is no longer supported\n" ); warn( "Warning: UseSSLv2 is no longer supported\n" );
else if (!strcasecmp( "UseSSLv3", cfg->cmd )) else if (!strcasecmp( "UseSSLv3", cfg->cmd ))
use_sslv3 = parse_bool( cfg ); warn( "Warning: UseSSLv3 is no longer supported\n" );
else if (!strcasecmp( "UseTLSv1", cfg->cmd )) else if (!strcasecmp( "UseTLSv1", cfg->cmd ))
use_tlsv1 = parse_bool( cfg ); use_tlsv1 = parse_bool( cfg );
else if (!strcasecmp( "UseTLSv1.1", cfg->cmd )) else if (!strcasecmp( "UseTLSv1.1", cfg->cmd ))
@ -3416,7 +3416,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
return 1; return 1;
} }
#ifdef HAVE_LIBSSL #ifdef HAVE_LIBSSL
if ((use_sslv3 & use_tlsv1 & use_tlsv11 & use_tlsv12 & use_tlsv13) != -1 || use_imaps >= 0 || require_ssl >= 0) { if ((use_tlsv1 & use_tlsv11 & use_tlsv12 & use_tlsv13) != -1 || use_imaps >= 0 || require_ssl >= 0) {
if (server->ssl_type >= 0 || server->sconf.ssl_versions >= 0) { if (server->ssl_type >= 0 || server->sconf.ssl_versions >= 0) {
error( "%s '%s': The deprecated UseSSL*, UseTLS*, UseIMAPS, and RequireSSL options are mutually exclusive with SSLType and SSLVersions.\n", type, name ); error( "%s '%s': The deprecated UseSSL*, UseTLS*, UseIMAPS, and RequireSSL options are mutually exclusive with SSLType and SSLVersions.\n", type, name );
cfg->err = 1; cfg->err = 1;
@ -3424,7 +3424,6 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
} }
warn( "Notice: %s '%s': UseSSL*, UseTLS*, UseIMAPS, and RequireSSL are deprecated. Use SSLType and SSLVersions instead.\n", type, name ); warn( "Notice: %s '%s': UseSSL*, UseTLS*, UseIMAPS, and RequireSSL are deprecated. Use SSLType and SSLVersions instead.\n", type, name );
server->sconf.ssl_versions = server->sconf.ssl_versions =
(use_sslv3 != 1 ? 0 : SSLv3) |
(use_tlsv1 == 0 ? 0 : TLSv1) | (use_tlsv1 == 0 ? 0 : TLSv1) |
(use_tlsv11 != 1 ? 0 : TLSv1_1) | (use_tlsv11 != 1 ? 0 : TLSv1_1) |
(use_tlsv12 != 1 ? 0 : TLSv1_2) | (use_tlsv12 != 1 ? 0 : TLSv1_2) |
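Review bot: The new `warn( "Warning: SSLVersion SSLv3 is no longer supported\n" )` branch in the SSLVersions parser (hunk at -3326) drops the token without telling the operator what stays in effect, so a configuration that listed only SSLv3 continues with whatever ssl_versions holds at that point — presumably an empty set, which the hunk does not show being rejected anywhere. The same applies to the `UseSSLv3` branch in the next hunk, which now warns instead of feeding the legacy-option check further down. Consider `warn( "Warning: SSLVersion SSLv3 is no longer supported; the entry is ignored, check the remaining SSLVersions values\n" );` and a matching message for UseSSLv3 that points at SSLType and SSLVersions, as the deprecation notice in the -3424 hunk already does. This mirrors the pre-existing SSLv2 handling, which has the same gap. imap_parse_store starts and ends outside these hunks.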


@ -233,7 +233,6 @@ static int
init_ssl_ctx( const server_conf_t *conf ) init_ssl_ctx( const server_conf_t *conf )
{ {
server_conf_t *mconf = (server_conf_t *)conf; server_conf_t *mconf = (server_conf_t *)conf;
int options = 0;
if (conf->SSLContext) if (conf->SSLContext)
return conf->ssl_ctx_valid; return conf->ssl_ctx_valid;
@ -248,8 +247,7 @@ init_ssl_ctx( const server_conf_t *conf )
return 0; return 0;
} }
if (!(conf->ssl_versions & SSLv3)) int options = SSL_OP_NO_SSLv3;
options |= SSL_OP_NO_SSLv3;
if (!(conf->ssl_versions & TLSv1)) if (!(conf->ssl_versions & TLSv1))
options |= SSL_OP_NO_TLSv1; options |= SSL_OP_NO_TLSv1;
#ifdef SSL_OP_NO_TLSv1_1 #ifdef SSL_OP_NO_TLSv1_1
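Review bot: `int options = SSL_OP_NO_SSLv3;` now switches SSLv3 off regardless of `conf->ssl_versions`, which is the intended floor, but placed directly above the conditional `SSL_OP_NO_TLSv1` line it reads like an initializer that lost its `if`, and a later maintainer may "restore" the condition. A one-line comment would pin the intent, e.g. `int options = SSL_OP_NO_SSLv3; /* SSLv3 is never offered; ssl_versions only selects TLS versions */`. If the supported OpenSSL range starts at 1.1.0, SSL_CTX_set_min_proto_version( ctx, TLS1_VERSION ) would express the same floor more directly, but the hunk does not show which versions the project targets. init_ssl_ctx's body continues outside the hunk.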


@ -33,7 +33,6 @@
# include <openssl/ssl.h> # include <openssl/ssl.h>
enum { enum {
SSLv3 = 2,
TLSv1 = 4, TLSv1 = 4,
TLSv1_1 = 8, TLSv1_1 = 8,
TLSv1_2 = 16, TLSv1_2 = 16,