From 3a2e6b3793f0402f1377a6b98da7c9717b73273c Mon Sep 17 00:00:00 2001
From: Oswald Buddenhagen
Date: Fri, 11 Aug 2017 09:20:28 +0200
Subject: [PATCH] prune SSL 2 support

OpenSSL actually did that a while ago already, so this was dead code.
---
 src/compat/config.c | 14 +++++---------
 src/compat/isync.h | 1 -
 src/compat/main.c | 1 -
 src/drv_imap.c | 11 +++++------
 src/mbsync.1 | 4 +---
 src/socket.c | 2 --
 src/socket.h | 1 -
 7 files changed, 11 insertions(+), 23 deletions(-)

diff --git a/src/compat/config.c b/src/compat/config.c
index 9ce9a98..2377961 100644
--- a/src/compat/config.c
+++ b/src/compat/config.c
@@ -148,7 +148,6 @@ load_config( const char *path, config_t ***stor )
 val += 6;
 cfg->use_imaps = 1;
 cfg->port = 993;
- cfg->use_sslv2 = 1;
 cfg->use_sslv3 = 1;
 }
 cfg->host = nfstrdup( val );
@@ -187,7 +186,7 @@ load_config( const char *path, config_t ***stor )
 else if (!strcasecmp( "RequireSSL", cmd ))
 cfg->require_ssl = is_true( val );
 else if (!strcasecmp( "UseSSLv2", cmd ))
- cfg->use_sslv2 = is_true( val );
+ fprintf( stderr, "Warning: UseSSLv2 is no longer supported\n" );
 else if (!strcasecmp( "UseSSLv3", cmd ))
 cfg->use_sslv3 = is_true( val );
 else if (!strcasecmp( "UseTLSv1", cmd ))
@@ -316,12 +315,10 @@ write_imap_server( FILE *fp, config_t *cfg )
 if (cfg->pass)
 fprintf( fp, "Pass %s\n", quotify( cfg->pass ) );
 fprintf( fp, "RequireCRAM %s\nRequireSSL %s\n"
- "UseSSLv2 %s\nUseSSLv3 %s\nUseTLSv1 %s\nUseTLSv1.1 %s\nUseTLSv1.2 %s\n",
+ "UseSSLv3 %s\nUseTLSv1 %s\nUseTLSv1.1 %s\nUseTLSv1.2 %s\n",
 tb(cfg->require_cram), tb(cfg->require_ssl),
- tb(cfg->use_sslv2), tb(cfg->use_sslv3),
- tb(cfg->use_tlsv1), tb(cfg->use_tlsv1), tb(cfg->use_tlsv1) );
- if ((cfg->use_imaps || cfg->use_sslv2 || cfg->use_sslv3 || cfg->use_tlsv1) &&
- cfg->cert_file)
+ tb(cfg->use_sslv3), tb(cfg->use_tlsv1), tb(cfg->use_tlsv1), tb(cfg->use_tlsv1) );
+ if ((cfg->use_imaps || cfg->use_sslv3 || cfg->use_tlsv1) && cfg->cert_file)
 fprintf( fp, "CertificateFile %s\n", quotify( cfg->cert_file ) );
 fputc( '\n', fp );
 }
@@ -417,12 +414,11 @@ write_config( int fd )
 if (mstrcmp( pbox->user, box->user ) ||
 mstrcmp( pbox->pass, box->pass )) /* nonsense */
 continue;
- if ((box->use_imaps || box->use_sslv2 ||
+ if ((box->use_imaps || box->use_sslv3 ||
 box->use_tlsv1) &&
 mstrcmp( pbox->cert_file, box->cert_file )) /* nonsense */
 continue;
 if (pbox->use_imaps != box->use_imaps ||
- pbox->use_sslv2 != box->use_sslv2 ||
 pbox->use_sslv3 != box->use_sslv3 ||
 pbox->use_tlsv1 != box->use_tlsv1)
 continue;
diff --git a/src/compat/isync.h b/src/compat/isync.h
index 71d19ea..6af01f2 100644
--- a/src/compat/isync.h
+++ b/src/compat/isync.h
@@ -55,7 +55,6 @@ typedef struct config {
 unsigned int require_cram:1;
 unsigned int require_ssl:1;
 unsigned int use_imaps:1;
- unsigned int use_sslv2:1;
 unsigned int use_sslv3:1;
 unsigned int use_tlsv1:1;
 char *cert_file;
diff --git a/src/compat/main.c b/src/compat/main.c
index 6b00547..17b4037 100644
--- a/src/compat/main.c
+++ b/src/compat/main.c
@@ -254,7 +254,6 @@ main( int argc, char **argv )
 if (!strncasecmp( "imaps:", optarg, 6 )) {
 global.use_imaps = 1;
 global.port = 993;
- global.use_sslv2 = 0;
 global.use_sslv3 = 1;
 optarg += 6;
 }
diff --git a/src/drv_imap.c b/src/drv_imap.c
index 1eb2c20..56d71cb 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -3075,7 +3075,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 #ifdef HAVE_LIBSSL
 /* Legacy SSL options */
 int require_ssl = -1, use_imaps = -1;
- int use_sslv2 = -1, use_sslv3 = -1, use_tlsv1 = -1, use_tlsv11 = -1, use_tlsv12 = -1;
+ int use_sslv3 = -1, use_tlsv1 = -1, use_tlsv11 = -1, use_tlsv12 = -1;
 #endif
 /* Legacy SASL option */
 int require_cram = -1;
@@ -3115,7 +3115,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 arg += 6;
 server->ssl_type = SSL_IMAPS;
 if (server->sconf.ssl_versions == -1)
- server->sconf.ssl_versions = SSLv2 | SSLv3 | TLSv1 | TLSv1_1 | TLSv1_2;
+ server->sconf.ssl_versions = SSLv3 | TLSv1 | TLSv1_1 | TLSv1_2;
 } else
 #endif
 if (starts_with( arg, -1, "imap:", 5 ))
@@ -3197,7 +3197,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 arg = cfg->val;
 do {
 if (!strcasecmp( "SSLv2", arg )) {
- server->sconf.ssl_versions |= SSLv2;
+ warn( "Warning: SSLVersion SSLv2 is no longer supported\n" );
 } else if (!strcasecmp( "SSLv3", arg )) {
 server->sconf.ssl_versions |= SSLv3;
 } else if (!strcasecmp( "TLSv1", arg )) {
@@ -3216,7 +3216,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 else if (!strcasecmp( "UseIMAPS", cfg->cmd ))
 use_imaps = parse_bool( cfg );
 else if (!strcasecmp( "UseSSLv2", cfg->cmd ))
- use_sslv2 = parse_bool( cfg );
+ warn( "Warning: UseSSLv2 is no longer supported\n" );
 else if (!strcasecmp( "UseSSLv3", cfg->cmd ))
 use_sslv3 = parse_bool( cfg );
 else if (!strcasecmp( "UseTLSv1", cfg->cmd ))
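Review bot: The new warning in the SSLVersions loop misnames the option — `"Warning: SSLVersion SSLv2 is no longer supported\n"` says `SSLVersion`, while the man page and the error message later in this same function (`SSLType and SSLVersions`) call it `SSLVersions`. Both new `warn()` calls also omit the store they refer to, whereas the other diagnostics in imap_parse_store are prefixed `"%s '%s': "` with `type, name`; assuming those are populated by this point, as their use in the later hunk suggests, I'd write `warn( "Warning: %s '%s': SSLVersions SSLv2 is no longer supported and is ignored.\n", type, name );` and the equivalent for `UseSSLv2`. Since an `SSLv2` token now contributes nothing, a config listing only `SSLVersions SSLv2` presumably ends with an empty version set, where every handshake fails with an opaque OpenSSL error; if the loop starts from 0 (its initialisation is outside the hunk), rejecting an empty set after the loop would give a clearer failure. imap_parse_store starts and ends outside these hunks.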
@@ -3283,7 +3283,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 return 1;
 }
 #ifdef HAVE_LIBSSL
- if ((use_sslv2 & use_sslv3 & use_tlsv1 & use_tlsv11 & use_tlsv12) != -1 || use_imaps >= 0 || require_ssl >= 0) {
+ if ((use_sslv3 & use_tlsv1 & use_tlsv11 & use_tlsv12) != -1 || use_imaps >= 0 || require_ssl >= 0) {
 if (server->ssl_type >= 0 || server->sconf.ssl_versions >= 0) {
 error( "%s '%s': The deprecated UseSSL*, UseTLS*, UseIMAPS, and RequireSSL options are mutually exclusive with SSLType and SSLVersions.\n", type, name );
 cfg->err = 1;
@@ -3291,7 +3291,6 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 }
 warn( "Notice: %s '%s': UseSSL*, UseTLS*, UseIMAPS, and RequireSSL are deprecated. Use SSLType and SSLVersions instead.\n", type, name );
 server->sconf.ssl_versions =
- (use_sslv2 != 1 ? 0 : SSLv2) |
 (use_sslv3 != 1 ? 0 : SSLv3) |
 (use_tlsv1 == 0 ? 0 : TLSv1) |
 (use_tlsv11 != 1 ? 0 : TLSv1_1) |
diff --git a/src/mbsync.1 b/src/mbsync.1
index c9258a8..d7bd945 100644
--- a/src/mbsync.1
+++ b/src/mbsync.1
@@ -364,10 +364,8 @@ so it is the default (unless a tunnel is used).
 right after connecting the secure IMAP port 993.
 ..
 .TP
-\fBSSLVersions\fR [\fBSSLv2\fR] [\fBSSLv3\fR] [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR]
+\fBSSLVersions\fR [\fBSSLv3\fR] [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR]
 Select the acceptable SSL/TLS versions.
-Use of SSLv2 is strongly discouraged for security reasons, but might be the
-only option on some very old servers.
 Use old versions only when the server has problems with newer ones.
 (Default: [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR]).
 ..
diff --git a/src/socket.c b/src/socket.c
index f021af8..9112dac 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -204,8 +204,6 @@ init_ssl_ctx( const server_conf_t *conf )
 
 mconf->SSLContext = SSL_CTX_new( SSLv23_client_method() );
 
- if (!(conf->ssl_versions & SSLv2))
- options |= SSL_OP_NO_SSLv2;
 if (!(conf->ssl_versions & SSLv3))
 options |= SSL_OP_NO_SSLv3;
 if (!(conf->ssl_versions & TLSv1))
diff --git a/src/socket.h b/src/socket.h
index a63ca74..cd0c632 100644
--- a/src/socket.h
+++ b/src/socket.h
@@ -35,7 +35,6 @@ typedef struct ssl_ctx_st SSL_CTX;
 typedef struct stack_st _STACK;
 enum {
- SSLv2 = 1,
 SSLv3 = 2,
 TLSv1 = 4,
 TLSv1_1 = 8,
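Review bot: Removing the `options |= SSL_OP_NO_SSLv2` branch means the context created from `SSLv23_client_method()` no longer explicitly refuses SSLv2; before this change the `SSLv2` bit was clear in every default `ssl_versions`, so the option was always set, and with the bit gone from the enum that guarantee has no replacement. OpenSSL 1.0.2g and later disable SSLv2 at build time and refuse to negotiate it by default, and 1.1.0 removed it outright, so on those libraries this is dead code as the commit message says; but I cannot see a configure-time minimum OpenSSL version from here, and a build against an older 1.0.x with SSLv2 compiled in would now be willing to negotiate it (the DROWN setting). Unless such builds are explicitly unsupported, I'd keep the option unconditionally, `#ifdef SSL_OP_NO_SSLv2` / `options |= SSL_OP_NO_SSLv2;` / `#endif` — the macro is still defined (as 0) in 1.1.x, so it costs nothing there. init_ssl_ctx continues outside the hunk, including where `options` is applied.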