prune SSL 2 support
OpenSSL actually did that a while ago already, so this was dead code.
parent
d2e5134ebd
commit
3a2e6b3793
|
@ -148,7 +148,6 @@ load_config( const char *path, config_t ***stor )
|
||||||
val += 6;
|
val += 6;
|
||||||
cfg->use_imaps = 1;
|
cfg->use_imaps = 1;
|
||||||
cfg->port = 993;
|
cfg->port = 993;
|
||||||
cfg->use_sslv2 = 1;
|
|
||||||
cfg->use_sslv3 = 1;
|
cfg->use_sslv3 = 1;
|
||||||
}
|
}
|
||||||
cfg->host = nfstrdup( val );
|
cfg->host = nfstrdup( val );
|
||||||
|
@ -187,7 +186,7 @@ load_config( const char *path, config_t ***stor )
|
||||||
else if (!strcasecmp( "RequireSSL", cmd ))
|
else if (!strcasecmp( "RequireSSL", cmd ))
|
||||||
cfg->require_ssl = is_true( val );
|
cfg->require_ssl = is_true( val );
|
||||||
else if (!strcasecmp( "UseSSLv2", cmd ))
|
else if (!strcasecmp( "UseSSLv2", cmd ))
|
||||||
cfg->use_sslv2 = is_true( val );
|
fprintf( stderr, "Warning: UseSSLv2 is no longer supported\n" );
|
||||||
else if (!strcasecmp( "UseSSLv3", cmd ))
|
else if (!strcasecmp( "UseSSLv3", cmd ))
|
||||||
cfg->use_sslv3 = is_true( val );
|
cfg->use_sslv3 = is_true( val );
|
||||||
else if (!strcasecmp( "UseTLSv1", cmd ))
|
else if (!strcasecmp( "UseTLSv1", cmd ))
|
||||||
|
@ -316,12 +315,10 @@ write_imap_server( FILE *fp, config_t *cfg )
|
||||||
if (cfg->pass)
|
if (cfg->pass)
|
||||||
fprintf( fp, "Pass %s\n", quotify( cfg->pass ) );
|
fprintf( fp, "Pass %s\n", quotify( cfg->pass ) );
|
||||||
fprintf( fp, "RequireCRAM %s\nRequireSSL %s\n"
|
fprintf( fp, "RequireCRAM %s\nRequireSSL %s\n"
|
||||||
"UseSSLv2 %s\nUseSSLv3 %s\nUseTLSv1 %s\nUseTLSv1.1 %s\nUseTLSv1.2 %s\n",
|
"UseSSLv3 %s\nUseTLSv1 %s\nUseTLSv1.1 %s\nUseTLSv1.2 %s\n",
|
||||||
tb(cfg->require_cram), tb(cfg->require_ssl),
|
tb(cfg->require_cram), tb(cfg->require_ssl),
|
||||||
tb(cfg->use_sslv2), tb(cfg->use_sslv3),
|
tb(cfg->use_sslv3), tb(cfg->use_tlsv1), tb(cfg->use_tlsv1), tb(cfg->use_tlsv1) );
|
||||||
tb(cfg->use_tlsv1), tb(cfg->use_tlsv1), tb(cfg->use_tlsv1) );
|
if ((cfg->use_imaps || cfg->use_sslv3 || cfg->use_tlsv1) && cfg->cert_file)
|
||||||
if ((cfg->use_imaps || cfg->use_sslv2 || cfg->use_sslv3 || cfg->use_tlsv1) &&
|
|
||||||
cfg->cert_file)
|
|
||||||
fprintf( fp, "CertificateFile %s\n", quotify( cfg->cert_file ) );
|
fprintf( fp, "CertificateFile %s\n", quotify( cfg->cert_file ) );
|
||||||
fputc( '\n', fp );
|
fputc( '\n', fp );
|
||||||
}
|
}
|
||||||
|
@ -417,12 +414,11 @@ write_config( int fd )
|
||||||
if (mstrcmp( pbox->user, box->user ) ||
|
if (mstrcmp( pbox->user, box->user ) ||
|
||||||
mstrcmp( pbox->pass, box->pass )) /* nonsense */
|
mstrcmp( pbox->pass, box->pass )) /* nonsense */
|
||||||
continue;
|
continue;
|
||||||
if ((box->use_imaps || box->use_sslv2 ||
|
if ((box->use_imaps ||
|
||||||
box->use_sslv3 || box->use_tlsv1) &&
|
box->use_sslv3 || box->use_tlsv1) &&
|
||||||
mstrcmp( pbox->cert_file, box->cert_file )) /* nonsense */
|
mstrcmp( pbox->cert_file, box->cert_file )) /* nonsense */
|
||||||
continue;
|
continue;
|
||||||
if (pbox->use_imaps != box->use_imaps ||
|
if (pbox->use_imaps != box->use_imaps ||
|
||||||
pbox->use_sslv2 != box->use_sslv2 ||
|
|
||||||
pbox->use_sslv3 != box->use_sslv3 ||
|
pbox->use_sslv3 != box->use_sslv3 ||
|
||||||
pbox->use_tlsv1 != box->use_tlsv1)
|
pbox->use_tlsv1 != box->use_tlsv1)
|
||||||
continue;
|
continue;
|
||||||
|
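Review bot: The new `UseSSLv2` branch in load_config prints its warning without looking at `val`, so a config that explicitly says `UseSSLv2 no` (the safe setting) is now told the option is "no longer supported" on every run. Gating it on the value, braced so the following `else if` does not bind to the inner `if`, keeps the warning for configs that actually asked for SSLv2: `{ if (is_true( val )) fprintf( stderr, "Warning: UseSSLv2 is no longer supported\n" ); }`. The `UseSSLv2` branch in imap_parse_store has the same shape, where `warn(...)` replaces `use_sslv2 = parse_bool( cfg )` and the value is no longer parsed at all. Both functions extend beyond the hunks shown.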
|
|
@ -55,7 +55,6 @@ typedef struct config {
|
||||||
unsigned int require_cram:1;
|
unsigned int require_cram:1;
|
||||||
unsigned int require_ssl:1;
|
unsigned int require_ssl:1;
|
||||||
unsigned int use_imaps:1;
|
unsigned int use_imaps:1;
|
||||||
unsigned int use_sslv2:1;
|
|
||||||
unsigned int use_sslv3:1;
|
unsigned int use_sslv3:1;
|
||||||
unsigned int use_tlsv1:1;
|
unsigned int use_tlsv1:1;
|
||||||
char *cert_file;
|
char *cert_file;
|
||||||
|
|
|
@ -254,7 +254,6 @@ main( int argc, char **argv )
|
||||||
if (!strncasecmp( "imaps:", optarg, 6 )) {
|
if (!strncasecmp( "imaps:", optarg, 6 )) {
|
||||||
global.use_imaps = 1;
|
global.use_imaps = 1;
|
||||||
global.port = 993;
|
global.port = 993;
|
||||||
global.use_sslv2 = 0;
|
|
||||||
global.use_sslv3 = 1;
|
global.use_sslv3 = 1;
|
||||||
optarg += 6;
|
optarg += 6;
|
||||||
}
|
}
|
||||||
|
|
|
@ -3075,7 +3075,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
|
||||||
#ifdef HAVE_LIBSSL
|
#ifdef HAVE_LIBSSL
|
||||||
/* Legacy SSL options */
|
/* Legacy SSL options */
|
||||||
int require_ssl = -1, use_imaps = -1;
|
int require_ssl = -1, use_imaps = -1;
|
||||||
int use_sslv2 = -1, use_sslv3 = -1, use_tlsv1 = -1, use_tlsv11 = -1, use_tlsv12 = -1;
|
int use_sslv3 = -1, use_tlsv1 = -1, use_tlsv11 = -1, use_tlsv12 = -1;
|
||||||
#endif
|
#endif
|
||||||
/* Legacy SASL option */
|
/* Legacy SASL option */
|
||||||
int require_cram = -1;
|
int require_cram = -1;
|
||||||
|
@ -3115,7 +3115,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
|
||||||
arg += 6;
|
arg += 6;
|
||||||
server->ssl_type = SSL_IMAPS;
|
server->ssl_type = SSL_IMAPS;
|
||||||
if (server->sconf.ssl_versions == -1)
|
if (server->sconf.ssl_versions == -1)
|
||||||
server->sconf.ssl_versions = SSLv2 | SSLv3 | TLSv1 | TLSv1_1 | TLSv1_2;
|
server->sconf.ssl_versions = SSLv3 | TLSv1 | TLSv1_1 | TLSv1_2;
|
||||||
} else
|
} else
|
||||||
#endif
|
#endif
|
||||||
if (starts_with( arg, -1, "imap:", 5 ))
|
if (starts_with( arg, -1, "imap:", 5 ))
|
||||||
|
@ -3197,7 +3197,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
|
||||||
arg = cfg->val;
|
arg = cfg->val;
|
||||||
do {
|
do {
|
||||||
if (!strcasecmp( "SSLv2", arg )) {
|
if (!strcasecmp( "SSLv2", arg )) {
|
||||||
server->sconf.ssl_versions |= SSLv2;
|
warn( "Warning: SSLVersion SSLv2 is no longer supported\n" );
|
||||||
} else if (!strcasecmp( "SSLv3", arg )) {
|
} else if (!strcasecmp( "SSLv3", arg )) {
|
||||||
server->sconf.ssl_versions |= SSLv3;
|
server->sconf.ssl_versions |= SSLv3;
|
||||||
} else if (!strcasecmp( "TLSv1", arg )) {
|
} else if (!strcasecmp( "TLSv1", arg )) {
|
||||||
|
@ -3216,7 +3216,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
|
||||||
else if (!strcasecmp( "UseIMAPS", cfg->cmd ))
|
else if (!strcasecmp( "UseIMAPS", cfg->cmd ))
|
||||||
use_imaps = parse_bool( cfg );
|
use_imaps = parse_bool( cfg );
|
||||||
else if (!strcasecmp( "UseSSLv2", cfg->cmd ))
|
else if (!strcasecmp( "UseSSLv2", cfg->cmd ))
|
||||||
use_sslv2 = parse_bool( cfg );
|
warn( "Warning: UseSSLv2 is no longer supported\n" );
|
||||||
else if (!strcasecmp( "UseSSLv3", cfg->cmd ))
|
else if (!strcasecmp( "UseSSLv3", cfg->cmd ))
|
||||||
use_sslv3 = parse_bool( cfg );
|
use_sslv3 = parse_bool( cfg );
|
||||||
else if (!strcasecmp( "UseTLSv1", cfg->cmd ))
|
else if (!strcasecmp( "UseTLSv1", cfg->cmd ))
|
||||||
|
@ -3283,7 +3283,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
#ifdef HAVE_LIBSSL
|
#ifdef HAVE_LIBSSL
|
||||||
if ((use_sslv2 & use_sslv3 & use_tlsv1 & use_tlsv11 & use_tlsv12) != -1 || use_imaps >= 0 || require_ssl >= 0) {
|
if ((use_sslv3 & use_tlsv1 & use_tlsv11 & use_tlsv12) != -1 || use_imaps >= 0 || require_ssl >= 0) {
|
||||||
if (server->ssl_type >= 0 || server->sconf.ssl_versions >= 0) {
|
if (server->ssl_type >= 0 || server->sconf.ssl_versions >= 0) {
|
||||||
error( "%s '%s': The deprecated UseSSL*, UseTLS*, UseIMAPS, and RequireSSL options are mutually exclusive with SSLType and SSLVersions.\n", type, name );
|
error( "%s '%s': The deprecated UseSSL*, UseTLS*, UseIMAPS, and RequireSSL options are mutually exclusive with SSLType and SSLVersions.\n", type, name );
|
||||||
cfg->err = 1;
|
cfg->err = 1;
|
||||||
|
@ -3291,7 +3291,6 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
|
||||||
}
|
}
|
||||||
warn( "Notice: %s '%s': UseSSL*, UseTLS*, UseIMAPS, and RequireSSL are deprecated. Use SSLType and SSLVersions instead.\n", type, name );
|
warn( "Notice: %s '%s': UseSSL*, UseTLS*, UseIMAPS, and RequireSSL are deprecated. Use SSLType and SSLVersions instead.\n", type, name );
|
||||||
server->sconf.ssl_versions =
|
server->sconf.ssl_versions =
|
||||||
(use_sslv2 != 1 ? 0 : SSLv2) |
|
|
||||||
(use_sslv3 != 1 ? 0 : SSLv3) |
|
(use_sslv3 != 1 ? 0 : SSLv3) |
|
||||||
(use_tlsv1 == 0 ? 0 : TLSv1) |
|
(use_tlsv1 == 0 ? 0 : TLSv1) |
|
||||||
(use_tlsv11 != 1 ? 0 : TLSv1_1) |
|
(use_tlsv11 != 1 ? 0 : TLSv1_1) |
|
||||||
|
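Review bot: The `imaps:` prefix branch of imap_parse_store still defaults `ssl_versions` to a mask that includes SSLv3 (`SSLv3 | TLSv1 | TLSv1_1 | TLSv1_2`), while the man page text in this same commit documents the SSLVersions default as TLSv1, TLSv1.1 and TLSv1.2 only. SSLv3 is itself a broken protocol (POODLE), so a legacy `imaps:` host line accepts a wider set of versions than the documented default. If that is not deliberate compatibility behaviour, `server->sconf.ssl_versions = TLSv1 | TLSv1_1 | TLSv1_2;` would align the two; otherwise a short comment stating why SSLv3 is kept here would help the next reader. The function starts and ends outside the hunks shown.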
|
|
@ -364,10 +364,8 @@ so it is the default (unless a tunnel is used).
|
||||||
right after connecting the secure IMAP port 993.
|
right after connecting the secure IMAP port 993.
|
||||||
..
|
..
|
||||||
.TP
|
.TP
|
||||||
\fBSSLVersions\fR [\fBSSLv2\fR] [\fBSSLv3\fR] [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR]
|
\fBSSLVersions\fR [\fBSSLv3\fR] [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR]
|
||||||
Select the acceptable SSL/TLS versions.
|
Select the acceptable SSL/TLS versions.
|
||||||
Use of SSLv2 is strongly discouraged for security reasons, but might be the
|
|
||||||
only option on some very old servers.
|
|
||||||
Use old versions only when the server has problems with newer ones.
|
Use old versions only when the server has problems with newer ones.
|
||||||
(Default: [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR]).
|
(Default: [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR]).
|
||||||
..
|
..
|
||||||
|
|
|
@ -204,8 +204,6 @@ init_ssl_ctx( const server_conf_t *conf )
|
||||||
|
|
||||||
mconf->SSLContext = SSL_CTX_new( SSLv23_client_method() );
|
mconf->SSLContext = SSL_CTX_new( SSLv23_client_method() );
|
||||||
|
|
||||||
if (!(conf->ssl_versions & SSLv2))
|
|
||||||
options |= SSL_OP_NO_SSLv2;
|
|
||||||
if (!(conf->ssl_versions & SSLv3))
|
if (!(conf->ssl_versions & SSLv3))
|
||||||
options |= SSL_OP_NO_SSLv3;
|
options |= SSL_OP_NO_SSLv3;
|
||||||
if (!(conf->ssl_versions & TLSv1))
|
if (!(conf->ssl_versions & TLSv1))
|
||||||
|
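Review bot: With the two removed lines gone from init_ssl_ctx, nothing in this hunk sets `SSL_OP_NO_SSLv2` any more, so whether SSLv2 can be negotiated through `SSLv23_client_method()` now depends entirely on how the linked OpenSSL was built. The commit message's "dead code" premise holds for libraries that have dropped SSLv2, but a build against an older libssl that still compiles it in would lose the explicit opt-out. Setting the flag unconditionally, `options |= SSL_OP_NO_SSLv2;`, keeps the guarantee and costs nothing on OpenSSL 1.1.0 and later, where the macro is defined as 0. The declaration and initial value of `options` are outside the hunk, so confirm it is not already set there.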
|
|
@ -35,7 +35,6 @@ typedef struct ssl_ctx_st SSL_CTX;
|
||||||
typedef struct stack_st _STACK;
|
typedef struct stack_st _STACK;
|
||||||
|
|
||||||
enum {
|
enum {
|
||||||
SSLv2 = 1,
|
|
||||||
SSLv3 = 2,
|
SSLv3 = 2,
|
||||||
TLSv1 = 4,
|
TLSv1 = 4,
|
||||||
TLSv1_1 = 8,
|
TLSv1_1 = 8,
|
||||||
|
|