prune SSL 2 support

OpenSSL actually did that a while ago already, so this was dead code.
Oswald Buddenhagen 2017-08-11 09:20:28 +02:00
parent d2e5134ebd
commit 3a2e6b3793
7 changed files with 11 additions and 23 deletions


@ -148,7 +148,6 @@ load_config( const char *path, config_t ***stor )
val += 6; val += 6;
cfg->use_imaps = 1; cfg->use_imaps = 1;
cfg->port = 993; cfg->port = 993;
cfg->use_sslv2 = 1;
cfg->use_sslv3 = 1; cfg->use_sslv3 = 1;
} }
cfg->host = nfstrdup( val ); cfg->host = nfstrdup( val );
@ -187,7 +186,7 @@ load_config( const char *path, config_t ***stor )
else if (!strcasecmp( "RequireSSL", cmd )) else if (!strcasecmp( "RequireSSL", cmd ))
cfg->require_ssl = is_true( val ); cfg->require_ssl = is_true( val );
else if (!strcasecmp( "UseSSLv2", cmd )) else if (!strcasecmp( "UseSSLv2", cmd ))
cfg->use_sslv2 = is_true( val ); fprintf( stderr, "Warning: UseSSLv2 is no longer supported\n" );
else if (!strcasecmp( "UseSSLv3", cmd )) else if (!strcasecmp( "UseSSLv3", cmd ))
cfg->use_sslv3 = is_true( val ); cfg->use_sslv3 = is_true( val );
else if (!strcasecmp( "UseTLSv1", cmd )) else if (!strcasecmp( "UseTLSv1", cmd ))
@ -316,12 +315,10 @@ write_imap_server( FILE *fp, config_t *cfg )
if (cfg->pass) if (cfg->pass)
fprintf( fp, "Pass %s\n", quotify( cfg->pass ) ); fprintf( fp, "Pass %s\n", quotify( cfg->pass ) );
fprintf( fp, "RequireCRAM %s\nRequireSSL %s\n" fprintf( fp, "RequireCRAM %s\nRequireSSL %s\n"
"UseSSLv2 %s\nUseSSLv3 %s\nUseTLSv1 %s\nUseTLSv1.1 %s\nUseTLSv1.2 %s\n", "UseSSLv3 %s\nUseTLSv1 %s\nUseTLSv1.1 %s\nUseTLSv1.2 %s\n",
tb(cfg->require_cram), tb(cfg->require_ssl), tb(cfg->require_cram), tb(cfg->require_ssl),
tb(cfg->use_sslv2), tb(cfg->use_sslv3), tb(cfg->use_sslv3), tb(cfg->use_tlsv1), tb(cfg->use_tlsv1), tb(cfg->use_tlsv1) );
tb(cfg->use_tlsv1), tb(cfg->use_tlsv1), tb(cfg->use_tlsv1) ); if ((cfg->use_imaps || cfg->use_sslv3 || cfg->use_tlsv1) && cfg->cert_file)
if ((cfg->use_imaps || cfg->use_sslv2 || cfg->use_sslv3 || cfg->use_tlsv1) &&
cfg->cert_file)
fprintf( fp, "CertificateFile %s\n", quotify( cfg->cert_file ) ); fprintf( fp, "CertificateFile %s\n", quotify( cfg->cert_file ) );
fputc( '\n', fp ); fputc( '\n', fp );
} }
@ -417,12 +414,11 @@ write_config( int fd )
if (mstrcmp( pbox->user, box->user ) || if (mstrcmp( pbox->user, box->user ) ||
mstrcmp( pbox->pass, box->pass )) /* nonsense */ mstrcmp( pbox->pass, box->pass )) /* nonsense */
continue; continue;
if ((box->use_imaps || box->use_sslv2 || if ((box->use_imaps ||
box->use_sslv3 || box->use_tlsv1) && box->use_sslv3 || box->use_tlsv1) &&
mstrcmp( pbox->cert_file, box->cert_file )) /* nonsense */ mstrcmp( pbox->cert_file, box->cert_file )) /* nonsense */
continue; continue;
if (pbox->use_imaps != box->use_imaps || if (pbox->use_imaps != box->use_imaps ||
pbox->use_sslv2 != box->use_sslv2 ||
pbox->use_sslv3 != box->use_sslv3 || pbox->use_sslv3 != box->use_sslv3 ||
pbox->use_tlsv1 != box->use_tlsv1) pbox->use_tlsv1 != box->use_tlsv1)
continue; continue;
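Review bot: The replacement for the `UseSSLv2` branch warns unconditionally, so a config that says `UseSSLv2 no` (the safe setting, and the one an old config is most likely to carry) also gets "UseSSLv2 is no longer supported"; the same applies to the drv_imap.c hunk that replaces `use_sslv2 = parse_bool( cfg )` with a bare `warn(...)`. Gating the message on the parsed value keeps the warning for the case whose behaviour actually changes: `if (is_true( val )) fprintf( stderr, "Warning: UseSSLv2 is no longer supported\n" );`. In drv_imap.c, dropping the `parse_bool( cfg )` call presumably also skips whatever value validation that helper performs, so `if (parse_bool( cfg )) warn( "Warning: UseSSLv2 is no longer supported\n" );` would preserve it. load_config's body continues outside the hunk.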


@ -55,7 +55,6 @@ typedef struct config {
unsigned int require_cram:1; unsigned int require_cram:1;
unsigned int require_ssl:1; unsigned int require_ssl:1;
unsigned int use_imaps:1; unsigned int use_imaps:1;
unsigned int use_sslv2:1;
unsigned int use_sslv3:1; unsigned int use_sslv3:1;
unsigned int use_tlsv1:1; unsigned int use_tlsv1:1;
char *cert_file; char *cert_file;


@ -254,7 +254,6 @@ main( int argc, char **argv )
if (!strncasecmp( "imaps:", optarg, 6 )) { if (!strncasecmp( "imaps:", optarg, 6 )) {
global.use_imaps = 1; global.use_imaps = 1;
global.port = 993; global.port = 993;
global.use_sslv2 = 0;
global.use_sslv3 = 1; global.use_sslv3 = 1;
optarg += 6; optarg += 6;
} }


@ -3075,7 +3075,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
#ifdef HAVE_LIBSSL #ifdef HAVE_LIBSSL
/* Legacy SSL options */ /* Legacy SSL options */
int require_ssl = -1, use_imaps = -1; int require_ssl = -1, use_imaps = -1;
int use_sslv2 = -1, use_sslv3 = -1, use_tlsv1 = -1, use_tlsv11 = -1, use_tlsv12 = -1; int use_sslv3 = -1, use_tlsv1 = -1, use_tlsv11 = -1, use_tlsv12 = -1;
#endif #endif
/* Legacy SASL option */ /* Legacy SASL option */
int require_cram = -1; int require_cram = -1;
@ -3115,7 +3115,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
arg += 6; arg += 6;
server->ssl_type = SSL_IMAPS; server->ssl_type = SSL_IMAPS;
if (server->sconf.ssl_versions == -1) if (server->sconf.ssl_versions == -1)
server->sconf.ssl_versions = SSLv2 | SSLv3 | TLSv1 | TLSv1_1 | TLSv1_2; server->sconf.ssl_versions = SSLv3 | TLSv1 | TLSv1_1 | TLSv1_2;
} else } else
#endif #endif
if (starts_with( arg, -1, "imap:", 5 )) if (starts_with( arg, -1, "imap:", 5 ))
@ -3197,7 +3197,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
arg = cfg->val; arg = cfg->val;
do { do {
if (!strcasecmp( "SSLv2", arg )) { if (!strcasecmp( "SSLv2", arg )) {
server->sconf.ssl_versions |= SSLv2; warn( "Warning: SSLVersion SSLv2 is no longer supported\n" );
} else if (!strcasecmp( "SSLv3", arg )) { } else if (!strcasecmp( "SSLv3", arg )) {
server->sconf.ssl_versions |= SSLv3; server->sconf.ssl_versions |= SSLv3;
} else if (!strcasecmp( "TLSv1", arg )) { } else if (!strcasecmp( "TLSv1", arg )) {
@ -3216,7 +3216,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
else if (!strcasecmp( "UseIMAPS", cfg->cmd )) else if (!strcasecmp( "UseIMAPS", cfg->cmd ))
use_imaps = parse_bool( cfg ); use_imaps = parse_bool( cfg );
else if (!strcasecmp( "UseSSLv2", cfg->cmd )) else if (!strcasecmp( "UseSSLv2", cfg->cmd ))
use_sslv2 = parse_bool( cfg ); warn( "Warning: UseSSLv2 is no longer supported\n" );
else if (!strcasecmp( "UseSSLv3", cfg->cmd )) else if (!strcasecmp( "UseSSLv3", cfg->cmd ))
use_sslv3 = parse_bool( cfg ); use_sslv3 = parse_bool( cfg );
else if (!strcasecmp( "UseTLSv1", cfg->cmd )) else if (!strcasecmp( "UseTLSv1", cfg->cmd ))
@ -3283,7 +3283,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
return 1; return 1;
} }
#ifdef HAVE_LIBSSL #ifdef HAVE_LIBSSL
if ((use_sslv2 & use_sslv3 & use_tlsv1 & use_tlsv11 & use_tlsv12) != -1 || use_imaps >= 0 || require_ssl >= 0) { if ((use_sslv3 & use_tlsv1 & use_tlsv11 & use_tlsv12) != -1 || use_imaps >= 0 || require_ssl >= 0) {
if (server->ssl_type >= 0 || server->sconf.ssl_versions >= 0) { if (server->ssl_type >= 0 || server->sconf.ssl_versions >= 0) {
error( "%s '%s': The deprecated UseSSL*, UseTLS*, UseIMAPS, and RequireSSL options are mutually exclusive with SSLType and SSLVersions.\n", type, name ); error( "%s '%s': The deprecated UseSSL*, UseTLS*, UseIMAPS, and RequireSSL options are mutually exclusive with SSLType and SSLVersions.\n", type, name );
cfg->err = 1; cfg->err = 1;
@ -3291,7 +3291,6 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
} }
warn( "Notice: %s '%s': UseSSL*, UseTLS*, UseIMAPS, and RequireSSL are deprecated. Use SSLType and SSLVersions instead.\n", type, name ); warn( "Notice: %s '%s': UseSSL*, UseTLS*, UseIMAPS, and RequireSSL are deprecated. Use SSLType and SSLVersions instead.\n", type, name );
server->sconf.ssl_versions = server->sconf.ssl_versions =
(use_sslv2 != 1 ? 0 : SSLv2) |
(use_sslv3 != 1 ? 0 : SSLv3) | (use_sslv3 != 1 ? 0 : SSLv3) |
(use_tlsv1 == 0 ? 0 : TLSv1) | (use_tlsv1 == 0 ? 0 : TLSv1) |
(use_tlsv11 != 1 ? 0 : TLSv1_1) | (use_tlsv11 != 1 ? 0 : TLSv1_1) |
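Review bot: The new warning in the `SSLVersions` parser names the option in the singular, `"Warning: SSLVersion SSLv2 is no longer supported\n"`, while the option itself (and the man page hunk in this same commit) is `SSLVersions`; `warn( "Warning: SSLVersions SSLv2 is no longer supported\n" );` lets a user match the message against their config verbatim. Separately, the legacy `imaps:` default now reads `SSLv3 | TLSv1 | TLSv1_1 | TLSv1_2`, which still enables SSLv3 on that path while the man page in this commit documents the `SSLVersions` default as TLSv1 and newer; if keeping SSLv3 there is deliberate for compatibility, a one-line comment saying so on that line would help, otherwise dropping `SSLv3` from the mask seems consistent with pruning dead protocols. imap_parse_store's body begins and ends outside these hunks.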


@ -364,10 +364,8 @@ so it is the default (unless a tunnel is used).
right after connecting the secure IMAP port 993. right after connecting the secure IMAP port 993.
.. ..
.TP .TP
\fBSSLVersions\fR [\fBSSLv2\fR] [\fBSSLv3\fR] [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR] \fBSSLVersions\fR [\fBSSLv3\fR] [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR]
Select the acceptable SSL/TLS versions. Select the acceptable SSL/TLS versions.
Use of SSLv2 is strongly discouraged for security reasons, but might be the
only option on some very old servers.
Use old versions only when the server has problems with newer ones. Use old versions only when the server has problems with newer ones.
(Default: [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR]). (Default: [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR]).
.. ..


@ -204,8 +204,6 @@ init_ssl_ctx( const server_conf_t *conf )
mconf->SSLContext = SSL_CTX_new( SSLv23_client_method() ); mconf->SSLContext = SSL_CTX_new( SSLv23_client_method() );
if (!(conf->ssl_versions & SSLv2))
options |= SSL_OP_NO_SSLv2;
if (!(conf->ssl_versions & SSLv3)) if (!(conf->ssl_versions & SSLv3))
options |= SSL_OP_NO_SSLv3; options |= SSL_OP_NO_SSLv3;
if (!(conf->ssl_versions & TLSv1)) if (!(conf->ssl_versions & TLSv1))
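Review bot: Dropping the `options |= SSL_OP_NO_SSLv2;` line removes the explicit opt-out, not just its configurability, so a binary linked against an OpenSSL that still ships SSLv2 would lose it; the commit message's claim holds for 1.1.0 and later, but as far as I recall older 1.0.x releases that predate the DROWN-era hardening could still negotiate SSLv2 through `SSLv23_client_method()`. Since the `SSL_OP_NO_SSLv2` macro remains defined in later releases (as a no-op there), setting it unconditionally costs nothing: keep `options |= SSL_OP_NO_SSLv2;` directly after the `SSL_CTX_new` line, with a comment such as `/* SSLv2 is never acceptable; a no-op where OpenSSL no longer has it */`. init_ssl_ctx's body starts and ends outside the hunk.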


@ -35,7 +35,6 @@ typedef struct ssl_ctx_st SSL_CTX;
typedef struct stack_st _STACK; typedef struct stack_st _STACK;
enum { enum {
SSLv2 = 1,
SSLv3 = 2, SSLv3 = 2,
TLSv1 = 4, TLSv1 = 4,
TLSv1_1 = 8, TLSv1_1 = 8,