enable TLS 1.1 and 1.2 by default
there is no reason not to, and debian even disabled 1.0 globally, because it's (theoretically) too insecure in some contexts (BEAST attack). in the compat wrapper, the UseTLSv1 option has been re-interpreted as v1.x, to avoid adding new options.
This commit is contained in:
parent
fed0dcc60e
commit
47bdbb4aab
|
@ -316,9 +316,10 @@ write_imap_server( FILE *fp, config_t *cfg )
|
||||||
if (cfg->pass)
|
if (cfg->pass)
|
||||||
fprintf( fp, "Pass %s\n", quotify( cfg->pass ) );
|
fprintf( fp, "Pass %s\n", quotify( cfg->pass ) );
|
||||||
fprintf( fp, "RequireCRAM %s\nRequireSSL %s\n"
|
fprintf( fp, "RequireCRAM %s\nRequireSSL %s\n"
|
||||||
"UseSSLv2 %s\nUseSSLv3 %s\nUseTLSv1 %s\n",
|
"UseSSLv2 %s\nUseSSLv3 %s\nUseTLSv1 %s\nUseTLSv1.1 %s\nUseTLSv1.2 %s\n",
|
||||||
tb(cfg->require_cram), tb(cfg->require_ssl),
|
tb(cfg->require_cram), tb(cfg->require_ssl),
|
||||||
tb(cfg->use_sslv2), tb(cfg->use_sslv3), tb(cfg->use_tlsv1) );
|
tb(cfg->use_sslv2), tb(cfg->use_sslv3),
|
||||||
|
tb(cfg->use_tlsv1), tb(cfg->use_tlsv1), tb(cfg->use_tlsv1) );
|
||||||
if ((cfg->use_imaps || cfg->use_sslv2 || cfg->use_sslv3 || cfg->use_tlsv1) &&
|
if ((cfg->use_imaps || cfg->use_sslv2 || cfg->use_sslv3 || cfg->use_tlsv1) &&
|
||||||
cfg->cert_file)
|
cfg->cert_file)
|
||||||
fprintf( fp, "CertificateFile %s\n", quotify( cfg->cert_file ) );
|
fprintf( fp, "CertificateFile %s\n", quotify( cfg->cert_file ) );
|
||||||
|
|
|
@ -278,7 +278,7 @@ Should \fBisync\fR use SSLv3 for communication with the IMAP server over SSL?
|
||||||
..
|
..
|
||||||
.TP
|
.TP
|
||||||
\fBUseTLSv1\fR \fIyes\fR|\fIno\fR
|
\fBUseTLSv1\fR \fIyes\fR|\fIno\fR
|
||||||
Should \fBisync\fR use TLSv1 for communication with the IMAP server over SSL?
|
Should \fBisync\fR use TLSv1.x for communication with the IMAP server over SSL?
|
||||||
(Default: \fIyes\fR)
|
(Default: \fIyes\fR)
|
||||||
..
|
..
|
||||||
.TP
|
.TP
|
||||||
|
|
|
@ -2767,7 +2767,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
|
||||||
arg += 6;
|
arg += 6;
|
||||||
server->ssl_type = SSL_IMAPS;
|
server->ssl_type = SSL_IMAPS;
|
||||||
if (server->sconf.ssl_versions == -1)
|
if (server->sconf.ssl_versions == -1)
|
||||||
server->sconf.ssl_versions = SSLv2 | SSLv3 | TLSv1;
|
server->sconf.ssl_versions = SSLv2 | SSLv3 | TLSv1 | TLSv1_1 | TLSv1_2;
|
||||||
} else
|
} else
|
||||||
#endif
|
#endif
|
||||||
if (starts_with( arg, -1, "imap:", 5 ))
|
if (starts_with( arg, -1, "imap:", 5 ))
|
||||||
|
@ -2930,7 +2930,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if (server->sconf.ssl_versions < 0)
|
if (server->sconf.ssl_versions < 0)
|
||||||
server->sconf.ssl_versions = TLSv1; /* Most compatible and still reasonably secure. */
|
server->sconf.ssl_versions = TLSv1 | TLSv1_1 | TLSv1_2;
|
||||||
if (server->ssl_type < 0)
|
if (server->ssl_type < 0)
|
||||||
server->ssl_type = server->sconf.tunnel ? SSL_None : SSL_STARTTLS;
|
server->ssl_type = server->sconf.tunnel ? SSL_None : SSL_STARTTLS;
|
||||||
}
|
}
|
||||||
|
|
|
@ -337,8 +337,8 @@ right after connecting the secure IMAP port 993.
|
||||||
Select the acceptable SSL/TLS versions.
|
Select the acceptable SSL/TLS versions.
|
||||||
Use of SSLv2 is strongly discouraged for security reasons, but might be the
|
Use of SSLv2 is strongly discouraged for security reasons, but might be the
|
||||||
only option on some very old servers.
|
only option on some very old servers.
|
||||||
Generally, the newest TLS version is recommended, but as this confuses some
|
Use old versions only when the server has problems with newer ones.
|
||||||
servers, \fBTLSv1\fR is the default.
|
(Default: [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR]).
|
||||||
..
|
..
|
||||||
.TP
|
.TP
|
||||||
\fBSystemCertificates\fR \fByes\fR|\fBno\fR
|
\fBSystemCertificates\fR \fByes\fR|\fBno\fR
|
||||||
|
|
Loading…
Reference in New Issue
Block a user