disable TLS 1.0 & 1.1 by default

these were not reasonable defaults any more.
Oswald Buddenhagen 2022-05-16 16:26:15 +02:00
parent e3056b26e9
commit a7f1b86475
3 changed files with 4 additions and 3 deletions

3
NEWS

@ -12,7 +12,8 @@ they are flagged on the source side.
Renamed the ReNew/--renew/-N options to Upgrade/--upgrade/-u Renamed the ReNew/--renew/-N options to Upgrade/--upgrade/-u
and Delete/--delete/-d to Gone/--gone/-g. and Delete/--delete/-d to Gone/--gone/-g.
Superseded SSLVersions option with TLSVersions. Superseded SSLVersions option with TLSVersions, and disabled TLS v1.0
and v1.1 by default.
Made the Channel side to expire with MaxMessages configurable. Made the Channel side to expire with MaxMessages configurable.
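Review bot: The default change is appended to the sentence about the SSLVersions/TLSVersions rename, where it is easy to miss, although it is the one entry in this block that can break an existing setup without any config edit. Give it its own sentence and state that servers limited to TLS v1.0/v1.1 now need those versions added back through TLSVersions.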


@ -3711,7 +3711,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
server->sconf.timeout = 20000; server->sconf.timeout = 20000;
#ifdef HAVE_LIBSSL #ifdef HAVE_LIBSSL
server->ssl_type = -1; server->ssl_type = -1;
server->sconf.ssl_versions = TLSv1 | TLSv1_1 | TLSv1_2 | TLSv1_3; server->sconf.ssl_versions = TLSv1_2 | TLSv1_3;
server->sconf.system_certs = 1; server->sconf.system_certs = 1;
#endif #endif
server->max_in_progress = INT_MAX; server->max_in_progress = INT_MAX;
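Review bot: The new default at the ssl_versions assignment, "TLSv1_2 | TLSv1_3", is a bare literal whose meaning is restated by hand in the man page ("All starting with 1.2"), so the two can drift apart on the next change. A short comment on this line pointing to the documented default, or a named constant for the default mask, would keep code and documentation together. The field is also still called ssl_versions although the option is now TLSVersions; renaming it in a follow-up would make the code easier to match against the docs.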


@ -419,7 +419,7 @@ Add/remove the specified TLS versions to/from the set of acceptable choices.
Use old versions only when the server has problems with newer ones. Use old versions only when the server has problems with newer ones.
Note that new versions are automatically enabled as soon as OpenSSL supports Note that new versions are automatically enabled as soon as OpenSSL supports
them, even if \fBmbsync\fR does not recognize them yet. them, even if \fBmbsync\fR does not recognize them yet.
(Default: All starting with 1.0). (Default: All starting with 1.2).
. .
.TP .TP
\fBSystemCertificates\fR \fByes\fR|\fBno\fR \fBSystemCertificates\fR \fByes\fR|\fBno\fR
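Review bot: The unchanged sentence "Use old versions only when the server has problems with newer ones" now sits above a default that excludes 1.0 and 1.1, and the text never says that those versions stay off unless explicitly added. Extend the default line, for example "(Default: All starting with 1.2; 1.0 and 1.1 must be enabled explicitly)", so a user whose handshake fails against an old server finds the remedy in this paragraph.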