add support for (disabling) TLS v1.3
this is actually potentially counterproductive, as people who have set SSLVersions and fail to adjust it will _lose_ tls 1.3 support. however, without the option being there, people (incorrectly) believe that tls 1.3 is not supported.
This commit is contained in:
parent
990cc112f1
commit
d09f988c70
2
NEWS
2
NEWS
|
@ -2,6 +2,8 @@
|
||||||
|
|
||||||
The 'isync' compatibility wrapper was removed.
|
The 'isync' compatibility wrapper was removed.
|
||||||
|
|
||||||
|
Added support for disabling TLS v1.3 - adjust SSLVersions if you set it.
|
||||||
|
|
||||||
The IMAP '$Forwarded' / Maildir 'P' (passed) flag is supported now.
|
The IMAP '$Forwarded' / Maildir 'P' (passed) flag is supported now.
|
||||||
|
|
||||||
Support for configuring a TLS cipher string was added.
|
Support for configuring a TLS cipher string was added.
|
||||||
|
|
|
@ -3194,7 +3194,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
|
||||||
#ifdef HAVE_LIBSSL
|
#ifdef HAVE_LIBSSL
|
||||||
/* Legacy SSL options */
|
/* Legacy SSL options */
|
||||||
int require_ssl = -1, use_imaps = -1;
|
int require_ssl = -1, use_imaps = -1;
|
||||||
int use_sslv3 = -1, use_tlsv1 = -1, use_tlsv11 = -1, use_tlsv12 = -1;
|
int use_sslv3 = -1, use_tlsv1 = -1, use_tlsv11 = -1, use_tlsv12 = -1, use_tlsv13 = -1;
|
||||||
#endif
|
#endif
|
||||||
/* Legacy SASL option */
|
/* Legacy SASL option */
|
||||||
int require_cram = -1;
|
int require_cram = -1;
|
||||||
|
@ -3234,7 +3234,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
|
||||||
arg += 6;
|
arg += 6;
|
||||||
server->ssl_type = SSL_IMAPS;
|
server->ssl_type = SSL_IMAPS;
|
||||||
if (server->sconf.ssl_versions == -1)
|
if (server->sconf.ssl_versions == -1)
|
||||||
server->sconf.ssl_versions = SSLv3 | TLSv1 | TLSv1_1 | TLSv1_2;
|
server->sconf.ssl_versions = SSLv3 | TLSv1 | TLSv1_1 | TLSv1_2 | TLSv1_3;
|
||||||
} else
|
} else
|
||||||
#endif
|
#endif
|
||||||
if (starts_with( arg, -1, "imap:", 5 ))
|
if (starts_with( arg, -1, "imap:", 5 ))
|
||||||
|
@ -3333,6 +3333,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
|
||||||
server->sconf.ssl_versions |= TLSv1_1;
|
server->sconf.ssl_versions |= TLSv1_1;
|
||||||
} else if (!strcasecmp( "TLSv1.2", arg )) {
|
} else if (!strcasecmp( "TLSv1.2", arg )) {
|
||||||
server->sconf.ssl_versions |= TLSv1_2;
|
server->sconf.ssl_versions |= TLSv1_2;
|
||||||
|
} else if (!strcasecmp( "TLSv1.3", arg )) {
|
||||||
|
server->sconf.ssl_versions |= TLSv1_3;
|
||||||
} else {
|
} else {
|
||||||
error( "%s:%d: Unrecognized SSL version\n", cfg->file, cfg->line );
|
error( "%s:%d: Unrecognized SSL version\n", cfg->file, cfg->line );
|
||||||
cfg->err = 1;
|
cfg->err = 1;
|
||||||
|
@ -3352,6 +3354,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
|
||||||
use_tlsv11 = parse_bool( cfg );
|
use_tlsv11 = parse_bool( cfg );
|
||||||
else if (!strcasecmp( "UseTLSv1.2", cfg->cmd ))
|
else if (!strcasecmp( "UseTLSv1.2", cfg->cmd ))
|
||||||
use_tlsv12 = parse_bool( cfg );
|
use_tlsv12 = parse_bool( cfg );
|
||||||
|
else if (!strcasecmp( "UseTLSv1.3", cfg->cmd ))
|
||||||
|
use_tlsv13 = parse_bool( cfg );
|
||||||
#endif
|
#endif
|
||||||
else if (!strcasecmp( "AuthMech", cfg->cmd ) ||
|
else if (!strcasecmp( "AuthMech", cfg->cmd ) ||
|
||||||
!strcasecmp( "AuthMechs", cfg->cmd )) {
|
!strcasecmp( "AuthMechs", cfg->cmd )) {
|
||||||
|
@ -3412,7 +3416,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
#ifdef HAVE_LIBSSL
|
#ifdef HAVE_LIBSSL
|
||||||
if ((use_sslv3 & use_tlsv1 & use_tlsv11 & use_tlsv12) != -1 || use_imaps >= 0 || require_ssl >= 0) {
|
if ((use_sslv3 & use_tlsv1 & use_tlsv11 & use_tlsv12 & use_tlsv13) != -1 || use_imaps >= 0 || require_ssl >= 0) {
|
||||||
if (server->ssl_type >= 0 || server->sconf.ssl_versions >= 0) {
|
if (server->ssl_type >= 0 || server->sconf.ssl_versions >= 0) {
|
||||||
error( "%s '%s': The deprecated UseSSL*, UseTLS*, UseIMAPS, and RequireSSL options are mutually exclusive with SSLType and SSLVersions.\n", type, name );
|
error( "%s '%s': The deprecated UseSSL*, UseTLS*, UseIMAPS, and RequireSSL options are mutually exclusive with SSLType and SSLVersions.\n", type, name );
|
||||||
cfg->err = 1;
|
cfg->err = 1;
|
||||||
|
@ -3423,7 +3427,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
|
||||||
(use_sslv3 != 1 ? 0 : SSLv3) |
|
(use_sslv3 != 1 ? 0 : SSLv3) |
|
||||||
(use_tlsv1 == 0 ? 0 : TLSv1) |
|
(use_tlsv1 == 0 ? 0 : TLSv1) |
|
||||||
(use_tlsv11 != 1 ? 0 : TLSv1_1) |
|
(use_tlsv11 != 1 ? 0 : TLSv1_1) |
|
||||||
(use_tlsv12 != 1 ? 0 : TLSv1_2);
|
(use_tlsv12 != 1 ? 0 : TLSv1_2) |
|
||||||
|
(use_tlsv13 != 1 ? 0 : TLSv1_3);
|
||||||
if (use_imaps == 1) {
|
if (use_imaps == 1) {
|
||||||
server->ssl_type = SSL_IMAPS;
|
server->ssl_type = SSL_IMAPS;
|
||||||
} else if (require_ssl) {
|
} else if (require_ssl) {
|
||||||
|
@ -3441,7 +3446,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if (server->sconf.ssl_versions < 0)
|
if (server->sconf.ssl_versions < 0)
|
||||||
server->sconf.ssl_versions = TLSv1 | TLSv1_1 | TLSv1_2;
|
server->sconf.ssl_versions = TLSv1 | TLSv1_1 | TLSv1_2 | TLSv1_3;
|
||||||
if (server->ssl_type < 0)
|
if (server->ssl_type < 0)
|
||||||
server->ssl_type = server->sconf.tunnel ? SSL_None : SSL_STARTTLS;
|
server->ssl_type = server->sconf.tunnel ? SSL_None : SSL_STARTTLS;
|
||||||
}
|
}
|
||||||
|
|
|
@ -363,10 +363,10 @@ so it is the default (unless a tunnel is used).
|
||||||
right after connecting the secure IMAP port 993.
|
right after connecting the secure IMAP port 993.
|
||||||
.
|
.
|
||||||
.TP
|
.TP
|
||||||
\fBSSLVersions\fR [\fBSSLv3\fR] [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR]
|
\fBSSLVersions\fR [\fBSSLv3\fR] [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR] [\fBTLSv1.3\fR]
|
||||||
Select the acceptable SSL/TLS versions.
|
Select the acceptable SSL/TLS versions.
|
||||||
Use old versions only when the server has problems with newer ones.
|
Use old versions only when the server has problems with newer ones.
|
||||||
(Default: [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR]).
|
(Default: [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR] [\fBTLSv1.3\fR]).
|
||||||
.
|
.
|
||||||
.TP
|
.TP
|
||||||
\fBSystemCertificates\fR \fByes\fR|\fBno\fR
|
\fBSystemCertificates\fR \fByes\fR|\fBno\fR
|
||||||
|
|
|
@ -260,6 +260,10 @@ init_ssl_ctx( const server_conf_t *conf )
|
||||||
if (!(conf->ssl_versions & TLSv1_2))
|
if (!(conf->ssl_versions & TLSv1_2))
|
||||||
options |= SSL_OP_NO_TLSv1_2;
|
options |= SSL_OP_NO_TLSv1_2;
|
||||||
#endif
|
#endif
|
||||||
|
#ifdef SSL_OP_NO_TLSv1_3
|
||||||
|
if (!(conf->ssl_versions & TLSv1_3))
|
||||||
|
options |= SSL_OP_NO_TLSv1_3;
|
||||||
|
#endif
|
||||||
|
|
||||||
SSL_CTX_set_options( mconf->SSLContext, options );
|
SSL_CTX_set_options( mconf->SSLContext, options );
|
||||||
|
|
||||||
|
|
|
@ -36,7 +36,8 @@ enum {
|
||||||
SSLv3 = 2,
|
SSLv3 = 2,
|
||||||
TLSv1 = 4,
|
TLSv1 = 4,
|
||||||
TLSv1_1 = 8,
|
TLSv1_1 = 8,
|
||||||
TLSv1_2 = 16
|
TLSv1_2 = 16,
|
||||||
|
TLSv1_3 = 32
|
||||||
};
|
};
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user