lobo/isync
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add support for (disabling) TLS v1.3

Browse Source 
this is actually potentially counterproductive, as people who have set
SSLVersions and fail to adjust it will _lose_ tls 1.3 support. however,
without the option being there, people (incorrectly) believe that tls
1.3 is not supported.
This commit is contained in:
Oswald Buddenhagen 2019-11-26 16:05:46 +01:00
parent 990cc112f1
commit d09f988c70
5 changed files with 20 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
NEWS
View File

@ -2,6 +2,8 @@
The 'isync' compatibility wrapper was removed. The 'isync' compatibility wrapper was removed.
Added support for disabling TLS v1.3 - adjust SSLVersions if you set it.
The IMAP '$Forwarded' / Maildir 'P' (passed) flag is supported now. The IMAP '$Forwarded' / Maildir 'P' (passed) flag is supported now.
Support for configuring a TLS cipher string was added. Support for configuring a TLS cipher string was added.

15
src/drv_imap.c
View File

@ -3194,7 +3194,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
#ifdef HAVE_LIBSSL #ifdef HAVE_LIBSSL
/* Legacy SSL options */ /* Legacy SSL options */
int require_ssl = -1, use_imaps = -1; int require_ssl = -1, use_imaps = -1;
int use_sslv3 = -1, use_tlsv1 = -1, use_tlsv11 = -1, use_tlsv12 = -1; int use_sslv3 = -1, use_tlsv1 = -1, use_tlsv11 = -1, use_tlsv12 = -1, use_tlsv13 = -1;
#endif #endif
/* Legacy SASL option */ /* Legacy SASL option */
int require_cram = -1; int require_cram = -1;
@ -3234,7 +3234,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
arg += 6; arg += 6;
server->ssl_type = SSL_IMAPS; server->ssl_type = SSL_IMAPS;
if (server->sconf.ssl_versions == -1) if (server->sconf.ssl_versions == -1)
server->sconf.ssl_versions = SSLv3 | TLSv1 | TLSv1_1 | TLSv1_2; server->sconf.ssl_versions = SSLv3 | TLSv1 | TLSv1_1 | TLSv1_2 | TLSv1_3;
} else } else
#endif #endif
if (starts_with( arg, -1, "imap:", 5 )) if (starts_with( arg, -1, "imap:", 5 ))
@ -3333,6 +3333,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
server->sconf.ssl_versions |= TLSv1_1; server->sconf.ssl_versions |= TLSv1_1;
} else if (!strcasecmp( "TLSv1.2", arg )) { } else if (!strcasecmp( "TLSv1.2", arg )) {
server->sconf.ssl_versions |= TLSv1_2; server->sconf.ssl_versions |= TLSv1_2;
} else if (!strcasecmp( "TLSv1.3", arg )) {
server->sconf.ssl_versions |= TLSv1_3;
} else { } else {
error( "%s:%d: Unrecognized SSL version\n", cfg->file, cfg->line ); error( "%s:%d: Unrecognized SSL version\n", cfg->file, cfg->line );
cfg->err = 1; cfg->err = 1;
@ -3352,6 +3354,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
use_tlsv11 = parse_bool( cfg ); use_tlsv11 = parse_bool( cfg );
else if (!strcasecmp( "UseTLSv1.2", cfg->cmd )) else if (!strcasecmp( "UseTLSv1.2", cfg->cmd ))
use_tlsv12 = parse_bool( cfg ); use_tlsv12 = parse_bool( cfg );
else if (!strcasecmp( "UseTLSv1.3", cfg->cmd ))
use_tlsv13 = parse_bool( cfg );
#endif #endif
else if (!strcasecmp( "AuthMech", cfg->cmd ) || else if (!strcasecmp( "AuthMech", cfg->cmd ) ||
!strcasecmp( "AuthMechs", cfg->cmd )) { !strcasecmp( "AuthMechs", cfg->cmd )) {
@ -3412,7 +3416,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
return 1; return 1;
} }
#ifdef HAVE_LIBSSL #ifdef HAVE_LIBSSL
if ((use_sslv3 & use_tlsv1 & use_tlsv11 & use_tlsv12) != -1 || use_imaps >= 0 || require_ssl >= 0) { if ((use_sslv3 & use_tlsv1 & use_tlsv11 & use_tlsv12 & use_tlsv13) != -1 || use_imaps >= 0 || require_ssl >= 0) {
if (server->ssl_type >= 0 || server->sconf.ssl_versions >= 0) { if (server->ssl_type >= 0 || server->sconf.ssl_versions >= 0) {
error( "%s '%s': The deprecated UseSSL*, UseTLS*, UseIMAPS, and RequireSSL options are mutually exclusive with SSLType and SSLVersions.\n", type, name ); error( "%s '%s': The deprecated UseSSL*, UseTLS*, UseIMAPS, and RequireSSL options are mutually exclusive with SSLType and SSLVersions.\n", type, name );
cfg->err = 1; cfg->err = 1;
@ -3423,7 +3427,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
(use_sslv3 != 1 ? 0 : SSLv3) | (use_sslv3 != 1 ? 0 : SSLv3) |
(use_tlsv1 == 0 ? 0 : TLSv1) | (use_tlsv1 == 0 ? 0 : TLSv1) |
(use_tlsv11 != 1 ? 0 : TLSv1_1) | (use_tlsv11 != 1 ? 0 : TLSv1_1) |
(use_tlsv12 != 1 ? 0 : TLSv1_2); (use_tlsv12 != 1 ? 0 : TLSv1_2) |
(use_tlsv13 != 1 ? 0 : TLSv1_3);
if (use_imaps == 1) { if (use_imaps == 1) {
server->ssl_type = SSL_IMAPS; server->ssl_type = SSL_IMAPS;
} else if (require_ssl) { } else if (require_ssl) {
@ -3441,7 +3446,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
} }
} else { } else {
if (server->sconf.ssl_versions < 0) if (server->sconf.ssl_versions < 0)
server->sconf.ssl_versions = TLSv1 | TLSv1_1 | TLSv1_2; server->sconf.ssl_versions = TLSv1 | TLSv1_1 | TLSv1_2 | TLSv1_3;
if (server->ssl_type < 0) if (server->ssl_type < 0)
server->ssl_type = server->sconf.tunnel ? SSL_None : SSL_STARTTLS; server->ssl_type = server->sconf.tunnel ? SSL_None : SSL_STARTTLS;
} }

4
src/mbsync.1
View File

@ -363,10 +363,10 @@ so it is the default (unless a tunnel is used).
right after connecting the secure IMAP port 993. right after connecting the secure IMAP port 993.
. .
.TP .TP
\fBSSLVersions\fR [\fBSSLv3\fR] [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR] \fBSSLVersions\fR [\fBSSLv3\fR] [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR] [\fBTLSv1.3\fR]
Select the acceptable SSL/TLS versions. Select the acceptable SSL/TLS versions.
Use old versions only when the server has problems with newer ones. Use old versions only when the server has problems with newer ones.
(Default: [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR]). (Default: [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR] [\fBTLSv1.3\fR]).
. .
.TP .TP
\fBSystemCertificates\fR \fByes\fR|\fBno\fR \fBSystemCertificates\fR \fByes\fR|\fBno\fR

4
src/socket.c
View File

@ -260,6 +260,10 @@ init_ssl_ctx( const server_conf_t *conf )
if (!(conf->ssl_versions & TLSv1_2)) if (!(conf->ssl_versions & TLSv1_2))
options |= SSL_OP_NO_TLSv1_2; options |= SSL_OP_NO_TLSv1_2;
#endif #endif
#ifdef SSL_OP_NO_TLSv1_3
if (!(conf->ssl_versions & TLSv1_3))
options |= SSL_OP_NO_TLSv1_3;
#endif
SSL_CTX_set_options( mconf->SSLContext, options ); SSL_CTX_set_options( mconf->SSLContext, options );

3
src/socket.h
View File

@ -36,7 +36,8 @@ enum {
SSLv3 = 2, SSLv3 = 2,
TLSv1 = 4, TLSv1 = 4,
TLSv1_1 = 8, TLSv1_1 = 8,
TLSv1_2 = 16 TLSv1_2 = 16,
TLSv1_3 = 32
}; };
#endif #endif