supersede SSLVersions option with TLSVersions

the new one isn't an exhaustive set anymore, but a delta to the default
(or previous setting). this has the advantage that new versions aren't
automatically disabled anymore as soon as mbsync learns about them if
the user has a setting they fail to adjust.

NEWS

@@ -12,6 +12,8 @@ they are flagged on the source side.
 Renamed the ReNew/--renew/-N options to Upgrade/--upgrade/-u
 and Delete/--delete/-d to Gone/--gone/-g.
 
+Superseded SSLVersions option with TLSVersions.
+
 Made the Channel side to expire with MaxMessages configurable.
 
 MaxMessages and MaxSize can be used together now.

src/drv_imap.c

@@ -3797,8 +3797,44 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 				error( "%s:%d: Invalid SSL type\n", cfg->file, cfg->line );
 				cfg->err = 1;
 			}
+		} else if (!strcasecmp( "TLSVersions", cfg->cmd )) {
+			arg = cfg->val;
+			do {
+				int or_mask = 0, and_mask = 0, val;
+				if (*arg == '+') {
+					or_mask = ~0;
+				} else if (*arg == '-') {
+					and_mask = ~0;
+				} else {
+					error( "%s:%d: TLSVersions arguments must start with +/-\n", cfg->file, cfg->line );
+					cfg->err = 1;
+					continue;
+				}
+				arg++;
+				if (!strcmp( "1.0", arg )) {
+					val = TLSv1;
+				} else if (!strcmp( "1.1", arg )) {
+					val = TLSv1_1;
+				} else if (!strcmp( "1.2", arg )) {
+					val = TLSv1_2;
+				} else if (!strcmp( "1.3", arg )) {
+					val = TLSv1_3;
+				} else {
+					error( "%s:%d: Unrecognized TLS version '%s'\n", cfg->file, cfg->line, arg );
+					cfg->err = 1;
+					continue;
+				}
+				or_mask &= val;
+				and_mask &= val;
+				server->sconf.ssl_versions = (server->sconf.ssl_versions & ~and_mask) | or_mask;
+			} while ((arg = get_arg( cfg, ARG_OPTIONAL, NULL )));
 		} else if (!strcasecmp( "SSLVersion", cfg->cmd ) ||
 		           !strcasecmp( "SSLVersions", cfg->cmd )) {
+			static int sslv_warned;
+			if (!sslv_warned) {
+				sslv_warned = 1;
+				warn( "Notice: SSLVersions is deprecated. Use TLSVersions instead.\n" );
+			}
 			server->sconf.ssl_versions = 0;
 			arg = cfg->val;
 			do {

src/mbsync.1

@@ -414,10 +414,12 @@ so it is the default (unless a tunnel is used).
 right after connecting the secure IMAP port 993.
 .
 .TP
-\fBSSLVersions\fR [\fBSSLv3\fR] [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR] [\fBTLSv1.3\fR]
+\fBTLSVersions\fR {\fB+\fR|\fB-\fR}{\fB1.0\fR|\fB1.1\fR|\fB1.2\fR|\fB1.3\fR} ...
-Select the acceptable SSL/TLS versions.
+Add/remove the specified TLS versions to/from the set of acceptable choices.
 Use old versions only when the server has problems with newer ones.
-(Default: [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR] [\fBTLSv1.3\fR]).
+Note that new versions are automatically enabled as soon as OpenSSL supports
+them, even if \fBmbsync\fR does not recognize them yet.
+(Default: All starting with 1.0).
 .
 .TP
 \fBSystemCertificates\fR \fByes\fR|\fBno\fR

src/mbsyncrc.sample

@@ -36,7 +36,7 @@ Sync PullNew Push
 IMAPStore personal
 Host host.play.com
 Port 6789
-SSLType None
+TLSType None
 
 Channel personal
 Far :personal:
@@ -66,7 +66,7 @@ CertificateFile ~/.st1-certificate.crt
 IMAPStore st2
 Host imap.another-domain.com
 Path non-standard/
-SSLVersions TLSv1.3
+TLSVersions -1.2
 
 Channel rst
 Far :st1:somebox