supersede SSLVersions option with TLSVersions

The new one isn't an exhaustive set anymore, but a delta to the default
(or previous setting). This has the advantage that new versions aren't
automatically disabled anymore as soon as mbsync learns about them if
the user has a setting they fail to adjust.
Oswald Buddenhagen 2022-05-16 15:57:03 +02:00
parent 7e0e14a686
commit e3056b26e9
4 changed files with 45 additions and 5 deletions

NEWS

@ -12,6 +12,8 @@ they are flagged on the source side.
Renamed the ReNew/--renew/-N options to Upgrade/--upgrade/-u Renamed the ReNew/--renew/-N options to Upgrade/--upgrade/-u
and Delete/--delete/-d to Gone/--gone/-g. and Delete/--delete/-d to Gone/--gone/-g.
Superseded SSLVersions option with TLSVersions.
Made the Channel side to expire with MaxMessages configurable. Made the Channel side to expire with MaxMessages configurable.
MaxMessages and MaxSize can be used together now. MaxMessages and MaxSize can be used together now.
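Review bot: the NEWS line under-describes the change for users migrating an existing config; the new option is a delta rather than an exhaustive list, and the old `SSLVersions` keyword is still accepted but prints a deprecation notice, both of which a reader of NEWS needs to know. Suggest extending it to something like "Superseded SSLVersions option with TLSVersions (incremental +/- syntax; SSLVersions still works but warns)."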


@ -3797,8 +3797,44 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
error( "%s:%d: Invalid SSL type\n", cfg->file, cfg->line ); error( "%s:%d: Invalid SSL type\n", cfg->file, cfg->line );
cfg->err = 1; cfg->err = 1;
} }
} else if (!strcasecmp( "TLSVersions", cfg->cmd )) {
arg = cfg->val;
do {
int or_mask = 0, and_mask = 0, val;
if (*arg == '+') {
or_mask = ~0;
} else if (*arg == '-') {
and_mask = ~0;
} else {
error( "%s:%d: TLSVersions arguments must start with +/-\n", cfg->file, cfg->line );
cfg->err = 1;
continue;
}
arg++;
if (!strcmp( "1.0", arg )) {
val = TLSv1;
} else if (!strcmp( "1.1", arg )) {
val = TLSv1_1;
} else if (!strcmp( "1.2", arg )) {
val = TLSv1_2;
} else if (!strcmp( "1.3", arg )) {
val = TLSv1_3;
} else {
error( "%s:%d: Unrecognized TLS version '%s'\n", cfg->file, cfg->line, arg );
cfg->err = 1;
continue;
}
or_mask &= val;
and_mask &= val;
server->sconf.ssl_versions = (server->sconf.ssl_versions & ~and_mask) | or_mask;
} while ((arg = get_arg( cfg, ARG_OPTIONAL, NULL )));
} else if (!strcasecmp( "SSLVersion", cfg->cmd ) || } else if (!strcasecmp( "SSLVersion", cfg->cmd ) ||
!strcasecmp( "SSLVersions", cfg->cmd )) { !strcasecmp( "SSLVersions", cfg->cmd )) {
static int sslv_warned;
if (!sslv_warned) {
sslv_warned = 1;
warn( "Notice: SSLVersions is deprecated. Use TLSVersions instead.\n" );
}
server->sconf.ssl_versions = 0; server->sconf.ssl_versions = 0;
arg = cfg->val; arg = cfg->val;
do { do {
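Review bot: the legacy `SSLVersions` branch still begins with `server->sconf.ssl_versions = 0;` and rebuilds the set from scratch, so a config that lists `TLSVersions` and then `SSLVersions` for the same store silently discards the delta; consider rejecting the combination with an error, or at least documenting that the later option wins. The mask arithmetic itself reads correctly: after `or_mask &= val; and_mask &= val;` a `+` entry yields `or_mask == val` and `and_mask == 0`, a `-` entry the reverse, so `(ssl_versions & ~and_mask) | or_mask` sets or clears exactly one version bit per argument, and each `continue` lands on the `while` condition, so a bad token is reported via `cfg->err` and the remaining arguments are still parsed.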


@ -414,10 +414,12 @@ so it is the default (unless a tunnel is used).
right after connecting the secure IMAP port 993. right after connecting the secure IMAP port 993.
. .
.TP .TP
\fBSSLVersions\fR [\fBSSLv3\fR] [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR] [\fBTLSv1.3\fR] \fBTLSVersions\fR {\fB+\fR|\fB-\fR}{\fB1.0\fR|\fB1.1\fR|\fB1.2\fR|\fB1.3\fR} ...
Select the acceptable SSL/TLS versions. Add/remove the specified TLS versions to/from the set of acceptable choices.
Use old versions only when the server has problems with newer ones. Use old versions only when the server has problems with newer ones.
(Default: [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR] [\fBTLSv1.3\fR]). Note that new versions are automatically enabled as soon as OpenSSL supports
them, even if \fBmbsync\fR does not recognize them yet.
(Default: All starting with 1.0).
. .
.TP .TP
\fBSystemCertificates\fR \fByes\fR|\fBno\fR \fBSystemCertificates\fR \fByes\fR|\fBno\fR
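Review bot: in the `\fBTLSVersions\fR {\fB+\fR|\fB-\fR}` synopsis the bare `-` should be written `\-` so groff emits an ASCII minus rather than a typographic hyphen; the token is typed into a config file, and copy-paste from the rendered page should produce the character the parser compares against. The default description could also make explicit that "All starting with 1.0" means TLS 1.0 and 1.1, which RFC 8996 deprecates, remain negotiable unless the user adds `-1.0 -1.1`; the surrounding text only advises using old versions when the server has problems with newer ones.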


@ -36,7 +36,7 @@ Sync PullNew Push
IMAPStore personal IMAPStore personal
Host host.play.com Host host.play.com
Port 6789 Port 6789
SSLType None TLSType None
Channel personal Channel personal
Far :personal: Far :personal:
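Review bot: `SSLType None` becomes `TLSType None` in the sample, but neither the commit message nor the visible parser hunk (which still reports "Invalid SSL type") mentions a TLSType keyword; if `imap_parse_store` does not already accept TLSType, this sample config will fail to parse. Either confirm the keyword exists or keep the sample at SSLType until that rename lands.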
@ -66,7 +66,7 @@ CertificateFile ~/.st1-certificate.crt
IMAPStore st2 IMAPStore st2
Host imap.another-domain.com Host imap.another-domain.com
Path non-standard/ Path non-standard/
SSLVersions TLSv1.3 TLSVersions -1.2
Channel rst Channel rst
Far :st1:somebox Far :st1:somebox
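Review bot: `TLSVersions -1.2` is not equivalent to the `SSLVersions TLSv1.3` line it replaces: the old line allowed only 1.3, whereas the new one starts from the default of every version from 1.0 up and removes 1.2, leaving 1.0, 1.1 and 1.3 enabled. If the sample is meant to show a 1.3-only store, `-1.0 -1.1 -1.2` expresses that; as written it also leaves the old 1.0 and 1.1 versions on, which is a poor pattern for a sample config to teach.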