add support for (disabling) TLS v1.1 and v1.2
This commit is contained in:
parent
c7ebe2da95
commit
fbba8f1cda
|
@ -1980,6 +1980,10 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
|
||||||
server->sconf.use_sslv3 = parse_bool( cfg );
|
server->sconf.use_sslv3 = parse_bool( cfg );
|
||||||
else if (!strcasecmp( "UseTLSv1", cfg->cmd ))
|
else if (!strcasecmp( "UseTLSv1", cfg->cmd ))
|
||||||
server->sconf.use_tlsv1 = parse_bool( cfg );
|
server->sconf.use_tlsv1 = parse_bool( cfg );
|
||||||
|
else if (!strcasecmp( "UseTLSv1.1", cfg->cmd ))
|
||||||
|
server->sconf.use_tlsv11 = parse_bool( cfg );
|
||||||
|
else if (!strcasecmp( "UseTLSv1.2", cfg->cmd ))
|
||||||
|
server->sconf.use_tlsv12 = parse_bool( cfg );
|
||||||
else if (!strcasecmp( "RequireCRAM", cfg->cmd ))
|
else if (!strcasecmp( "RequireCRAM", cfg->cmd ))
|
||||||
server->require_cram = parse_bool( cfg );
|
server->require_cram = parse_bool( cfg );
|
||||||
#endif
|
#endif
|
||||||
|
|
|
@ -63,6 +63,8 @@ typedef struct server_conf {
|
||||||
unsigned use_sslv2:1;
|
unsigned use_sslv2:1;
|
||||||
unsigned use_sslv3:1;
|
unsigned use_sslv3:1;
|
||||||
unsigned use_tlsv1:1;
|
unsigned use_tlsv1:1;
|
||||||
|
unsigned use_tlsv11:1;
|
||||||
|
unsigned use_tlsv12:1;
|
||||||
|
|
||||||
/* these are actually variables and are leaked at the end */
|
/* these are actually variables and are leaked at the end */
|
||||||
SSL_CTX *SSLContext;
|
SSL_CTX *SSLContext;
|
||||||
|
|
10
src/mbsync.1
10
src/mbsync.1
|
@ -294,6 +294,16 @@ Use TLSv1 for communication with the IMAP server over SSL?
|
||||||
(Default: \fIyes\fR)
|
(Default: \fIyes\fR)
|
||||||
..
|
..
|
||||||
.TP
|
.TP
|
||||||
|
\fBUseTLSv1.1\fR \fIyes\fR|\fIno\fR
|
||||||
|
Use TLSv1.1 for communication with the IMAP server over SSL?
|
||||||
|
(Default: \fIno\fR)
|
||||||
|
..
|
||||||
|
.TP
|
||||||
|
\fBUseTLSv1.2\fR \fIyes\fR|\fIno\fR
|
||||||
|
Use TLSv1.2 for communication with the IMAP server over SSL?
|
||||||
|
(Default: \fIno\fR)
|
||||||
|
..
|
||||||
|
.TP
|
||||||
\fBPipelineDepth\fR \fIdepth\fR
|
\fBPipelineDepth\fR \fIdepth\fR
|
||||||
Maximum number of IMAP commands which can be simultaneously in flight.
|
Maximum number of IMAP commands which can be simultaneously in flight.
|
||||||
Setting this to \fI1\fR disables pipelining.
|
Setting this to \fI1\fR disables pipelining.
|
||||||
|
|
15
src/socket.c
15
src/socket.c
|
@ -231,14 +231,9 @@ static int
|
||||||
init_ssl_ctx( const server_conf_t *conf )
|
init_ssl_ctx( const server_conf_t *conf )
|
||||||
{
|
{
|
||||||
server_conf_t *mconf = (server_conf_t *)conf;
|
server_conf_t *mconf = (server_conf_t *)conf;
|
||||||
const SSL_METHOD *method;
|
|
||||||
int options = 0;
|
int options = 0;
|
||||||
|
|
||||||
if (conf->use_tlsv1 && !conf->use_sslv2 && !conf->use_sslv3)
|
mconf->SSLContext = SSL_CTX_new( SSLv23_client_method() );
|
||||||
method = TLSv1_client_method();
|
|
||||||
else
|
|
||||||
method = SSLv23_client_method();
|
|
||||||
mconf->SSLContext = SSL_CTX_new( method );
|
|
||||||
|
|
||||||
if (!conf->use_sslv2)
|
if (!conf->use_sslv2)
|
||||||
options |= SSL_OP_NO_SSLv2;
|
options |= SSL_OP_NO_SSLv2;
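Review bot: The new line `mconf->SSLContext = SSL_CTX_new( SSLv23_client_method() );` stores the result without checking it, and SSL_CTX_new() returns NULL on failure; the following hunk then passes that pointer straight to `SSL_CTX_set_options( mconf->SSLContext, options )`. Neither hunk shows a NULL check, so unless one exists in the part of init_ssl_ctx that lies outside these hunks, add `if (!mconf->SSLContext)` directly after the assignment and return with the function's failure value (its return convention is not visible here). The `static int` storage line sits just before the hunk and the function body continues past its end.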
|
||||||
|
@ -246,6 +241,14 @@ init_ssl_ctx( const server_conf_t *conf )
|
||||||
options |= SSL_OP_NO_SSLv3;
|
options |= SSL_OP_NO_SSLv3;
|
||||||
if (!conf->use_tlsv1)
|
if (!conf->use_tlsv1)
|
||||||
options |= SSL_OP_NO_TLSv1;
|
options |= SSL_OP_NO_TLSv1;
|
||||||
|
#ifdef SSL_OP_NO_TLSv1_1
|
||||||
|
if (!conf->use_tlsv11)
|
||||||
|
options |= SSL_OP_NO_TLSv1_1;
|
||||||
|
#endif
|
||||||
|
#ifdef SSL_OP_NO_TLSv1_2
|
||||||
|
if (!conf->use_tlsv12)
|
||||||
|
options |= SSL_OP_NO_TLSv1_2;
|
||||||
|
#endif
|
||||||
|
|
||||||
SSL_CTX_set_options( mconf->SSLContext, options );
|
SSL_CTX_set_options( mconf->SSLContext, options );
|
||||||
|
|
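Review bot: A configuration that never mentions the new options ends up with TLS 1.1 and 1.2 switched off, because `if (!conf->use_tlsv12) options |= SSL_OP_NO_TLSv1_2;` (and its TLSv1.1 twin above it) turns a cleared bit into a disabled protocol, and the man page hunk in this commit documents both options as `(Default: no)`, so an untouched setup negotiates TLS 1.0 at best. If that is deliberate the man page should say why; otherwise the default should be `yes`, i.e. set `use_tlsv11 = use_tlsv12 = 1` wherever `use_tlsv1` receives its default (that initialisation is not part of this diff). The `#ifdef SSL_OP_NO_TLSv1_1` / `#ifdef SSL_OP_NO_TLSv1_2` guards also deserve a comment such as `/* older OpenSSL without this version: the UseTLSv1.x setting is accepted but has no effect */`, since the drv_imap.c hunk parses the option unconditionally.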
||||||
|
|