| author | Sam Varshavchik | 2014-10-21 21:18:45 -0400 | 
|---|---|---|
| committer | Sam Varshavchik | 2014-10-21 21:18:45 -0400 | 
| commit | 6cd1f46e0796f132b1b10e764bebcc2882750639 (patch) | |
| tree | 427bd440c83d36dad32ed1fda20153fed3da67d9 | |
| parent | 6a35d8e82905d76e3585ee2699e225d22bccfb8d (diff) | |
| download | courier-libs-6cd1f46e0796f132b1b10e764bebcc2882750639.tar.bz2 | |
tcpd/libcouriertls.c: add additional protocol strings, options.
| -rw-r--r-- | imap/ChangeLog | 5 | ||||
| -rw-r--r-- | imap/imapd-ssl.dist.in | 5 | ||||
| -rw-r--r-- | imap/pop3d-ssl.dist.in | 5 | ||||
| -rw-r--r-- | tcpd/libcouriertls.c | 57 | 
4 files changed, 46 insertions, 26 deletions
diff --git a/imap/ChangeLog b/imap/ChangeLog
index d05db6d..d40662a 100644
--- a/imap/ChangeLog
+++ b/imap/ChangeLog
@@ -1,3 +1,8 @@
+2014-10-21  Bernard Quatermass <bqcourier@quatermass.co.uk>
+
+	* tcpd/libcouriertls.c: add parsing options for different protocol
+	combination.
+
 2014-10-21  坂元 英紀 <hs@on-sky.net>
 	* Update comments in *ssl config files.
diff --git a/imap/imapd-ssl.dist.in b/imap/imapd-ssl.dist.in
index 16fd181..bd531d7 100644
--- a/imap/imapd-ssl.dist.in
+++ b/imap/imapd-ssl.dist.in
@@ -142,7 +142,10 @@ COURIERTLS=@bindir@/couriertls
 # TLSv1.1 - TLS1.1
 # TLSv1.2 - TLS1.2
 #
-# Leave it unset to use any protocol except SSL 2.
+# SSL3+, TLSv1+, TLSv1.1+, and TLSv1.2+ - the corresponding protocol, and all
+# higher protocols.
+#
+# The default value is TLSv1+
 ##NAME: TLS_CIPHER_LIST:0
 #
diff --git a/imap/pop3d-ssl.dist.in b/imap/pop3d-ssl.dist.in
index 49f3d39..8fdf5a2 100644
--- a/imap/pop3d-ssl.dist.in
+++ b/imap/pop3d-ssl.dist.in
@@ -127,7 +127,10 @@ COURIERTLS=@bindir@/couriertls
 # TLSv1.1 - TLS1.1
 # TLSv1.2 - TLS1.2
 #
-# Leave it unset to use any protocol except SSL 2.
+# SSL3+, TLSv1+, TLSv1.1+, and TLSv1.2+ - the corresponding protocol, and all
+# higher protocols.
+#
+# The default value is TLSv1+
 ##NAME: TLS_CIPHER_LIST:0
 #
diff --git a/tcpd/libcouriertls.c b/tcpd/libcouriertls.c
index 1f5b0b2..886e27e 100644
--- a/tcpd/libcouriertls.c
+++ b/tcpd/libcouriertls.c
@@ -55,6 +55,32 @@
 #include	<sys/time.h>
+struct proto_ops {
+    char *n;
+    const SSL_METHOD * (*m)();
+    int o;
+};
+struct proto_ops op_list[] =
+{
+#ifdef HAVE_TLSV1_2_METHOD
+    { "TLSv1.2+",  &SSLv23_method,  SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1 },
+    { "TLSv1.2",   &TLSv1_2_method, SSL_OP_ALL },
+#endif
+#ifdef HAVE_TLSV1_1_METHOD
+    { "TLSv1.1+",  &SSLv23_method,  SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1 },
+    { "TLSv1.1",   &TLSv1_1_method, SSL_OP_ALL },
+#endif
+    { "TLSv1+",    &SSLv23_method,  SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 },
+    { "TLSv1",     &TLSv1_method,   SSL_OP_ALL },
+    { "TLS1",      &TLSv1_method,   SSL_OP_ALL },
+    { "SSL3+",     &SSLv23_method,  SSL_OP_ALL|SSL_OP_NO_SSLv2 },
+    { "SSL3",      &SSLv3_method,   SSL_OP_ALL },
+    { "SSL23",     &SSLv23_method,  SSL_OP_ALL },
+    { "",          &SSLv23_method,  SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 },
+    { NULL,        &SSLv23_method,  SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 },
+};
+
+
 /***** TODO *****/
 /* #define TLSCACHEDEBUG */
@@ -465,6 +491,7 @@ SSL_CTX *tls_create(int isserver, const struct tls_info *info)
 	const SSL_METHOD *method=NULL;
 	long options;
 	int cert_file_flags;
+	struct proto_ops *opp;
 	if (!*ssl_cipher_list)
 		ssl_cipher_list=NULL;
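Review bot: `op_list` is defined at file scope with external linkage and is writable, yet every row is a constant bound to a string literal through `char *n`; declare it `static const struct proto_ops op_list[]` with `const char *n;` so the table that decides which protocol versions a listener accepts cannot be modified at run time and is not exported to other translation units (the `struct proto_ops *opp;` added in the next hunk then becomes `const struct proto_ops *opp;`). The member `const SSL_METHOD * (*m)();` is an unprototyped function pointer, so the compiler cannot check the call made through it; write it `const SSL_METHOD *(*m)(void);`. The `""` row and the `NULL` sentinel carry identical method and options, meaning an unrecognized name ends up with the same default as an unset value; a comment on the sentinel such as `/* terminator; also the fallback for names not listed above */` would record that this is intended.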
@@ -522,31 +549,13 @@ SSL_CTX *tls_create(int isserver, const struct tls_info *info)
 	info_copy->isserver=isserver;
 	info_copy->certificate_verified=0;
-	options=SSL_OP_ALL;
-
-	method=((!protocol || !*protocol)
-		? NULL:
-		strcmp(protocol, "SSL3") == 0
-			? SSLv3_method():
-		strcmp(protocol, "SSL23") == 0
-			? SSLv23_method():
-		strcmp(protocol, "TLSv1") == 0
-		? TLSv1_method():
-#ifdef HAVE_TLSV1_1_METHOD
-		strcmp(protocol, "TLSv1.1") == 0
-		? TLSv1_1_method():
-#endif
-#ifdef HAVE_TLSV1_2_METHOD
-		strcmp(protocol, "TLSv1.2") == 0
-		? TLSv1_2_method():
-#endif
-		NULL);
-
-	if (!method)
+	for (opp=&op_list[0];opp->n!=NULL;opp++)
 	{
-		method=SSLv23_method();
-		options|=SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3;
-	}
+	    if (strcmp(opp->n,protocol)==0)
+		break;
+	};
+	options=opp->o;
+	method=opp->m();
 	ctx=SSL_CTX_new(method);
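Review bot: The removed code tolerated a NULL `protocol` (`!protocol || !*protocol`), but the new loop passes `protocol` straight to `strcmp(opp->n,protocol)`, which is undefined behaviour when it is NULL; where `protocol` is assigned lies outside the hunk, so unless every path guarantees a non-NULL string, add `if (!protocol) protocol = "";` before the loop so the `""` row selects the default exactly as before. Because the NULL sentinel row carries the default method and options, a misspelled or unsupported protocol name now silently falls back to the default instead of being reported; logging the unrecognized string at that point would make a misconfiguration visible rather than quietly widening or narrowing the accepted versions. The `};` closing the for body is an empty statement after the block and should lose its semicolon. tls_create begins before this hunk and continues after it.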
