authorSam Varshavchik2017-07-25 20:29:53 -0400
committerSam Varshavchik2017-07-25 20:37:01 -0400
commitad219be4de0f2e1416afe5857afbb3badd520aca (patch)
treef9f064393e797b603055460d5b51ae951583fbea
parent5f52fae452bac6c6db4b578b4667b8e9bc0901e0 (diff)
Partially revert de2a130974e1a76daa1893e18442154c7fc90321.
Put back TLS_PROTOCOL, but use only SSLv23_method, replacing the deprecated per-version methods with stubs for their "+" versions.
-rw-r--r--imap/imapd-ssl.dist.in.git11
-rw-r--r--imap/pop3d-ssl.dist.in.git11
-rw-r--r--tcpd/libcouriertls.c35
3 files changed, 41 insertions, 16 deletions
diff --git a/imap/imapd-ssl.dist.in.git b/imap/imapd-ssl.dist.in.git
index 3fe9334..df5cf02 100644
--- a/imap/imapd-ssl.dist.in.git
+++ b/imap/imapd-ssl.dist.in.git
@@ -136,14 +136,11 @@ COURIERTLS=@bindir@/couriertls
#
# OpenSSL:
#
-# TLSv1 - TLS1
-# TLSv1.1 - TLS1.1
-# TLSv1.2 - TLS1.2
+# TLSv1 - TLS 1.0, or higher.
+# TLSv1.1 - TLS1.1, or higher.
+# TLSv1.2 - TLS1.2, or higher.
#
-# TLSv1+, TLSv1.1+, and TLSv1.2+ - the corresponding protocol, and all
-# higher protocols.
-#
-# The default value is TLSv1+
+# The default value is TLSv1
##NAME: TLS_CIPHER_LIST:0
#
diff --git a/imap/pop3d-ssl.dist.in.git b/imap/pop3d-ssl.dist.in.git
index b11ac08..43a68e5 100644
--- a/imap/pop3d-ssl.dist.in.git
+++ b/imap/pop3d-ssl.dist.in.git
@@ -121,14 +121,11 @@ COURIERTLS=@bindir@/couriertls
#
# OpenSSL:
#
-# TLSv11 - TLS1
-# TLSv1.1 - TLS1.1
-# TLSv1.2 - TLS1.2
+# TLSv1 - TLS 1.0, or higher.
+# TLSv1.1 - TLS1.1, or higher.
+# TLSv1.2 - TLS1.2, or higher.
#
-# TLSv1+, TLSv1.1+, and TLSv1.2+ - the corresponding protocol, and all
-# higher protocols.
-#
-# The default value is TLSv1+
+# The default value is TLSv1.
##NAME: TLS_STARTTLS_PROTOCOL:0
#
diff --git a/tcpd/libcouriertls.c b/tcpd/libcouriertls.c
index 7a1ebeb..199015e 100644
--- a/tcpd/libcouriertls.c
+++ b/tcpd/libcouriertls.c
@@ -60,6 +60,25 @@ struct proto_ops {
const SSL_METHOD * (*m)();
int o;
};
+struct proto_ops op_list[] =
+{
+#ifdef SSL_OP_NO_TLSv1
+#ifdef SSL_OP_NO_TLSv1_1
+ { "TLSv1.2+", &SSLv23_method, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1 },
+ { "TLSv1.2", &SSLv23_method, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1 },
+#endif
+#endif
+
+#ifdef SSL_OP_NO_TLSv1
+ { "TLSv1.1+", &SSLv23_method, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1 },
+ { "TLSv1.1", &SSLv23_method, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1 },
+#endif
+ { "TLSv1", &SSLv23_method, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 },
+ { "TLS1", &SSLv23_method, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 },
+ { "", &SSLv23_method, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 },
+ { NULL, &SSLv23_method, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 },
+};
+
/***** TODO *****/
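Review bot: `op_list` at the top of the hunk is defined with external linkage and as a mutable array even though it is only a lookup table consumed later in this file; it should read `static const struct proto_ops op_list[] =`. The struct's option field is `int o` (context line just above the table) while the initializers store `SSL_OP_*` masks, which OpenSSL defines as long-typed constants, and the consumer later copies the field into `long options`; if any of these combinations exceeds INT_MAX the value is narrowed at initialization and sign-extended on read, so `o` should be declared `long` to match what `SSL_CTX_set_options` receives. The `TLSv1.2+`/`TLSv1.2` and `TLSv1.1+`/`TLSv1.1` rows carry identical options, which matches the commit's intent, but a comment above the table such as `/* Un-suffixed names are aliases of their "+" forms: every entry sets a minimum version, never an exact one. */` would stop the next reader from assuming an exact-version match.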
@@ -547,6 +566,7 @@ SSL_CTX *tls_create_int(int isserver, const struct tls_info *info,
int internal)
{
SSL_CTX *ctx;
+ const char *protocol=safe_getenv(info, "TLS_PROTOCOL");
const char *ssl_cipher_list=safe_getenv(info, "TLS_CIPHER_LIST");
int session_timeout=atoi(safe_getenv(info, "TLS_TIMEOUT"));
const char *dhparamsfile=safe_getenv(info, "TLS_DHPARAMS");
@@ -557,7 +577,10 @@ SSL_CTX *tls_create_int(int isserver, const struct tls_info *info,
const char *peer_cert_file=NULL;
int n;
struct tls_info *info_copy;
+ const SSL_METHOD *method=NULL;
+ long options;
int cert_file_flags;
+ struct proto_ops *opp;
if (!*ssl_cipher_list)
ssl_cipher_list=NULL;
@@ -617,7 +640,15 @@ SSL_CTX *tls_create_int(int isserver, const struct tls_info *info,
info_copy->isserver=isserver;
info_copy->certificate_verified=0;
- ctx=SSL_CTX_new(SSLv23_method());
+ for (opp=&op_list[0];opp->n!=NULL;opp++)
+ {
+ if (strcmp(opp->n,protocol)==0)
+ break;
+ };
+ options=opp->o;
+ method=opp->m();
+
+ ctx=SSL_CTX_new(method);
if (!ctx)
{
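Review bot: The lookup loop that replaces the `SSL_CTX_new(SSLv23_method())` call fails open: a TLS_PROTOCOL value that matches no row (a typo, a different case such as `tlsv1.2`, or `TLSv1.2` on a build where the `SSL_OP_NO_TLSv1_1` guard in the table excluded those rows) runs to the NULL sentinel, whose options only disable SSLv2 and SSLv3, so a configured minimum of TLS 1.2 silently becomes TLS 1.0 with no diagnostic. After the loop an unrecognised non-empty value should be reported and treated as a configuration error through the same path as the `SSL_CTX_new` failure below, e.g. `if (opp->n == NULL && *protocol) { /* report unknown TLS_PROTOCOL */ ...; return (0); }`, where the cleanup that path performs is outside the hunk. The `};` closing the loop body leaves a stray empty statement. Whether `safe_getenv` can return NULL, which `strcmp` would dereference, is not visible here; the existing `!*ssl_cipher_list` test in an earlier hunk suggests it returns a non-NULL string. tls_create_int starts and ends outside this hunk.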
@@ -626,7 +657,7 @@ SSL_CTX *tls_create_int(int isserver, const struct tls_info *info,
return (0);
}
SSL_CTX_set_app_data(ctx, info_copy);
- SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
+ SSL_CTX_set_options(ctx, options);
if (!ssl_cipher_list)
ssl_cipher_list="TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH";