| author | Sam Varshavchik | 2017-07-25 20:29:53 -0400 | 
|---|---|---|
| committer | Sam Varshavchik | 2017-07-25 20:37:01 -0400 | 
| commit | ad219be4de0f2e1416afe5857afbb3badd520aca (patch) | |
| tree | f9f064393e797b603055460d5b51ae951583fbea /tcpd/libcouriertls.c | |
| parent | 5f52fae452bac6c6db4b578b4667b8e9bc0901e0 (diff) | |
| download | courier-libs-ad219be4de0f2e1416afe5857afbb3badd520aca.tar.bz2 | |
Partially revert de2a130974e1a76daa1893e18442154c7fc90321.
Put back TLS_PROTOCOL, but use only SSLv23_method, replacing deprecated
methods with stubs for their + versions.
Diffstat (limited to 'tcpd/libcouriertls.c')
| -rw-r--r-- | tcpd/libcouriertls.c | 35 | 
1 files changed, 33 insertions, 2 deletions
| diff --git a/tcpd/libcouriertls.c b/tcpd/libcouriertls.c index 7a1ebeb..199015e 100644 --- a/tcpd/libcouriertls.c +++ b/tcpd/libcouriertls.c @@ -60,6 +60,25 @@ struct proto_ops {      const SSL_METHOD * (*m)();      int o;  }; +struct proto_ops op_list[] = +{ +#ifdef SSL_OP_NO_TLSv1 +#ifdef SSL_OP_NO_TLSv1_1 +    { "TLSv1.2+",  &SSLv23_method,  SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1 }, +    { "TLSv1.2",   &SSLv23_method,  SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1 }, +#endif +#endif + +#ifdef SSL_OP_NO_TLSv1 +    { "TLSv1.1+",  &SSLv23_method,  SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1 }, +    { "TLSv1.1",   &SSLv23_method,  SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1 }, +#endif +    { "TLSv1",     &SSLv23_method,  SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 }, +    { "TLS1",      &SSLv23_method,  SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 }, +    { "",          &SSLv23_method,  SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 }, +    { NULL,        &SSLv23_method,  SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 }, +}; +  /***** TODO *****/ @@ -547,6 +566,7 @@ SSL_CTX *tls_create_int(int isserver, const struct tls_info *info,  			int internal)  {  	SSL_CTX *ctx; +	const char *protocol=safe_getenv(info, "TLS_PROTOCOL");  	const char *ssl_cipher_list=safe_getenv(info, "TLS_CIPHER_LIST");  	int session_timeout=atoi(safe_getenv(info, "TLS_TIMEOUT"));  	const char *dhparamsfile=safe_getenv(info, "TLS_DHPARAMS"); @@ -557,7 +577,10 @@ SSL_CTX *tls_create_int(int isserver, const struct tls_info *info,  	const char *peer_cert_file=NULL;  	int n;  	struct tls_info *info_copy; +	const SSL_METHOD *method=NULL; +	long options;  	int cert_file_flags; +	struct proto_ops *opp;  	if (!*ssl_cipher_list)  		ssl_cipher_list=NULL; 
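Review bot: Each row of `op_list` stores its SSL_OP_* mask in the struct's `int o` member (visible in the hunk's leading context), yet the later hunk copies it into `long options` before handing it to SSL_CTX_set_options; in OpenSSL releases where SSL_OP_ALL has bit 31 set, the int conversion is implementation-defined and the value comes back sign-extended, so the mask passed to OpenSSL carries extra high bits it was never meant to have. Declaring the member as `long o;` (or `unsigned long`, whichever matches the SSL_CTX_set_options parameter in the targeted OpenSSL) keeps the round trip lossless; the struct's first member, `n`, lies above the hunk. The table would also benefit from a short header comment, e.g. `/* TLS_PROTOCOL lookup table: the plain names are aliases for the "+" rows, and the "" and NULL rows are the defaults for an unset or unrecognised value. */`, since the NULL row doing double duty as sentinel and fallback is not obvious from the initializer alone.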
@@ -617,7 +640,15 @@ SSL_CTX *tls_create_int(int isserver, const struct tls_info *info,  	info_copy->isserver=isserver;  	info_copy->certificate_verified=0; -	ctx=SSL_CTX_new(SSLv23_method()); +	for (opp=&op_list[0];opp->n!=NULL;opp++) +	{ +	    if (strcmp(opp->n,protocol)==0) +		break; +	}; +	options=opp->o; +	method=opp->m(); + +	ctx=SSL_CTX_new(method);  	if (!ctx)  	{ @@ -626,7 +657,7 @@ SSL_CTX *tls_create_int(int isserver, const struct tls_info *info,  		return (0);  	}  	SSL_CTX_set_app_data(ctx, info_copy); -	SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3); +	SSL_CTX_set_options(ctx, options);  	if (!ssl_cipher_list)  		ssl_cipher_list="TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"; | 
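Review bot: An unrecognised TLS_PROTOCOL value walks off the end of `op_list` and lands on the NULL sentinel row, i.e. the default options, with nothing reported; the same silent downgrade happens for `TLSv1.1+` or `TLSv1.2+` on a build where the corresponding SSL_OP_NO_TLSv1* macros are undefined and those rows compile out, so an operator who configured a minimum version runs with TLSv1 enabled and the log says nothing. After the loop, treat the fall-through as a configuration error rather than a default, e.g. `if (opp->n == NULL && *protocol) { /* report through the same error path used below when SSL_CTX_new fails, then return (0) */ }`, which presumes safe_getenv never returns NULL, as the existing `!*ssl_cipher_list` test suggests. The `};` closing the for body is a stray empty statement and can be `}`. The same options value is consumed in the following hunk's `SSL_CTX_set_options(ctx, options)`, so the check belongs here, before the context is created; tls_create_int continues outside this hunk.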
