authorSam Varshavchik2013-10-14 22:07:39 -0400
committerSam Varshavchik2013-10-14 22:07:39 -0400
commit37a74ee0f736237b67330c620de7dc08232dec17 (patch)
treef7d200c107782a93f2b5bed78a209e14a9ff628a /tcpd
parent94e6e7813f3c1f694ed45f56e2b735e911568470 (diff)
downloadcourier-libs-37a74ee0f736237b67330c620de7dc08232dec17.tar.bz2
2013-10-14 Sam Varshavchik <mrsam@courier-mta.com>
* libs/tcpd/libcouriertls.c (tls_create): Add TLSv1_1_method() and TLSv1_2_method(), based on patch by Rob Austein <sra@hactrn.net>. * pop3d-ssl.dist.in, imapd-ssl.dist.in: Fix up differences in the documentation of TLS options in various config files.
Diffstat (limited to 'tcpd')
-rw-r--r--tcpd/configure.ac4
-rw-r--r--tcpd/libcouriertls.c33
2 files changed, 29 insertions, 8 deletions
diff --git a/tcpd/configure.ac b/tcpd/configure.ac
index 3077c02..46c4a9d 100644
--- a/tcpd/configure.ac
+++ b/tcpd/configure.ac
@@ -506,10 +506,10 @@ RAND_pseudo_bytes(dummy, 1);
AC_MSG_RESULT(no)
]
)
-
+ LIBS="-lssl $LIBS"
+ AC_CHECK_FUNCS(TLSv1_1_method TLSv1_2_method)
LIBS="$save_LIBS"
-
TLSLIBRARY="$LIBCOURIERTLSOPENSSL"
STARTTLS=couriertls$EXEEXT
BUILDLIBCOURIERTLS=libcouriertls.la
diff --git a/tcpd/libcouriertls.c b/tcpd/libcouriertls.c
index 6eee8b0..c44f318 100644
--- a/tcpd/libcouriertls.c
+++ b/tcpd/libcouriertls.c
@@ -491,6 +491,8 @@ SSL_CTX *tls_create(int isserver, const struct tls_info *info)
const char *peer_cert_file=NULL;
int n;
struct tls_info *info_copy;
+ const SSL_METHOD *method=NULL;
+ long options;
if (!*ssl_cipher_list)
ssl_cipher_list=NULL;
@@ -548,14 +550,33 @@ SSL_CTX *tls_create(int isserver, const struct tls_info *info)
info_copy->isserver=isserver;
info_copy->certificate_verified=0;
- if (!protocol || !*protocol)
- protocol="SSL23";
+ options=SSL_OP_ALL;
- ctx=SSL_CTX_new(protocol && strcmp(protocol, "SSL3") == 0
+ method=((!protocol || !*protocol)
+ ? NULL:
+ strcmp(protocol, "SSL3") == 0
? SSLv3_method():
- protocol && strcmp(protocol, "SSL23") == 0
+ strcmp(protocol, "SSL23") == 0
? SSLv23_method():
- TLSv1_method());
+ strcmp(protocol, "TLSv1") == 0
+ ? TLSv1_method():
+#ifdef HAVE_TLSV1_1_METHOD
+ strcmp(protocol, "TLSv1.1") == 0
+ ? TLSv1_1_method():
+#endif
+#ifdef HAVE_TLSV1_2_METHOD
+ strcmp(protocol, "TLSv1.2") == 0
+ ? TLSv1_2_method():
+#endif
+ NULL);
+
+ if (!method)
+ {
+ method=SSLv23_method();
+ options|=SSL_OP_NO_SSLv2;
+ }
+
+ ctx=SSL_CTX_new(method);
if (!ctx)
{
@@ -564,7 +585,7 @@ SSL_CTX *tls_create(int isserver, const struct tls_info *info)
return (0);
}
SSL_CTX_set_app_data(ctx, info_copy);
- SSL_CTX_set_options(ctx, SSL_OP_ALL);
+ SSL_CTX_set_options(ctx, options);
if (!ssl_cipher_list)
ssl_cipher_list="SSLv3:TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH";
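Review bot: In the `if (!method)` fallback of the second hunk, SSL_OP_NO_SSLv2 is added only when the protocol setting is empty or unrecognized, so an explicit `SSL23` setting still yields a context that can negotiate SSLv2 while the default path no longer can; setting `options=SSL_OP_ALL|SSL_OP_NO_SSLv2;` at the top and dropping the `options|=SSL_OP_NO_SSLv2;` line would make the two paths consistent, and the flag should be harmless for the version-locked SSLv3/TLSv1 methods. The same fallback also silently maps a misspelled or unsupported protocol name (for example "TLSv1.1" on a build where HAVE_TLSV1_1_METHOD is not defined) to SSLv23, which hides a configuration error rather than reporting it; at minimum the rejected value should be logged before falling back. The #ifdef'd arms spliced into one nested ternary are hard to read and easy to break when another method is added; a sequence of `if (strcmp(protocol, "...") == 0) method=...;` statements would express the same selection more plainly. tls_create begins before and continues after the hunks shown.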