-rw-r--r--imap/ChangeLog8
-rw-r--r--imap/imapd-ssl.dist.in41
-rw-r--r--imap/pop3d-ssl.dist.in39
-rw-r--r--tcpd/configure.ac4
-rw-r--r--tcpd/libcouriertls.c33
5 files changed, 95 insertions, 30 deletions
diff --git a/imap/ChangeLog b/imap/ChangeLog
index 910f62d..297b0cc 100644
--- a/imap/ChangeLog
+++ b/imap/ChangeLog
@@ -1,3 +1,11 @@
+2013-10-14 Sam Varshavchik <mrsam@courier-mta.com>
+
+ * libs/tcpd/libcouriertls.c (tls_create): Add TLSv1_1_method() and
+ TLSv1_2 method(), based on patch by Rob Austein <sra@hactrn.net>.
+
+ * pop3d-ssl.dist.in, imapd-ssl.dist.in: Fix up differences in the
+ documentation of TLS options in various config files.
+
4.14.0
2013-07-04 Sam Varshavchik <mrsam@courier-mta.com>
diff --git a/imap/imapd-ssl.dist.in b/imap/imapd-ssl.dist.in
index 41df386..ac2f468 100644
--- a/imap/imapd-ssl.dist.in
+++ b/imap/imapd-ssl.dist.in
@@ -5,7 +5,7 @@
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
-# Copyright 2000 - 2008 Double Precision, Inc. See COPYING for
+# Copyright 2000 - 2013 Double Precision, Inc. See COPYING for
# distribution information.
#
# This configuration file sets various options for the Courier-IMAP server
@@ -106,6 +106,8 @@ COURIERTLS=@bindir@/couriertls
##NAME: TLS_PRIORITY:0
#
+# GnuTLS setting only
+#
# Set TLS protocol priority settings (GnuTLS only)
#
# DEFAULT: NORMAL:-CTYPE-OPENPGP
@@ -119,15 +121,42 @@ COURIERTLS=@bindir@/couriertls
# OpenSSL:
#
# SSL3 - SSLv3
-# SSL23 - either SSLv2 or SSLv3 (also TLS1, it seems)
+# SSL23 - all protocols (including TLS 1.x protocols)
# TLS1 - TLS1
+# TLSv1.1 - TLS1.1
+# TLSv1.2 - TLS1.2
+#
+# Leave it unset to use any protocol except SSL 2.
+
+##NAME: TLS_CIPHER_LIST:0
+#
+# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
+# OpenSSL library. In most situations you can leave TLS_CIPHER_LIST
+# undefined
+#
+# OpenSSL:
+#
+# TLS_CIPHER_LIST="SSLv3:TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
+#
+# GnuTLS:
+#
+# TLS_CIPHER_LIST="HIGH:MEDIUM"
+#
+# The actual list of available ciphers depend on the options GnuTLS was
+# compiled against. The possible ciphers are:
+#
+# AES256, 3DES, AES128, ARC128, ARC40, RC2, DES, NULL
#
-# Note that this setting, with OpenSSL, is modified by the TLS_CIPHER_LIST
-# setting, below.
+# Also, the following aliases:
#
-# DEFAULT VALUES:
+# HIGH -- all ciphers that use more than a 128 bit key size
+# MEDIUM -- all ciphers that use a 128 bit key size
+# LOW -- all ciphers that use fewer than a 128 bit key size, the NULL cipher
+# is not included
+# ALL -- all ciphers except the NULL cipher
#
-# SSL23
+# See GnuTLS documentation, gnutls_priority_init(3) for additional
+# documentation.
##NAME: TLS_STARTTLS_PROTOCOL:0
#
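Review bot: The value list on the `# TLS1 - TLS1` line does not match the spelling the libcouriertls.c change in this same commit compares against (`TLSv1`), so an admin following this comment and setting `TLS_PROTOCOL=TLS1` would presumably land in the unset-value fallback instead of pinning TLS 1.0; either document `TLSv1` here or have the code accept both spellings. The new `# SSL23 - all protocols (including TLS 1.x protocols)` line, read next to the added `Leave it unset to use any protocol except SSL 2.` sentence, leaves it implicit that SSL23 is now the one setting that still admits SSLv2 — worth stating outright, e.g. `# SSL23 - all protocols, including the obsolete SSLv2 (not recommended)`.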
diff --git a/imap/pop3d-ssl.dist.in b/imap/pop3d-ssl.dist.in
index e306226..81a395a 100644
--- a/imap/pop3d-ssl.dist.in
+++ b/imap/pop3d-ssl.dist.in
@@ -5,7 +5,7 @@
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
-# Copyright 2000-2008 Double Precision, Inc. See COPYING for
+# Copyright 2000-2013 Double Precision, Inc. See COPYING for
# distribution information.
#
# This configuration file sets various options for the Courier-IMAP server
@@ -104,22 +104,12 @@ COURIERTLS=@bindir@/couriertls
# OpenSSL:
#
# SSL3 - SSLv3
-# SSL23 - either SSLv2 or SSLv3 (also TLS1, it seems)
+# SSL23 - all protocols (including TLS 1.x protocols)
# TLS1 - TLS1
+# TLSv1.1 - TLS1.1
+# TLSv1.2 - TLS1.2
#
-# Note that this setting, with OpenSSL, is modified by the TLS_CIPHER_LIST
-# setting, below.
-#
-# SSL23
-
-##NAME: TLS_STARTTLS_PROTOCOL:0
-#
-# TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the POP3 STARTTLS
-# extension, as opposed to POP3 over SSL on port 995.
-#
-# It takes the same values for OpenSSL/GnuTLS as TLS_PROTOCOL
-
-TLS_STARTTLS_PROTOCOL=TLS1
+# Leave it unset to use any protocol except SSL 2.
##NAME: TLS_CIPHER_LIST:0
#
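Review bot: This hunk deletes the `TLS_STARTTLS_PROTOCOL=TLS1` default and its `##NAME: TLS_STARTTLS_PROTOCOL:0` upgrade marker from the POP3 template, while imapd-ssl.dist.in in the same commit still carries a `##NAME: TLS_STARTTLS_PROTOCOL:0` section, so the two files now disagree on whether STARTTLS has its own protocol setting. If pop3d no longer reads TLS_STARTTLS_PROTOCOL, a one-line comment such as `# STARTTLS on port 110 follows TLS_PROTOCOL` would stop upgraders carrying a dead setting; if it still does, removing the pinned default means STARTTLS sessions that were limited to TLS 1.0 would presumably fall back to the "anything but SSLv2" default, SSLv3 included. The `# TLS1 - TLS1` line added here also does not match the `TLSv1` spelling the new C code compares against.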
@@ -131,8 +121,25 @@ TLS_STARTTLS_PROTOCOL=TLS1
#
# TLS_CIPHER_LIST="SSLv3:TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
#
+# GnuTLS:
#
-
+# TLS_CIPHER_LIST="HIGH:MEDIUM"
+#
+# The actual list of available ciphers depend on the options GnuTLS was
+# compiled against. The possible ciphers are:
+#
+# AES256, 3DES, AES128, ARC128, ARC40, RC2, DES, NULL
+#
+# Also, the following aliases:
+#
+# HIGH -- all ciphers that use more than a 128 bit key size
+# MEDIUM -- all ciphers that use a 128 bit key size
+# LOW -- all ciphers that use fewer than a 128 bit key size, the NULL cipher
+# is not included
+# ALL -- all ciphers except the NULL cipher
+#
+# See GnuTLS documentation, gnutls_priority_init(3) for additional
+# documentation.
##NAME: TLS_MIN_DH_BITS:0
#
diff --git a/tcpd/configure.ac b/tcpd/configure.ac
index 3077c02..46c4a9d 100644
--- a/tcpd/configure.ac
+++ b/tcpd/configure.ac
@@ -506,10 +506,10 @@ RAND_pseudo_bytes(dummy, 1);
AC_MSG_RESULT(no)
]
)
-
+ LIBS="-lssl $LIBS"
+ AC_CHECK_FUNCS(TLSv1_1_method TLSv1_2_method)
LIBS="$save_LIBS"
-
TLSLIBRARY="$LIBCOURIERTLSOPENSSL"
STARTTLS=couriertls$EXEEXT
BUILDLIBCOURIERTLS=libcouriertls.la
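Review bot: The probe on the added `AC_CHECK_FUNCS(TLSv1_1_method TLSv1_2_method)` line links with only `-lssl` prepended, and libssl itself depends on libcrypto; unless LIBS already carries `-lcrypto` at this point (it is reset from `$save_LIBS` on the very next line, so that depends on what the preceding RAND_pseudo_bytes probe left in it), the link can fail for reasons unrelated to the functions and both HAVE_TLSV1_1_METHOD and HAVE_TLSV1_2_METHOD end up undefined. That is not a harmless "no": libcouriertls.c then compiles out the `TLSv1.1`/`TLSv1.2` branches and a configured value silently falls back to SSLv23, widening the accepted protocol set without any warning. Safer to link the probe the same way the earlier OpenSSL probes do, e.g. `LIBS="-lssl -lcrypto $LIBS"`, or to add `AC_MSG_WARN` when neither function is found. The enclosing conditional begins before this hunk.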
diff --git a/tcpd/libcouriertls.c b/tcpd/libcouriertls.c
index 6eee8b0..c44f318 100644
--- a/tcpd/libcouriertls.c
+++ b/tcpd/libcouriertls.c
@@ -491,6 +491,8 @@ SSL_CTX *tls_create(int isserver, const struct tls_info *info)
const char *peer_cert_file=NULL;
int n;
struct tls_info *info_copy;
+ const SSL_METHOD *method=NULL;
+ long options;
if (!*ssl_cipher_list)
ssl_cipher_list=NULL;
@@ -548,14 +550,33 @@ SSL_CTX *tls_create(int isserver, const struct tls_info *info)
info_copy->isserver=isserver;
info_copy->certificate_verified=0;
- if (!protocol || !*protocol)
- protocol="SSL23";
+ options=SSL_OP_ALL;
- ctx=SSL_CTX_new(protocol && strcmp(protocol, "SSL3") == 0
+ method=((!protocol || !*protocol)
+ ? NULL:
+ strcmp(protocol, "SSL3") == 0
? SSLv3_method():
- protocol && strcmp(protocol, "SSL23") == 0
+ strcmp(protocol, "SSL23") == 0
? SSLv23_method():
- TLSv1_method());
+ strcmp(protocol, "TLSv1") == 0
+ ? TLSv1_method():
+#ifdef HAVE_TLSV1_1_METHOD
+ strcmp(protocol, "TLSv1.1") == 0
+ ? TLSv1_1_method():
+#endif
+#ifdef HAVE_TLSV1_2_METHOD
+ strcmp(protocol, "TLSv1.2") == 0
+ ? TLSv1_2_method():
+#endif
+ NULL);
+
+ if (!method)
+ {
+ method=SSLv23_method();
+ options|=SSL_OP_NO_SSLv2;
+ }
+
+ ctx=SSL_CTX_new(method);
if (!ctx)
{
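Review bot: The new dispatch at `strcmp(protocol, "TLSv1") == 0` quietly changes behaviour for existing installs: the old code treated any value other than SSL3/SSL23 — in practice the documented `TLS1` — as TLSv1_method(), whereas now `TLS1`, any misspelling, and `TLSv1.1`/`TLSv1.2` on a build where HAVE_TLSV1_1_METHOD/HAVE_TLSV1_2_METHOD is undefined all reach the `if (!method)` fallback and get SSLv23 minus SSLv2, so SSLv3 becomes negotiable on a server the admin believes is pinned to TLS 1.0. The fallback should be reserved for the unset case; an unrecognised name should be reported and refused the way the `!ctx` path below refuses, and the documented `TLS1` spelling can stay accepted as an alias. tls_create continues outside the hunk on both sides.

```c
	options=SSL_OP_ALL;

	/* Accept the historical "TLS1" spelling alongside "TLSv1" so
	   configurations written against the old documentation keep
	   pinning TLS 1.0 instead of widening to SSLv23. */
	method=((!protocol || !*protocol)
		? NULL:
		strcmp(protocol, "SSL3") == 0
		? SSLv3_method():
		strcmp(protocol, "SSL23") == 0
		? SSLv23_method():
		strcmp(protocol, "TLSv1") == 0 || strcmp(protocol, "TLS1") == 0
		? TLSv1_method():
		/* … unchanged: TLSv1.1 / TLSv1.2 branches under HAVE_TLSV1_*_METHOD … */
		NULL);

	if (!method && protocol && *protocol)
	{
		/* Unknown, or not compiled-in, protocol name: refuse rather
		   than silently accepting more protocols than configured.
		   … error reporting and info_copy cleanup as on the
		   SSL_CTX_new() failure path below … */
		return (0);
	}

	if (!method)
	{
		/* TLS_PROTOCOL unset: anything except SSLv2. */
		method=SSLv23_method();
		options|=SSL_OP_NO_SSLv2;
	}
```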
@@ -564,7 +585,7 @@ SSL_CTX *tls_create(int isserver, const struct tls_info *info)
return (0);
}
SSL_CTX_set_app_data(ctx, info_copy);
- SSL_CTX_set_options(ctx, SSL_OP_ALL);
+ SSL_CTX_set_options(ctx, options);
if (!ssl_cipher_list)
ssl_cipher_list="SSLv3:TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH";
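Review bot: `SSL_OP_NO_SSLv2` is OR'd into `options` only on the unset-protocol fallback, so an explicit `TLS_PROTOCOL=SSL23` reaches `SSL_CTX_set_options(ctx, options)` with plain `SSL_OP_ALL` and SSLv2 stays negotiable, which the old comment ("either SSLv2 or SSLv3") confirms SSLv23_method() allows. If keeping SSLv2 reachable through SSL23 is intentional, a comment here saying so would stop the next reader from "fixing" it; if not, `SSL_CTX_set_options(ctx, options | SSL_OP_NO_SSLv2);` removes the last way to negotiate SSLv2 without touching the dispatch above. The remainder of tls_create lies outside the hunk.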