-rw-r--r--imap/ChangeLog5
-rw-r--r--imap/imapd-ssl.dist.in5
-rw-r--r--imap/pop3d-ssl.dist.in5
-rw-r--r--tcpd/libcouriertls.c57
4 files changed, 46 insertions, 26 deletions
diff --git a/imap/ChangeLog b/imap/ChangeLog
index d05db6d..d40662a 100644
--- a/imap/ChangeLog
+++ b/imap/ChangeLog
@@ -1,3 +1,8 @@
+2014-10-21 Bernard Quatermass <bqcourier@quatermass.co.uk>
+
+ * tcpd/libcouriertls.c: add parsing options for different protocol
+ combination.
+
2014-10-21 坂元 英紀 <hs@on-sky.net>
* Update comments in *ssl config files.
diff --git a/imap/imapd-ssl.dist.in b/imap/imapd-ssl.dist.in
index 16fd181..bd531d7 100644
--- a/imap/imapd-ssl.dist.in
+++ b/imap/imapd-ssl.dist.in
@@ -142,7 +142,10 @@ COURIERTLS=@bindir@/couriertls
# TLSv1.1 - TLS1.1
# TLSv1.2 - TLS1.2
#
-# Leave it unset to use any protocol except SSL 2.
+# SSL3+, TLSv1+, TLSv1.1+, and TLSv1.2+ - the corresponding protocol, and all
+# higher protocols.
+#
+# The default value is TLSv1+
##NAME: TLS_CIPHER_LIST:0
#
diff --git a/imap/pop3d-ssl.dist.in b/imap/pop3d-ssl.dist.in
index 49f3d39..8fdf5a2 100644
--- a/imap/pop3d-ssl.dist.in
+++ b/imap/pop3d-ssl.dist.in
@@ -127,7 +127,10 @@ COURIERTLS=@bindir@/couriertls
# TLSv1.1 - TLS1.1
# TLSv1.2 - TLS1.2
#
-# Leave it unset to use any protocol except SSL 2.
+# SSL3+, TLSv1+, TLSv1.1+, and TLSv1.2+ - the corresponding protocol, and all
+# higher protocols.
+#
+# The default value is TLSv1+
##NAME: TLS_CIPHER_LIST:0
#
diff --git a/tcpd/libcouriertls.c b/tcpd/libcouriertls.c
index 1f5b0b2..886e27e 100644
--- a/tcpd/libcouriertls.c
+++ b/tcpd/libcouriertls.c
@@ -55,6 +55,32 @@
#include <sys/time.h>
+struct proto_ops {
+ char *n;
+ const SSL_METHOD * (*m)();
+ int o;
+};
+struct proto_ops op_list[] =
+{
+#ifdef HAVE_TLSV1_2_METHOD
+ { "TLSv1.2+", &SSLv23_method, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1 },
+ { "TLSv1.2", &TLSv1_2_method, SSL_OP_ALL },
+#endif
+#ifdef HAVE_TLSV1_1_METHOD
+ { "TLSv1.1+", &SSLv23_method, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1 },
+ { "TLSv1.1", &TLSv1_1_method, SSL_OP_ALL },
+#endif
+ { "TLSv1+", &SSLv23_method, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 },
+ { "TLSv1", &TLSv1_method, SSL_OP_ALL },
+ { "TLS1", &TLSv1_method, SSL_OP_ALL },
+ { "SSL3+", &SSLv23_method, SSL_OP_ALL|SSL_OP_NO_SSLv2 },
+ { "SSL3", &SSLv3_method, SSL_OP_ALL },
+ { "SSL23", &SSLv23_method, SSL_OP_ALL },
+ { "", &SSLv23_method, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 },
+ { NULL, &SSLv23_method, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 },
+};
+
+
/***** TODO *****/
/* #define TLSCACHEDEBUG */
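Review bot: In the new `struct proto_ops` declaration the name field is a non-const `char *n`, the method pointer is declared with an empty parameter list, and `op_list` is a writable global with external linkage; the rows are string literals and the table is only ever read, so `const char *n;`, `const SSL_METHOD *(*m)(void);` and `static const struct proto_ops op_list[] =` (with the `opp` declared in the next hunk becoming `const struct proto_ops *opp`) keep the table out of the global namespace and let the compiler reject an accidental write. The `""` row handles an unset option only when `protocol` is the empty string, whereas the removed code in the later hunk also guarded `!protocol`; if the caller can still pass a NULL pointer, the new `strcmp(opp->n,protocol)` in that hunk dereferences it, so either keep a `protocol ? protocol : ""` at the lookup or document that `protocol` is never NULL (its origin is outside these hunks). The `};` closing that for-loop leaves a stray empty statement that `-Wextra` will flag. The two sentinel rows deserve a comment stating their roles, e.g. `/* "" = option unset, NULL = end of table / unknown name; both fall back to TLSv1+ */`, since an unrecognised protocol name is currently accepted silently rather than reported.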
@@ -465,6 +491,7 @@ SSL_CTX *tls_create(int isserver, const struct tls_info *info)
const SSL_METHOD *method=NULL;
long options;
int cert_file_flags;
+ struct proto_ops *opp;
if (!*ssl_cipher_list)
ssl_cipher_list=NULL;
@@ -522,31 +549,13 @@ SSL_CTX *tls_create(int isserver, const struct tls_info *info)
info_copy->isserver=isserver;
info_copy->certificate_verified=0;
- options=SSL_OP_ALL;
-
- method=((!protocol || !*protocol)
- ? NULL:
- strcmp(protocol, "SSL3") == 0
- ? SSLv3_method():
- strcmp(protocol, "SSL23") == 0
- ? SSLv23_method():
- strcmp(protocol, "TLSv1") == 0
- ? TLSv1_method():
-#ifdef HAVE_TLSV1_1_METHOD
- strcmp(protocol, "TLSv1.1") == 0
- ? TLSv1_1_method():
-#endif
-#ifdef HAVE_TLSV1_2_METHOD
- strcmp(protocol, "TLSv1.2") == 0
- ? TLSv1_2_method():
-#endif
- NULL);
-
- if (!method)
+ for (opp=&op_list[0];opp->n!=NULL;opp++)
{
- method=SSLv23_method();
- options|=SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3;
- }
+ if (strcmp(opp->n,protocol)==0)
+ break;
+ };
+ options=opp->o;
+ method=opp->m();
ctx=SSL_CTX_new(method);