From 37a74ee0f736237b67330c620de7dc08232dec17 Mon Sep 17 00:00:00 2001
From: Sam Varshavchik
Date: Mon, 14 Oct 2013 22:07:39 -0400
Subject: 2013-10-14  Sam Varshavchik  <mrsam@courier-mta.com>

	* libs/tcpd/libcouriertls.c (tls_create): Add TLSv1_1_method() and
	TLSv1_2 method(), based on patch by Rob Austein <sra@hactrn.net>.

	* pop3d-ssl.dist.in, imapd-ssl.dist.in: Fix up differences in the
	documentation of TLS options in various config files.
---
 imap/ChangeLog         |  8 ++++++++
 imap/imapd-ssl.dist.in | 41 +++++++++++++++++++++++++++++++++++------
 imap/pop3d-ssl.dist.in | 39 +++++++++++++++++++++++----------------
 tcpd/configure.ac      |  4 ++--
 tcpd/libcouriertls.c   | 33 +++++++++++++++++++++++++++------
 5 files changed, 95 insertions(+), 30 deletions(-)

diff --git a/imap/ChangeLog b/imap/ChangeLog
index 910f62d..297b0cc 100644
--- a/imap/ChangeLog
+++ b/imap/ChangeLog
@@ -1,3 +1,11 @@
+2013-10-14  Sam Varshavchik  <mrsam@courier-mta.com>
+
+	* libs/tcpd/libcouriertls.c (tls_create): Add TLSv1_1_method() and
+	TLSv1_2 method(), based on patch by Rob Austein <sra@hactrn.net>.
+
+	* pop3d-ssl.dist.in, imapd-ssl.dist.in: Fix up differences in the
+	documentation of TLS options in various config files.
+
 4.14.0
 
 2013-07-04  Sam Varshavchik  <mrsam@courier-mta.com>
diff --git a/imap/imapd-ssl.dist.in b/imap/imapd-ssl.dist.in
index 41df386..ac2f468 100644
--- a/imap/imapd-ssl.dist.in
+++ b/imap/imapd-ssl.dist.in
@@ -5,7 +5,7 @@
 # Do not alter lines that begin with ##, they are used when upgrading
 # this configuration.
 #
-#  Copyright 2000 - 2008 Double Precision, Inc.  See COPYING for
+#  Copyright 2000 - 2013 Double Precision, Inc.  See COPYING for
 #  distribution information.
 #
 #  This configuration file sets various options for the Courier-IMAP server
@@ -106,6 +106,8 @@ COURIERTLS=@bindir@/couriertls
 
 ##NAME: TLS_PRIORITY:0
 #
+# GnuTLS setting only
+#
 # Set TLS protocol priority settings (GnuTLS only)
 #
 # DEFAULT: NORMAL:-CTYPE-OPENPGP
@@ -119,15 +121,42 @@ COURIERTLS=@bindir@/couriertls
 # OpenSSL:
 #
 # SSL3 - SSLv3
-# SSL23 - either SSLv2 or SSLv3 (also TLS1, it seems)
+# SSL23 - all protocols (including TLS 1.x protocols)
 # TLS1 - TLS1
+# TLSv1.1 - TLS1.1
+# TLSv1.2 - TLS1.2
+#
+# Leave it unset to use any protocol except SSL 2.
+
+##NAME: TLS_CIPHER_LIST:0
+#
+# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
+# OpenSSL library.  In most situations you can leave TLS_CIPHER_LIST
+# undefined
+#
+# OpenSSL:
+#
+# TLS_CIPHER_LIST="SSLv3:TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
+#
+# GnuTLS:
+#
+# TLS_CIPHER_LIST="HIGH:MEDIUM"
+#
+# The actual list of available ciphers depend on the options GnuTLS was
+# compiled against. The possible ciphers are:
+#
+# AES256, 3DES, AES128, ARC128, ARC40, RC2, DES, NULL
 #
-# Note that this setting, with OpenSSL, is modified by the TLS_CIPHER_LIST
-# setting, below.
+# Also, the following aliases:
 #
-# DEFAULT VALUES:
+# HIGH -- all ciphers that use more than a 128 bit key size
+# MEDIUM -- all ciphers that use a 128 bit key size
+# LOW -- all ciphers that use fewer than a 128 bit key size, the NULL cipher
+#        is not included
+# ALL -- all ciphers except the NULL cipher
 #
-# SSL23
+# See GnuTLS documentation, gnutls_priority_init(3) for additional
+# documentation.
 
 ##NAME: TLS_STARTTLS_PROTOCOL:0
 # 
diff --git a/imap/pop3d-ssl.dist.in b/imap/pop3d-ssl.dist.in
index e306226..81a395a 100644
--- a/imap/pop3d-ssl.dist.in
+++ b/imap/pop3d-ssl.dist.in
@@ -5,7 +5,7 @@
 # Do not alter lines that begin with ##, they are used when upgrading
 # this configuration.
 #
-#  Copyright 2000-2008 Double Precision, Inc.  See COPYING for
+#  Copyright 2000-2013 Double Precision, Inc.  See COPYING for
 #  distribution information.
 #
 #  This configuration file sets various options for the Courier-IMAP server
@@ -104,22 +104,12 @@ COURIERTLS=@bindir@/couriertls
 # OpenSSL:
 #
 # SSL3 - SSLv3
-# SSL23 - either SSLv2 or SSLv3 (also TLS1, it seems)
+# SSL23 - all protocols (including TLS 1.x protocols)
 # TLS1 - TLS1
+# TLSv1.1 - TLS1.1
+# TLSv1.2 - TLS1.2
 #
-# Note that this setting, with OpenSSL, is modified by the TLS_CIPHER_LIST
-# setting, below.
-#
-# SSL23
-
-##NAME: TLS_STARTTLS_PROTOCOL:0
-# 
-# TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the POP3 STARTTLS
-# extension, as opposed to POP3 over SSL on port 995.
-#
-# It takes the same values for OpenSSL/GnuTLS as TLS_PROTOCOL
-
-TLS_STARTTLS_PROTOCOL=TLS1
+# Leave it unset to use any protocol except SSL 2.
 
 ##NAME: TLS_CIPHER_LIST:0
 #
@@ -131,8 +121,25 @@ TLS_STARTTLS_PROTOCOL=TLS1
 #
 # TLS_CIPHER_LIST="SSLv3:TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
 #
+# GnuTLS:
 #
-
+# TLS_CIPHER_LIST="HIGH:MEDIUM"
+#
+# The actual list of available ciphers depend on the options GnuTLS was
+# compiled against. The possible ciphers are:
+#
+# AES256, 3DES, AES128, ARC128, ARC40, RC2, DES, NULL
+#
+# Also, the following aliases:
+#
+# HIGH -- all ciphers that use more than a 128 bit key size
+# MEDIUM -- all ciphers that use a 128 bit key size
+# LOW -- all ciphers that use fewer than a 128 bit key size, the NULL cipher
+#        is not included
+# ALL -- all ciphers except the NULL cipher
+#
+# See GnuTLS documentation, gnutls_priority_init(3) for additional
+# documentation.
 
 ##NAME: TLS_MIN_DH_BITS:0
 #
diff --git a/tcpd/configure.ac b/tcpd/configure.ac
index 3077c02..46c4a9d 100644
--- a/tcpd/configure.ac
+++ b/tcpd/configure.ac
@@ -506,10 +506,10 @@ RAND_pseudo_bytes(dummy, 1);
    AC_MSG_RESULT(no)
 ]
 )
-
+		LIBS="-lssl $LIBS"
+		AC_CHECK_FUNCS(TLSv1_1_method TLSv1_2_method)
 		LIBS="$save_LIBS"
 
-
 		TLSLIBRARY="$LIBCOURIERTLSOPENSSL"
 		STARTTLS=couriertls$EXEEXT
 		BUILDLIBCOURIERTLS=libcouriertls.la
diff --git a/tcpd/libcouriertls.c b/tcpd/libcouriertls.c
index 6eee8b0..c44f318 100644
--- a/tcpd/libcouriertls.c
+++ b/tcpd/libcouriertls.c
@@ -491,6 +491,8 @@ SSL_CTX *tls_create(int isserver, const struct tls_info *info)
 	const char *peer_cert_file=NULL;
 	int n;
 	struct tls_info *info_copy;
+	const SSL_METHOD *method=NULL;
+	long options;
 
 	if (!*ssl_cipher_list)
 		ssl_cipher_list=NULL;
@@ -548,14 +550,33 @@ SSL_CTX *tls_create(int isserver, const struct tls_info *info)
 	info_copy->isserver=isserver;
 	info_copy->certificate_verified=0;
 
-	if (!protocol || !*protocol)
-		protocol="SSL23";
+	options=SSL_OP_ALL;
 
-	ctx=SSL_CTX_new(protocol && strcmp(protocol, "SSL3") == 0
+	method=((!protocol || !*protocol)
+		? NULL:
+		strcmp(protocol, "SSL3") == 0
 			? SSLv3_method():
-			protocol && strcmp(protocol, "SSL23") == 0
+		strcmp(protocol, "SSL23") == 0
 			? SSLv23_method():
-			TLSv1_method());
+		strcmp(protocol, "TLSv1") == 0
+		? TLSv1_method():
+#ifdef HAVE_TLSV1_1_METHOD
+		strcmp(protocol, "TLSv1.1") == 0
+		? TLSv1_1_method():
+#endif
+#ifdef HAVE_TLSV1_2_METHOD
+		strcmp(protocol, "TLSv1.2") == 0
+		? TLSv1_2_method():
+#endif
+		NULL);
+
+	if (!method)
+	{
+		method=SSLv23_method();
+		options|=SSL_OP_NO_SSLv2;
+	}
+
+	ctx=SSL_CTX_new(method);
 
 	if (!ctx)
 	{
@@ -564,7 +585,7 @@ SSL_CTX *tls_create(int isserver, const struct tls_info *info)
 		return (0);
 	}
 	SSL_CTX_set_app_data(ctx, info_copy);
-	SSL_CTX_set_options(ctx, SSL_OP_ALL);
+	SSL_CTX_set_options(ctx, options);
 
 	if (!ssl_cipher_list)
 		ssl_cipher_list="SSLv3:TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH";
-- 
cgit v1.2.3