diff options
| author | Matthias Andree <matthias.andree@gmx.de> | 2015-04-11 15:13:31 +0200 |
|---|---|---|
| committer | Matthias Andree <matthias.andree@gmx.de> | 2015-04-11 15:13:31 +0200 |
| commit | d3e9b8ee022aa3afbde2c5cfc9fec6981b39b178 (patch) | |
| tree | 8050e13393eaf8a5256ddb28a72d5b860fbc3dfb | |
| parent | 7204a2393e5969f71452c953021a9ca4deab5fd2 (diff) | |
| download | fetchmail-d3e9b8ee022aa3afbde2c5cfc9fec6981b39b178.tar.gz fetchmail-d3e9b8ee022aa3afbde2c5cfc9fec6981b39b178.tar.bz2 fetchmail-d3e9b8ee022aa3afbde2c5cfc9fec6981b39b178.zip | |
Support ssl3+ tls1.1, tls1.2 in --sslproto. Report TLS1.1/1.2 if unsupported by OpenSSL.
Uses TLS_MAX_VERSION checks against TLS1_1_VERSION or TLS1_2_VERSION.
| -rw-r--r-- | socket.c | 21 |
1 files changed, 19 insertions, 2 deletions
@@ -909,25 +909,42 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck _ssl_context[sock] = NULL; if(myproto) { if(!strcasecmp("ssl3",myproto)) { -#if (HAVE_DECL_SSLV3_CLIENT_METHOD + 0 > 0) && (0 == OPENSSL_NO_SSL3 + 0) +#if (HAVE_DECL_SSLV3_CLIENT_METHOD > 0) && (0 == OPENSSL_NO_SSL3 + 0) _ctx[sock] = SSL_CTX_new(SSLv3_client_method()); avoid_ssl_versions &= ~SSL_OP_NO_SSLv3; #else report(stderr, GT_("Your OpenSSL version does not support SSLv3.\n")); return -1; #endif + } else if(!strcasecmp("ssl3+",myproto)) { + avoid_ssl_versions &= ~SSL_OP_NO_SSLv3; + myproto = NULL; } else if(!strcasecmp("tls1",myproto)) { _ctx[sock] = SSL_CTX_new(TLSv1_client_method()); } else if(!strcasecmp("tls1+",myproto)) { myproto = NULL; +#if defined(TLS1_1_VERSION) && TLS_MAX_VERSION >= TLS1_1_VERSION + } else if(!strcasecmp("tls1.1",myproto)) { + _ctx[sock] = SSL_CTX_new(TLSv1_1_client_method()); } else if(!strcasecmp("tls1.1+",myproto)) { myproto = NULL; avoid_ssl_versions |= SSL_OP_NO_TLSv1; +#else + } else if(!strcasecmp("tls1.1",myproto) || !strcasecmp("tls1.1+", myproto)) { + report(stderr, GT_("Your OpenSSL version does not support TLS v1.1.\n")); + return -1; +#endif +#if defined(TLS1_2_VERSION) && TLS_MAX_VERSION >= TLS1_2_VERSION + } else if(!strcasecmp("tls1.2",myproto)) { + _ctx[sock] = SSL_CTX_new(TLSv1_2_client_method()); } else if(!strcasecmp("tls1.2+",myproto)) { myproto = NULL; avoid_ssl_versions |= SSL_OP_NO_TLSv1; -#ifdef SSL_OP_NO_TLSv1_1 avoid_ssl_versions |= SSL_OP_NO_TLSv1_1; +#else + } else if(!strcasecmp("tls1.2",myproto) || !strcasecmp("tls1.2+", myproto)) { + report(stderr, GT_("Your OpenSSL version does not support TLS v1.2.\n")); + return -1; #endif } else if (!strcasecmp("ssl23",myproto) || 0 == strcasecmp("auto",myproto)) { myproto = NULL; |