diff options
| author | Matthias Andree <matthias.andree@gmx.de> | 2015-01-17 01:15:31 +0100 |
|---|---|---|
| committer | Matthias Andree <matthias.andree@gmx.de> | 2015-01-26 09:45:24 +0100 |
| commit | c72743cf6139d6906337ddeac964eb79f644097e (patch) | |
| tree | d3ad37c05dc2c3b1085904039958a510a6dc0a86 /socket.c | |
| parent | 07d7fc7b2b84ed36419abf8802b6de29f6e675cc (diff) | |
| download | fetchmail-c72743cf6139d6906337ddeac964eb79f644097e.tar.gz fetchmail-c72743cf6139d6906337ddeac964eb79f644097e.tar.bz2 fetchmail-c72743cf6139d6906337ddeac964eb79f644097e.zip | |
TLS overhaul, bumping version to 6.4
Removes SSLv2, enables TLSv1.1 and v1.2 more easily,
permits SSLv3 (only if specified) and newer TLSv1.1+ for STLS/STARTTLS.
Only negotiates TLSv1 and newer by default, SSLv3 must now be specified
explicitly, as a consequence of the POODLE attack.
This is meant to be a minimally upgraded version, and cannot be usefully
done as a 6.3.X release.
It is strongly recommended that users review their configuration -
especially --sslproto - per instructions in the NEWS file and manual
page. It has changed semantics and in many cases --sslproto auto or
perhaps --sslproto tls1.2+ should be used now.
Diffstat (limited to 'socket.c')
| -rw-r--r-- | socket.c | 28 |
1 files changed, 17 insertions, 11 deletions
@@ -876,6 +876,7 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck { struct stat randstat; int i; + int avoid_ssl_versions = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; long sslopts = SSL_OP_ALL; SSL_load_error_strings(); @@ -906,26 +907,31 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck /* Make sure a connection referring to an older context is not left */ _ssl_context[sock] = NULL; if(myproto) { - if(!strcasecmp("ssl2",myproto)) { -#if (HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0) && (0 == OPENSSL_NO_SSL2 + 0) - _ctx[sock] = SSL_CTX_new(SSLv2_client_method()); -#else - report(stderr, GT_("Your OpenSSL version does not support SSLv2.\n")); - return -1; -#endif - } else if(!strcasecmp("ssl3",myproto)) { + if(!strcasecmp("ssl3",myproto)) { #if (HAVE_DECL_SSLV3_CLIENT_METHOD + 0 > 0) && (0 == OPENSSL_NO_SSL3 + 0) _ctx[sock] = SSL_CTX_new(SSLv3_client_method()); + avoid_ssl_versions &= ~SSL_OP_NO_SSLv2; #else report(stderr, GT_("Your OpenSSL version does not support SSLv3.\n")); return -1; #endif } else if(!strcasecmp("tls1",myproto)) { _ctx[sock] = SSL_CTX_new(TLSv1_client_method()); - } else if (!strcasecmp("ssl23",myproto)) { + } else if(!strcasecmp("tls1+",myproto)) { + myproto = NULL; + } else if(!strcasecmp("tls1.1+",myproto)) { + myproto = NULL; + avoid_ssl_versions |= SSL_OP_NO_TLSv1; + } else if(!strcasecmp("tls1.2+",myproto)) { + myproto = NULL; + avoid_ssl_versions |= SSL_OP_NO_TLSv1; +#ifdef SSL_OP_NO_TLSv1_1 + avoid_ssl_versions |= SSL_OP_NO_TLSv1_1; +#endif + } else if (!strcasecmp("ssl23",myproto) || 0 == strcasecmp("auto",myproto)) { myproto = NULL; } else { - report(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto); + report(stderr,GT_("Invalid SSL protocol '%s' specified, using default autoselect (SSL23).\n"), myproto); myproto = NULL; } } @@ -943,7 +949,7 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck sslopts &= ~ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; } - SSL_CTX_set_options(_ctx[sock], sslopts); + SSL_CTX_set_options(_ctx[sock], sslopts | avoid_ssl_versions); if (certck) { SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback); |