From c72743cf6139d6906337ddeac964eb79f644097e Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Sat, 17 Jan 2015 01:15:31 +0100 Subject: TLS overhaul, bumping version to 6.4 Removes SSLv2, enables TLSv1.1 and v1.2 more easily, permits SSLv3 (only if specified) and newer TLSv1.1+ for STLS/STARTTLS. Only negotiates TLSv1 and newer by default, SSLv3 must now be specified explicitly, as a consequence of the POODLE attack. This is meant to be a minimally upgraded version, and cannot be usefully done as a 6.3.X release. It is strongly recommended that users review their configuration - especially --sslproto - per instructions in the NEWS file and manual page. It has changed semantics and in many cases --sslproto auto or perhaps --sslproto tls1.2+ should be used now. --- pop3.c | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) (limited to 'pop3.c') diff --git a/pop3.c b/pop3.c index 5549dc9a..907b6142 100644 --- a/pop3.c +++ b/pop3.c @@ -281,6 +281,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting) #endif /* OPIE_ENABLE */ #ifdef SSL_ENABLE flag connection_may_have_tls_errors = FALSE; + char *commonname; #endif /* SSL_ENABLE */ done_capa = FALSE; @@ -393,7 +394,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting) (ctl->server.authenticate == A_KERBEROS_V5) || (ctl->server.authenticate == A_OTP) || (ctl->server.authenticate == A_CRAM_MD5) || - maybe_tls(ctl)) + maybe_starttls(ctl)) { if ((ok = capa_probe(sock)) != PS_SUCCESS) /* we are in STAGE_GETAUTH => failure is PS_AUTHFAIL! */ @@ -406,12 +407,12 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting) (ok == PS_SOCKET && !ctl->wehaveauthed)) { #ifdef SSL_ENABLE - if (must_tls(ctl)) { + if (must_starttls(ctl)) { /* fail with mandatory STLS without repoll */ report(stderr, GT_("TLS is mandatory for this session, but server refused CAPA command.\n")); report(stderr, GT_("The CAPA command is however necessary for TLS.\n")); return ok; - } else if (maybe_tls(ctl)) { + } else if (maybe_starttls(ctl)) { /* defeat opportunistic STLS */ xfree(ctl->sslproto); ctl->sslproto = xstrdup(""); @@ -431,24 +432,19 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting) } #ifdef SSL_ENABLE - if (maybe_tls(ctl)) { - char *commonname; - - commonname = ctl->server.pollname; - if (ctl->server.via) - commonname = ctl->server.via; - if (ctl->sslcommonname) - commonname = ctl->sslcommonname; - - if (has_stls - || must_tls(ctl)) /* if TLS is mandatory, ignore capabilities */ + commonname = ctl->server.pollname; + if (ctl->server.via) + commonname = ctl->server.via; + if (ctl->sslcommonname) + commonname = ctl->sslcommonname; + + if (maybe_starttls(ctl)) { + if (has_stls || must_starttls(ctl)) /* if TLS is mandatory, ignore capabilities */ { - /* Use "tls1" rather than ctl->sslproto because tls1 is the only - * protocol that will work with STARTTLS. Don't need to worry - * whether TLS is mandatory or opportunistic unless SSLOpen() fails - * (see below). */ + /* Don't need to worry whether TLS is mandatory or + * opportunistic unless SSLOpen() fails (see below). */ if (gen_transact(sock, "STLS") == PS_SUCCESS - && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, "tls1", ctl->sslcertck, + && (set_timeout(mytimeout), SSLOpen(sock, ctl->sslcert, ctl->sslkey, ctl->sslproto, ctl->sslcertck, ctl->sslcertfile, ctl->sslcertpath, ctl->sslfingerprint, commonname, ctl->server.pollname, &ctl->remotename)) != -1) { @@ -475,7 +471,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting) { report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname); } - } else if (must_tls(ctl)) { + } else if (must_starttls(ctl)) { /* Config required TLS but we couldn't guarantee it, so we must * stop. */ set_timeout(0); @@ -495,7 +491,11 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting) } } } - } /* maybe_tls() */ + } else { /* maybe_starttls() */ + if (has_stls && outlevel >= O_VERBOSE) { + report(stdout, GT_("%s: WARNING: server offered STLS, but sslproto '' given.\n"), commonname); + } + } /* maybe_starttls() */ #endif /* SSL_ENABLE */ /* -- cgit v1.2.3