sipp11
/
mbsync
mirror of https://git.code.sf.net/p/isync/isync
1
0
Fork 0
Code Issues Releases Wiki Activity
Browse Source

Add support for specifying cipher string used for ssl connection 

Some distributions (e.g. Fedora) added support for system wide crypto
policies. This is supported in most common crypto libraries including
OpenSSL. Applications can override this policy using their own cipher
string. This commit adds support for specifying the cipher string in
the mbsync configuration.

For example, to exclude Diffie-Hellman, the user can specify
  CipherString "DEFAULT:!DH"
in the IMAP Account's configuration.
1.4
Jaroslav Suchanek 5 years ago committed by Oswald Buddenhagen
parent
25b1c2b9e7
commit
07cb422cbb
5 changed files with 17 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      NEWS
  2. 2
      src/drv_imap.c
  3. 7
      src/mbsync.1
  4. 5
      src/socket.c
  5. 1
      src/socket.h

2
NEWS
Unescape View File

@ -4,6 +4,8 @@ The 'isync' compatibility wrapper was removed.
The IMAP '$Forwarded' / Maildir 'P' (passed) flag is supported now.
Support for configuring a TLS cipher string was added.
[1.3.0]
Network timeout handling has been added.

2
src/drv_imap.c
Unescape View File

@ -3295,6 +3295,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
cfg->file, cfg->line, server->sconf.client_keyfile );
cfg->err = 1;
}
} else if (!strcasecmp( "CipherString", cfg->cmd )) {
server->sconf.cipher_string = nfstrdup( cfg->val );
} else if (!strcasecmp( "SSLType", cfg->cmd )) {
if (!strcasecmp( "None", cfg->val )) {
server->ssl_type = SSL_None;

7
src/mbsync.1
Unescape View File

@ -414,6 +414,13 @@ so it is unlikely that you need this option.
File containing the private key corresponding to \fBClientCertificate\fR.
.
.TP
\fBCipherString\fR \fIstring\fR
Specify OpenSSL cipher string for connections secured with TLS up to
version 1.2 (but not 1.3 and above).
The format is described in \fBciphers\fR\|(1).
(Default: empty, which implies system wide policy).
.
.TP
\fBPipelineDepth\fR \fIdepth\fR
Maximum number of IMAP commands which can be simultaneously in flight.
Setting this to \fI1\fR disables pipelining.

5
src/socket.c
Unescape View File

@ -263,6 +263,11 @@ init_ssl_ctx( const server_conf_t *conf )
SSL_CTX_set_options( mconf->SSLContext, options );
if (conf->cipher_string && !SSL_CTX_set_cipher_list( mconf->SSLContext, conf->cipher_string )) {
print_ssl_errors( "setting cipher string '%s'", conf->cipher_string );
return 0;
}
if (conf->cert_file && !SSL_CTX_load_verify_locations( mconf->SSLContext, conf->cert_file, 0 )) {
print_ssl_errors( "loading certificate file '%s'", conf->cert_file );
return 0;

1
src/socket.h
Unescape View File

@ -49,6 +49,7 @@ typedef struct {
char *cert_file;
char *client_certfile;
char *client_keyfile;
char *cipher_string;
char system_certs;
char ssl_versions;

Write Preview
Loading…
Cancel
Save