sipp11
/
mbsync
mirror of https://git.code.sf.net/p/isync/isync
1
0
Fork 0
Code Issues Releases Wiki Activity
Browse Source

enable TLS 1.1 and 1.2 by default 

there is no reason not to, and debian even disabled 1.0 globally,
because it's (theoretically) too insecure in some contexts (BEAST
attack).

in the compat wrapper, the UseTLSv1 option has been re-interpreted as
v1.x, to avoid adding new options.
1.2
Oswald Buddenhagen 7 years ago
parent
fed0dcc60e
commit
47bdbb4aab
4 changed files with 8 additions and 7 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 5
      src/compat/config.c
  2. 2
      src/compat/isync.1
  3. 4
      src/drv_imap.c
  4. 4
      src/mbsync.1

5
src/compat/config.c
Unescape View File

@ -316,9 +316,10 @@ write_imap_server( FILE *fp, config_t *cfg )
if (cfg->pass)
fprintf( fp, "Pass %s\n", quotify( cfg->pass ) );
fprintf( fp, "RequireCRAM %s\nRequireSSL %s\n"
"UseSSLv2 %s\nUseSSLv3 %s\nUseTLSv1 %s\n",
"UseSSLv2 %s\nUseSSLv3 %s\nUseTLSv1 %s\nUseTLSv1.1 %s\nUseTLSv1.2 %s\n",
tb(cfg->require_cram), tb(cfg->require_ssl),
tb(cfg->use_sslv2), tb(cfg->use_sslv3), tb(cfg->use_tlsv1) );
tb(cfg->use_sslv2), tb(cfg->use_sslv3),
tb(cfg->use_tlsv1), tb(cfg->use_tlsv1), tb(cfg->use_tlsv1) );
if ((cfg->use_imaps || cfg->use_sslv2 || cfg->use_sslv3 || cfg->use_tlsv1) &&
cfg->cert_file)
fprintf( fp, "CertificateFile %s\n", quotify( cfg->cert_file ) );

2
src/compat/isync.1
Unescape View File

@ -278,7 +278,7 @@ Should \fBisync\fR use SSLv3 for communication with the IMAP server over SSL?
..
.TP
\fBUseTLSv1\fR \fIyes\fR|\fIno\fR
Should \fBisync\fR use TLSv1 for communication with the IMAP server over SSL?
Should \fBisync\fR use TLSv1.x for communication with the IMAP server over SSL?
(Default: \fIyes\fR)
..
.TP

4
src/drv_imap.c
Unescape View File

@ -2767,7 +2767,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
arg += 6;
server->ssl_type = SSL_IMAPS;
if (server->sconf.ssl_versions == -1)
server->sconf.ssl_versions = SSLv2 | SSLv3 | TLSv1;
server->sconf.ssl_versions = SSLv2 | SSLv3 | TLSv1 | TLSv1_1 | TLSv1_2;
} else
#endif
if (starts_with( arg, -1, "imap:", 5 ))
@ -2930,7 +2930,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
}
} else {
if (server->sconf.ssl_versions < 0)
server->sconf.ssl_versions = TLSv1; /* Most compatible and still reasonably secure. */
server->sconf.ssl_versions = TLSv1 | TLSv1_1 | TLSv1_2;
if (server->ssl_type < 0)
server->ssl_type = server->sconf.tunnel ? SSL_None : SSL_STARTTLS;
}

4
src/mbsync.1
Unescape View File

@ -337,8 +337,8 @@ right after connecting the secure IMAP port 993.
Select the acceptable SSL/TLS versions.
Use of SSLv2 is strongly discouraged for security reasons, but might be the
only option on some very old servers.
Generally, the newest TLS version is recommended, but as this confuses some
servers, \fBTLSv1\fR is the default.
Use old versions only when the server has problems with newer ones.
(Default: [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR]).
..
.TP
\fBSystemCertificates\fR \fByes\fR|\fBno\fR

Write Preview
Loading…
Cancel
Save