sipp11
/
mbsync
mirror of https://git.code.sf.net/p/isync/isync
1
0
Fork 0
Code Issues Releases Wiki Activity
Browse Source

add support for (disabling) TLS v1.3 

this is actually potentially counterproductive, as people who have set
SSLVersions and fail to adjust it will _lose_ tls 1.3 support. however,
without the option being there, people (incorrectly) believe that tls
1.3 is not supported.
1.4
Oswald Buddenhagen 5 years ago
parent
990cc112f1
commit
d09f988c70
5 changed files with 20 additions and 8 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      NEWS
  2. 15
      src/drv_imap.c
  3. 4
      src/mbsync.1
  4. 4
      src/socket.c
  5. 3
      src/socket.h

2
NEWS
Unescape View File

@ -2,6 +2,8 @@
The 'isync' compatibility wrapper was removed.
Added support for disabling TLS v1.3 - adjust SSLVersions if you set it.
The IMAP '$Forwarded' / Maildir 'P' (passed) flag is supported now.
Support for configuring a TLS cipher string was added.

15
src/drv_imap.c
Unescape View File

@ -3194,7 +3194,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
#ifdef HAVE_LIBSSL
/* Legacy SSL options */
int require_ssl = -1, use_imaps = -1;
int use_sslv3 = -1, use_tlsv1 = -1, use_tlsv11 = -1, use_tlsv12 = -1;
int use_sslv3 = -1, use_tlsv1 = -1, use_tlsv11 = -1, use_tlsv12 = -1, use_tlsv13 = -1;
#endif
/* Legacy SASL option */
int require_cram = -1;
@ -3234,7 +3234,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
arg += 6;
server->ssl_type = SSL_IMAPS;
if (server->sconf.ssl_versions == -1)
server->sconf.ssl_versions = SSLv3 | TLSv1 | TLSv1_1 | TLSv1_2;
server->sconf.ssl_versions = SSLv3 | TLSv1 | TLSv1_1 | TLSv1_2 | TLSv1_3;
} else
#endif
if (starts_with( arg, -1, "imap:", 5 ))
@ -3333,6 +3333,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
server->sconf.ssl_versions |= TLSv1_1;
} else if (!strcasecmp( "TLSv1.2", arg )) {
server->sconf.ssl_versions |= TLSv1_2;
} else if (!strcasecmp( "TLSv1.3", arg )) {
server->sconf.ssl_versions |= TLSv1_3;
} else {
error( "%s:%d: Unrecognized SSL version\n", cfg->file, cfg->line );
cfg->err = 1;
@ -3352,6 +3354,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
use_tlsv11 = parse_bool( cfg );
else if (!strcasecmp( "UseTLSv1.2", cfg->cmd ))
use_tlsv12 = parse_bool( cfg );
else if (!strcasecmp( "UseTLSv1.3", cfg->cmd ))
use_tlsv13 = parse_bool( cfg );
#endif
else if (!strcasecmp( "AuthMech", cfg->cmd ) ||
!strcasecmp( "AuthMechs", cfg->cmd )) {
@ -3412,7 +3416,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
return 1;
}
#ifdef HAVE_LIBSSL
if ((use_sslv3 & use_tlsv1 & use_tlsv11 & use_tlsv12) != -1 || use_imaps >= 0 || require_ssl >= 0) {
if ((use_sslv3 & use_tlsv1 & use_tlsv11 & use_tlsv12 & use_tlsv13) != -1 || use_imaps >= 0 || require_ssl >= 0) {
if (server->ssl_type >= 0 || server->sconf.ssl_versions >= 0) {
error( "%s '%s': The deprecated UseSSL*, UseTLS*, UseIMAPS, and RequireSSL options are mutually exclusive with SSLType and SSLVersions.\n", type, name );
cfg->err = 1;
@ -3423,7 +3427,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
(use_sslv3 != 1 ? 0 : SSLv3) |
(use_tlsv1 == 0 ? 0 : TLSv1) |
(use_tlsv11 != 1 ? 0 : TLSv1_1) |
(use_tlsv12 != 1 ? 0 : TLSv1_2);
(use_tlsv12 != 1 ? 0 : TLSv1_2) |
(use_tlsv13 != 1 ? 0 : TLSv1_3);
if (use_imaps == 1) {
server->ssl_type = SSL_IMAPS;
} else if (require_ssl) {
@ -3441,7 +3446,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
}
} else {
if (server->sconf.ssl_versions < 0)
server->sconf.ssl_versions = TLSv1 | TLSv1_1 | TLSv1_2;
server->sconf.ssl_versions = TLSv1 | TLSv1_1 | TLSv1_2 | TLSv1_3;
if (server->ssl_type < 0)
server->ssl_type = server->sconf.tunnel ? SSL_None : SSL_STARTTLS;
}

4
src/mbsync.1
Unescape View File

@ -363,10 +363,10 @@ so it is the default (unless a tunnel is used).
right after connecting the secure IMAP port 993.
.
.TP
\fBSSLVersions\fR [\fBSSLv3\fR] [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR]
\fBSSLVersions\fR [\fBSSLv3\fR] [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR] [\fBTLSv1.3\fR]
Select the acceptable SSL/TLS versions.
Use old versions only when the server has problems with newer ones.
(Default: [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR]).
(Default: [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR] [\fBTLSv1.3\fR]).
.
.TP
\fBSystemCertificates\fR \fByes\fR|\fBno\fR

4
src/socket.c
Unescape View File

@ -260,6 +260,10 @@ init_ssl_ctx( const server_conf_t *conf )
if (!(conf->ssl_versions & TLSv1_2))
options |= SSL_OP_NO_TLSv1_2;
#endif
#ifdef SSL_OP_NO_TLSv1_3
if (!(conf->ssl_versions & TLSv1_3))
options |= SSL_OP_NO_TLSv1_3;
#endif
SSL_CTX_set_options( mconf->SSLContext, options );

3
src/socket.h
Unescape View File

@ -36,7 +36,8 @@ enum {
SSLv3 = 2,
TLSv1 = 4,
TLSv1_1 = 8,
TLSv1_2 = 16
TLSv1_2 = 16,
TLSv1_3 = 32
};
#endif

Write Preview
Loading…
Cancel
Save