New settings:
tls_prefer_server_ciphers: 0
Prefer the cipher order configured on the server-side.
tls_versions: ssl2 ssl3 tls1_0 tls1_1 tls1_2
Disable SSL/TLS protocols not in this list.
diff --git a/imap/tls.c b/imap/tls.c
index b2cf666..5a626e2 100644
--- a/imap/tls.c
+++ b/imap/tls.c
@@ -632,6 +632,7 @@ int tls_init_serverengine(const char *ident,
const char *s_cert_file;
const char *s_key_file;
int requirecert;
+ int server_cipher_order;
int timeout;
if (tls_serverengine)
@@ -663,10 +657,40 @@ int tls_init_serverengine(const char *ident,
};
off |= SSL_OP_ALL; /* Work around all known bugs */
- if (tlsonly) {
- off |= SSL_OP_NO_SSLv2;
- off |= SSL_OP_NO_SSLv3;
+
+ const char *tls_versions = config_getstring(IMAPOPT_TLS_VERSIONS);
+
+ if (strstr(tls_versions, "ssl2") == NULL || tlsonly) {
+ off |= SSL_OP_NO_SSLv2;
+ }
+
+ if (strstr(tls_versions, "ssl3") == NULL || tlsonly) {
+ off |= SSL_OP_NO_SSLv3;
+ }
+
+ if (strstr(tls_versions, "tls1_2") == NULL) {
+#if (OPENSSL_VERSION_NUMBER >= 0x1000105fL)
+ off |= SSL_OP_NO_TLSv1_2;
+#else
+ syslog(LOG_ERR, "ERROR: TLSv1.2 configured, OpenSSL < 1.0.1e insufficient");
+#endif
}
+
+ if (strstr(tls_versions, "tls1_1") == NULL) {
+#if (OPENSSL_VERSION_NUMBER >= 0x1000000fL)
+ off |= SSL_OP_NO_TLSv1_1;
+#else
+ syslog(LOG_ERR, "ERROR: TLSv1.1 configured, OpenSSL < 1.0.0 insufficient");
+#endif
+ }
+ if (strstr(tls_versions, "tls1_0") == NULL) {
+ off |= SSL_OP_NO_TLSv1;
+ }
+
+ server_cipher_order = config_getswitch(IMAPOPT_TLS_PREFER_SERVER_CIPHERS);
+ if (server_cipher_order)
+ off |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+
SSL_CTX_set_options(s_ctx, off);
SSL_CTX_set_info_callback(s_ctx, (void (*)()) apps_ssl_info_callback);
@@ -1196,7 +1220,7 @@ int tls_init_clientengine(int verifydepth,
return -1;
}
- c_ctx = SSL_CTX_new(TLSv1_client_method());
+ c_ctx = SSL_CTX_new(SSLv23_client_method());
if (c_ctx == NULL) {
return (-1);
};
diff --git a/imtest/imtest.c b/imtest/imtest.c
index 01ac72c..50d115d 100644
--- a/imtest/imtest.c
+++ b/imtest/imtest.c
@@ -510,7 +510,7 @@ static int tls_init_clientengine(int verifydepth, char *var_tls_cert_file, char
return IMTEST_FAIL;
}
- tls_ctx = SSL_CTX_new(TLSv1_client_method());
+ tls_ctx = SSL_CTX_new(SSLv23_client_method());
if (tls_ctx == NULL) {
return IMTEST_FAIL;
};
Index: cyrus-imapd-2.3.16/lib/imapoptions
===================================================================
--- cyrus-imapd-2.3.16.orig/lib/imapoptions
+++ cyrus-imapd-2.3.16/lib/imapoptions
@@ -1288,6 +1288,15 @@ product version in the capabilities */
the special use flag "\Drafts" added. Later versions of Cyrus
have a much more flexible RFC 6154 compatible system. */
+{ "tls_prefer_server_ciphers", 0, SWITCH }
+/* Prefer the ciphers on the server side instead of client side */
+
+{ "tls_versions", "ssl2 ssl3 tls1_0 tls1_1 tls1_2", STRING }
+/* A list of SSL/TLS versions to not disable. Cyrus IMAP SSL/TLS starts
+ with all protocols, and substracts protocols not in this list. Newer
+ versions of SSL/TLS will need to be added here to allow them to get
+ disabled. */
+
/*
.SH SEE ALSO
.PP