Tree - rpms/cyrus-imapd - CentOS Git server

rpms / cyrus-imapd

Files

Commit: a9ab2dd7b0b4406ec7f66047eac858ea2e85bf9a
Blob Blame History Raw
New settings:

    tls_prefer_server_ciphers: 0

        Prefer the cipher order configured on the server-side.

    tls_versions: ssl2 ssl3 tls1_0 tls1_1 tls1_2

        Disable SSL/TLS protocols not in this list.

diff --git a/imap/tls.c b/imap/tls.c
index b2cf666..5a626e2 100644
--- a/imap/tls.c
+++ b/imap/tls.c
@@ -632,6 +632,7 @@ int     tls_init_serverengine(const char *ident,
     const char   *s_cert_file;
     const char   *s_key_file;
     int    requirecert;
+    int    server_cipher_order;
     int    timeout;
 
     if (tls_serverengine)
@@ -663,10 +657,40 @@ int     tls_init_serverengine(const char *ident,
     };
 
     off |= SSL_OP_ALL;		/* Work around all known bugs */
-    if (tlsonly) {
-	off |= SSL_OP_NO_SSLv2;
-	off |= SSL_OP_NO_SSLv3;
+
+    const char *tls_versions = config_getstring(IMAPOPT_TLS_VERSIONS);
+
+    if (strstr(tls_versions, "ssl2") == NULL || tlsonly) {
+    off |= SSL_OP_NO_SSLv2;
+    }
+
+    if (strstr(tls_versions, "ssl3") == NULL || tlsonly) {
+    off |= SSL_OP_NO_SSLv3;
+    }
+
+    if (strstr(tls_versions, "tls1_2") == NULL) {
+#if (OPENSSL_VERSION_NUMBER >= 0x1000105fL)
+    off |= SSL_OP_NO_TLSv1_2;
+#else
+    syslog(LOG_ERR, "ERROR: TLSv1.2 configured, OpenSSL < 1.0.1e insufficient");
+#endif
     }
+
+    if (strstr(tls_versions, "tls1_1") == NULL) {
+#if (OPENSSL_VERSION_NUMBER >= 0x1000000fL)
+    off |= SSL_OP_NO_TLSv1_1;
+#else
+    syslog(LOG_ERR, "ERROR: TLSv1.1 configured, OpenSSL < 1.0.0 insufficient");
+#endif
+    }
+    if (strstr(tls_versions, "tls1_0") == NULL) {
+    off |= SSL_OP_NO_TLSv1;
+    }
+
+    server_cipher_order = config_getswitch(IMAPOPT_TLS_PREFER_SERVER_CIPHERS);
+    if (server_cipher_order)
+        off |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+
     SSL_CTX_set_options(s_ctx, off);
     SSL_CTX_set_info_callback(s_ctx, (void (*)()) apps_ssl_info_callback);
 
@@ -1196,7 +1220,7 @@ int tls_init_clientengine(int verifydepth,
 	return -1;
     }
     
-    c_ctx = SSL_CTX_new(TLSv1_client_method());
+    c_ctx = SSL_CTX_new(SSLv23_client_method());
     if (c_ctx == NULL) {
 	return (-1);
     };
diff --git a/imtest/imtest.c b/imtest/imtest.c
index 01ac72c..50d115d 100644
--- a/imtest/imtest.c
+++ b/imtest/imtest.c
@@ -510,7 +510,7 @@ static int tls_init_clientengine(int verifydepth, char *var_tls_cert_file, char
 	return IMTEST_FAIL;
     }
     
-    tls_ctx = SSL_CTX_new(TLSv1_client_method());
+    tls_ctx = SSL_CTX_new(SSLv23_client_method());
     if (tls_ctx == NULL) {
 	return IMTEST_FAIL;
     };
Index: cyrus-imapd-2.3.16/lib/imapoptions
===================================================================
--- cyrus-imapd-2.3.16.orig/lib/imapoptions
+++ cyrus-imapd-2.3.16/lib/imapoptions
@@ -1288,6 +1288,15 @@ product version in the capabilities */
    the special use flag "\Drafts" added.  Later versions of Cyrus
    have a much more flexible RFC 6154 compatible system.  */
 
+{ "tls_prefer_server_ciphers", 0, SWITCH }
+/* Prefer the ciphers on the server side instead of client side */
+
+{ "tls_versions", "ssl2 ssl3 tls1_0 tls1_1 tls1_2", STRING }
+/* A list of SSL/TLS versions to not disable. Cyrus IMAP SSL/TLS starts
+   with all protocols, and substracts protocols not in this list. Newer
+   versions of SSL/TLS will need to be added here to allow them to get
+   disabled. */
+
 /*
 .SH SEE ALSO
 .PP
rpms / cyrus-imapd

Source Code

Files
