commit 47bdbb4aab0785ec779dbc8c418026ed5e3bed1c
Author: Oswald Buddenhagen <[email protected]>
Date: Fri Aug 11 08:50:28 2017 +0200
enable TLS 1.1 and 1.2 by default
there is no reason not to, and debian even disabled 1.0 globally,
because it's (theoretically) too insecure in some contexts (BEAST
attack).
in the compat wrapper, the UseTLSv1 option has been re-interpreted as
v1.x, to avoid adding new options.
src/compat/config.c | 5 +++--
src/compat/isync.1 | 2 +-
src/drv_imap.c | 4 ++--
src/mbsync.1 | 4 ++--
4 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/src/compat/config.c b/src/compat/config.c
index 746b46a..9ce9a98 100644
--- a/src/compat/config.c
+++ b/src/compat/config.c
@@ -316,9 +316,10 @@ write_imap_server( FILE *fp, config_t *cfg )
if (cfg->pass)
fprintf( fp, "Pass %s\n", quotify( cfg->pass ) );
fprintf( fp, "RequireCRAM %s\nRequireSSL %s\n"
- "UseSSLv2 %s\nUseSSLv3 %s\nUseTLSv1 %s\n",
+ "UseSSLv2 %s\nUseSSLv3 %s\nUseTLSv1 %s\nUseTLSv1.1
%s\nUseTLSv1.2 %s\n",
tb(cfg->require_cram), tb(cfg->require_ssl),
- tb(cfg->use_sslv2), tb(cfg->use_sslv3), tb(cfg->use_tlsv1)
);
+ tb(cfg->use_sslv2), tb(cfg->use_sslv3),
+ tb(cfg->use_tlsv1), tb(cfg->use_tlsv1), tb(cfg->use_tlsv1)
);
if ((cfg->use_imaps || cfg->use_sslv2 || cfg->use_sslv3 ||
cfg->use_tlsv1) &&
cfg->cert_file)
fprintf( fp, "CertificateFile %s\n", quotify( cfg->cert_file )
);
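Review bot: The added line passes `tb(cfg->use_tlsv1)` three times, once each for the UseTLSv1, UseTLSv1.1 and UseTLSv1.2 fields, which reads like a copy-paste slip to anyone who has not seen the commit message. A one-line comment above the fprintf would keep a later maintainer from "fixing" it, e.g. `/* the legacy UseTLSv1 flag stands for all TLSv1.x versions */`. The CertificateFile condition on the following lines still keys only off use_tlsv1, which is consistent with that reinterpretation. write_imap_server continues past the end of the hunk.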
diff --git a/src/compat/isync.1 b/src/compat/isync.1
index fb9900f..aad06aa 100644
--- a/src/compat/isync.1
+++ b/src/compat/isync.1
@@ -278,7 +278,7 @@ Should \fBisync\fR use SSLv3 for communication with the
IMAP server over SSL?
..
.TP
\fBUseTLSv1\fR \fIyes\fR|\fIno\fR
-Should \fBisync\fR use TLSv1 for communication with the IMAP server over SSL?
+Should \fBisync\fR use TLSv1.x for communication with the IMAP server over SSL?
(Default: \fIyes\fR)
..
.TP
diff --git a/src/drv_imap.c b/src/drv_imap.c
index 3d66243..7aacb95 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -2767,7 +2767,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
arg += 6;
server->ssl_type = SSL_IMAPS;
if (server->sconf.ssl_versions == -1)
- server->sconf.ssl_versions = SSLv2 |
SSLv3 | TLSv1;
+ server->sconf.ssl_versions = SSLv2 |
SSLv3 | TLSv1 | TLSv1_1 | TLSv1_2;
} else
#endif
if (starts_with( arg, -1, "imap:", 5 ))
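Review bot: The new imaps:// default on the added line still includes SSLv2 and SSLv3 alongside the three TLS versions, whereas the STARTTLS default added at line 2930 in the same commit is TLS-only; with the commit message citing BEAST against TLS 1.0 and mbsync.1 calling SSLv2 "strongly discouraged", offering SSLv2/SSLv3 by default on the secure port looks inconsistent. If keeping them is deliberate for very old servers, a comment on the line should say so; otherwise `server->sconf.ssl_versions = TLSv1 | TLSv1_1 | TLSv1_2;` would align both defaults and leave the old protocols opt-in through the explicit version setting. imap_parse_store starts before the hunk and continues after it.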
@@ -2930,7 +2930,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
}
} else {
if (server->sconf.ssl_versions < 0)
- server->sconf.ssl_versions = TLSv1; /* Most
compatible and still reasonably secure. */
+ server->sconf.ssl_versions = TLSv1 | TLSv1_1 |
TLSv1_2;
if (server->ssl_type < 0)
server->ssl_type = server->sconf.tunnel ?
SSL_None : SSL_STARTTLS;
}
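Review bot: The removed line carried the rationale comment `/* Most compatible and still reasonably secure. */`, and the replacement default has none, so a reader cannot tell why TLS 1.0 remains enabled when the commit message itself names BEAST as the reason debian dropped it. Suggest a comment on the added line, e.g. `/* TLSv1 kept only for servers that cannot negotiate 1.1/1.2 */`. imap_parse_store continues outside the hunk on both sides.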
diff --git a/src/mbsync.1 b/src/mbsync.1
index 51f356a..d2d5bd8 100644
--- a/src/mbsync.1
+++ b/src/mbsync.1
@@ -337,8 +337,8 @@ right after connecting the secure IMAP port 993.
Select the acceptable SSL/TLS versions.
Use of SSLv2 is strongly discouraged for security reasons, but might be the
only option on some very old servers.
-Generally, the newest TLS version is recommended, but as this confuses some
-servers, \fBTLSv1\fR is the default.
+Use old versions only when the server has problems with newer ones.
+(Default: [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR]).
..
.TP
\fBSystemCertificates\fR \fByes\fR|\fBno\fR