Some distributions (e.g. Fedora) added support for system-wide crypto policies. This is supported in most common crypto libraries, including OpenSSL. Applications can override this policy using their own cipher string. This commit adds support for specifying an OpenSSL cipher string in the mbsync configuration.
For example, to exclude Diffie-Hellman user can specify, SSLCipherString "DEFAULT:!DH" configuration option for the IMAP Account.
---
src/drv_imap.c | 7 +++++++
src/mbsync.1 | 5 +++++
src/socket.c | 6 ++++++
src/socket.h | 1 +
4 files changed, 19 insertions(+)
diff --git a/src/drv_imap.c b/src/drv_imap.c
index 7bc88f6..473340a 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -1625,6 +1625,11 @@ imap_free_store( store_t *gctx )
 imap_set_bad_callback( gctx, imap_cancel_unowned, gctx );
 gctx->next = unowned;
 unowned = gctx;
+
+#ifdef HAVE_LIBSSL
+ imap_store_conf_t *cfg = (imap_store_conf_t *)ctx->gen.conf;
+ free( cfg->server->sconf.ssl_cipherString );
+#endif
 }
 /******************* imap_cleanup *******************/
@@ -3274,6 +3279,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 cfg->err = 1;
 }
 } while ((arg = get_arg( cfg, ARG_OPTIONAL, 0 )));
+ } else if (!strcasecmp( "SSLCipherString", cfg->cmd )) {
+ server->sconf.ssl_cipherString = nfstrdup( cfg->val );
 } else if (!strcasecmp( "RequireSSL", cfg->cmd ))
 require_ssl = parse_bool( cfg );
 else if (!strcasecmp( "UseIMAPS", cfg->cmd ))
diff --git a/src/mbsync.1 b/src/mbsync.1
index 8f6c58b..9eb2ea7 100644
--- a/src/mbsync.1
+++ b/src/mbsync.1
@@ -370,6 +370,11 @@ Use old versions only when the server has problems with newer ones.
 (Default: [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR]).
 ..
 .TP
+\fBSSLCipherString\fR [\fBcipher string\fR]
+Specify cipher string for openssl connection.
+(Default: empty, which implies system wide policy).
+..
+.TP
 \fBSystemCertificates\fR \fByes\fR|\fBno\fR
 Whether the system's default root cerificate store should be loaded.
 (Default: \fByes\fR)
diff --git a/src/socket.c b/src/socket.c
index 950c956..b02b4cc 100644
--- a/src/socket.c
+++ b/src/socket.c
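Review bot: The `free( cfg->server->sconf.ssl_cipherString )` added to imap_free_store releases a string owned by the server configuration, yet the store itself is only parked on the `unowned` list two lines above and the configuration it points to stays live. If another store is backed by the same server config, or this store is picked up again and init_ssl_ctx runs, SSL_CTX_set_cipher_list would read freed memory and a second imap_free_store would free it twice; as far as this hunk shows, the sibling config strings such as cert_file and client_keyfile are not freed here at all, and socket.h notes that the context fields are simply leaked at exit. I would drop the free and treat ssl_cipherString like cert_file, or, if it must be reclaimed, do it once in configuration teardown and null the pointer: `free( cfg->server->sconf.ssl_cipherString ); cfg->server->sconf.ssl_cipherString = NULL;`. The body of imap_free_store starts before the hunk, so how `ctx` is derived from gctx is not visible here.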
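Review bot: The new SSLCipherString branch assigns `server->sconf.ssl_cipherString` unconditionally, while the matching free in imap_free_store is under `#ifdef HAVE_LIBSSL` and the new socket.h field sits beside the SSL-only members; if that field is declared under `#ifdef HAVE_LIBSSL` as its neighbours cert_file and ssl_versions appear to be, a build without libssl fails on this line. It also leaks the previous value when the option is given twice for one account, since nfstrdup overwrites without freeing. I would guard the branch the way the other SSL-only options presumably are and free before reassigning, as sketched below. imap_parse_store begins and ends outside this hunk.
```c
} else if (!strcasecmp( "SSLCipherString", cfg->cmd )) {
#ifdef HAVE_LIBSSL
	/* option may be repeated; do not leak the earlier value */
	free( server->sconf.ssl_cipherString );
	server->sconf.ssl_cipherString = nfstrdup( cfg->val );
#else
	/* … report "SSL support is not compiled in" as the other SSL-only options do … */
	cfg->err = 1;
#endif
} else if (!strcasecmp( "RequireSSL", cfg->cmd ))
```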
@@ -263,6 +263,12 @@ init_ssl_ctx( const server_conf_t *conf )
 SSL_CTX_set_options( mconf->SSLContext, options );
+ if (conf->ssl_cipherString &&
+ !SSL_CTX_set_cipher_list( conf->SSLContext, conf->ssl_cipherString) ) {
+ print_ssl_errors("setting cipher string failed");
+ return 0;
+ }
+
 if (conf->cert_file && !SSL_CTX_load_verify_locations( mconf->SSLContext, conf->cert_file, 0 )) {
 print_ssl_errors( "loading certificate file '%s'", conf->cert_file );
 return 0;
diff --git a/src/socket.h b/src/socket.h
index f80c2ef..e04c782 100644
--- a/src/socket.h
+++ b/src/socket.h
@@ -51,6 +51,7 @@ typedef struct {
 char *client_keyfile;
 char system_certs;
 char ssl_versions;
+ char *ssl_cipherString;
 /* these are actually variables and are leaked at the end */
 char ssl_ctx_valid;
--
2.18.1
_______________________________________________
isync-devel mailing list
isync-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/isync-devel
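Review bot: SSL_CTX_set_cipher_list only governs the TLS 1.2-and-earlier cipher list; with OpenSSL 1.1.1 and later the TLS 1.3 suites are chosen by a separate SSL_CTX_set_ciphersuites() call, so a setting such as the commit's `DEFAULT:!DH` has no effect on TLS 1.3 connections, and because `DEFAULT` names OpenSSL's built-in list it, as far as I know, replaces the system-wide policy rather than narrowing it. Both caveats belong in the SSLCipherString entry of mbsync.1, which currently says only that an empty value implies the system policy. The call also passes `conf->SSLContext` while the SSL_CTX_set_options and SSL_CTX_load_verify_locations calls around it use `mconf->SSLContext`, and the error call drops the file's inner-paren spacing; I would write `!SSL_CTX_set_cipher_list( mconf->SSLContext, conf->ssl_cipherString )` and `print_ssl_errors( "setting cipher string failed" );`. init_ssl_ctx continues outside this hunk.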