On Sat, Nov 09, 2019 at 07:47:55PM +0100, Jaroslav Suchanek wrote:
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -1625,6 +1625,11 @@ imap_free_store( store_t *gctx )
        imap_set_bad_callback( gctx, imap_cancel_unowned, gctx );
        gctx->next = unowned;
        unowned = gctx;
+
+#ifdef HAVE_LIBSSL
+       imap_store_conf_t *cfg = (imap_store_conf_t *)ctx->gen.conf;
+       free( cfg->server->sconf.ssl_cipherString );
+#endif
}

That can't be done here, as it might lead to double free()s. The policy is to just leak config variables, as nothing is lost by doing that.

attached is a patch which fixes this and polishes a few other things.
>From 61e1ebcd3ba5720f7361c882d495083ac33213a6 Mon Sep 17 00:00:00 2001
From: Jaroslav Suchanek <jaroslav.sucha...@gmail.com>
Date: Sat, 9 Nov 2019 19:47:55 +0100
Subject: [PATCH] Add support for specifying cipher string used for ssl
 connection

Some distributions (e.g. Fedora) have added support for system-wide crypto
policies. This is supported by most common crypto libraries, including
OpenSSL. Applications can override this policy with their own cipher
string. This commit adds support for specifying the cipher string in
the mbsync configuration.

For example, to exclude Diffie-Hellman, the user can specify
  CipherString "DEFAULT:!DH"
in the IMAP Account's configuration.
---
 NEWS           | 2 ++
 src/drv_imap.c | 2 ++
 src/mbsync.1   | 7 +++++++
 src/socket.c   | 5 +++++
 src/socket.h   | 1 +
 5 files changed, 17 insertions(+)

diff --git a/NEWS b/NEWS
index ef795a8..18e4f13 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@ The 'isync' compatibility wrapper was removed.
 
 The IMAP '$Forwarded' / Maildir 'P' (passed) flag is supported now.
 
+Support for configuring a TLS cipher string was added.
+
 [1.3.0]
 
 Network timeout handling has been added.
diff --git a/src/drv_imap.c b/src/drv_imap.c
index 7bc88f6..1273fb9 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -3243,6 +3243,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 				           cfg->file, cfg->line, server->sconf.client_keyfile );
 				cfg->err = 1;
 			}
+		} else if (!strcasecmp( "CipherString", cfg->cmd )) {
+			server->sconf.cipher_string = nfstrdup( cfg->val );
 		} else if (!strcasecmp( "SSLType", cfg->cmd )) {
 			if (!strcasecmp( "None", cfg->val )) {
 				server->ssl_type = SSL_None;
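Review bot: The new `CipherString` branch assigns `nfstrdup( cfg->val )` unconditionally, so a second `CipherString` line in the same section silently overwrites (and leaks) the first; a `free( server->sconf.cipher_string );` ahead of the assignment, or a parse error if this parser rejects duplicate options elsewhere, would make the last-wins behaviour explicit. Note also that the value is not validated here but only when `init_ssl_ctx()` later calls `SSL_CTX_set_cipher_list()`, so a typo surfaces at connect time rather than at config-parse time; a comment such as `/* validated lazily by init_ssl_ctx() */` would save the next reader from looking for a check. imap_parse_store's body continues on both sides of the hunk.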
diff --git a/src/mbsync.1 b/src/mbsync.1
index 8f6c58b..c7dedcc 100644
--- a/src/mbsync.1
+++ b/src/mbsync.1
@@ -397,6 +397,13 @@ so it is unlikely that you need this option.
 File containing the private key corresponding to \fBClientCertificate\fR.
 ..
 .TP
+\fBCipherString\fR \fIstring\fR
+Specify OpenSSL cipher string for connections secured with TLS up to
+version 1.2 (but not 1.3 and above).
+The format is described in \fBciphers\fR\|(1).
+(Default: empty, which implies system wide policy).
+..
+.TP
 \fBPipelineDepth\fR \fIdepth\fR
 Maximum number of IMAP commands which can be simultaneously in flight.
 Setting this to \fI1\fR disables pipelining.
diff --git a/src/socket.c b/src/socket.c
index 950c956..5563757 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -263,6 +263,11 @@ init_ssl_ctx( const server_conf_t *conf )
 
 	SSL_CTX_set_options( mconf->SSLContext, options );
 
+	if (conf->cipher_string && !SSL_CTX_set_cipher_list( mconf->SSLContext, conf->cipher_string )) {
+		print_ssl_errors( "setting cipher string '%s'", conf->cipher_string );
+		return 0;
+	}
+
 	if (conf->cert_file && !SSL_CTX_load_verify_locations( mconf->SSLContext, conf->cert_file, 0 )) {
 		print_ssl_errors( "loading certificate file '%s'", conf->cert_file );
 		return 0;
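Review bot: `SSL_CTX_set_cipher_list()` only fails when no cipher in the string matches, so a partially mistyped list (one bad token among several) is accepted and silently yields a different selection than the operator intended; it also leaves TLS 1.3 suites untouched, which the man page states but the code does not. A comment above the new check, such as `/* TLS <= 1.2 only; OpenSSL rejects the string only if no cipher matches, so typos may go unnoticed */`, would record both caveats where the next maintainer will look. If TLS 1.3 control is wanted later, it needs a separate `SSL_CTX_set_ciphersuites()` call, which this hunk does not attempt. init_ssl_ctx continues outside the hunk on both sides.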
diff --git a/src/socket.h b/src/socket.h
index f80c2ef..c39c861 100644
--- a/src/socket.h
+++ b/src/socket.h
@@ -49,6 +49,7 @@ typedef struct {
 	char *cert_file;
 	char *client_certfile;
 	char *client_keyfile;
+	char *cipher_string;
 	char system_certs;
 	char ssl_versions;
 
-- 
2.23.0.1.g9111c1b4df
