commit 581f125ce445e5b9322c408d87d050afaca32f2e
Author: Jaroslav Suchanek <jaroslav.sucha...@gmail.com>
AuthorDate: Sat Nov 9 19:47:55 2019 +0100
Commit: Oswald Buddenhagen <o...@users.sf.net>
CommitDate: Sun Dec 29 13:05:37 2019 +0100
Add support for specifying cipher string used for ssl connection
Some distributions (e.g. Fedora) added support for system wide crypto
policies. This is supported in most common crypto libraries including
OpenSSL. Applications can override this policy using their own cipher
string. This commit adds support for specifying the cipher string in
the mbsync configuration.
For example, to exclude Diffie-Hellman, the user can specify
CipherString "DEFAULT:!DH"
in the IMAP Account's configuration.
NEWS | 2 ++
src/drv_imap.c | 2 ++
src/mbsync.1 | 7 +++++++
src/socket.c | 5 +++++
src/socket.h | 1 +
5 files changed, 17 insertions(+)
diff --git a/NEWS b/NEWS
index ef795a8..18e4f13 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@ The 'isync' compatibility wrapper was removed.
The IMAP '$Forwarded' / Maildir 'P' (passed) flag is supported now.
+Support for configuring a TLS cipher string was added.
+
[1.3.0]
Network timeout handling has been added.
diff --git a/src/drv_imap.c b/src/drv_imap.c
index 92b5b32..2c0e4b0 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -3293,6 +3293,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
cfg->file, cfg->line,
server->sconf.client_keyfile );
cfg->err = 1;
}
+ } else if (!strcasecmp( "CipherString", cfg->cmd )) {
+ server->sconf.cipher_string = nfstrdup( cfg->val );
} else if (!strcasecmp( "SSLType", cfg->cmd )) {
if (!strcasecmp( "None", cfg->val )) {
server->ssl_type = SSL_None;
diff --git a/src/mbsync.1 b/src/mbsync.1
index 171727f..ff00fa6 100644
--- a/src/mbsync.1
+++ b/src/mbsync.1
@@ -404,6 +404,13 @@ so it is unlikely that you need this option.
File containing the private key corresponding to \fBClientCertificate\fR.
.
.TP
+\fBCipherString\fR \fIstring\fR
+Specify OpenSSL cipher string for connections secured with TLS up to
+version 1.2 (but not 1.3 and above).
+The format is described in \fBciphers\fR\|(1).
+(Default: empty, which implies system wide policy).
+.
+.TP
\fBPipelineDepth\fR \fIdepth\fR
Maximum number of IMAP commands which can be simultaneously in flight.
Setting this to \fI1\fR disables pipelining.
diff --git a/src/socket.c b/src/socket.c
index c5cf10d..efc9986 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -266,6 +266,11 @@ DIAG_POP
SSL_CTX_set_options( mconf->SSLContext, options );
+ if (conf->cipher_string && !SSL_CTX_set_cipher_list( mconf->SSLContext,
conf->cipher_string )) {
+ print_ssl_errors( "setting cipher string '%s'",
conf->cipher_string );
+ return 0;
+ }
+
if (conf->cert_file && !SSL_CTX_load_verify_locations(
mconf->SSLContext, conf->cert_file, NULL )) {
print_ssl_errors( "loading certificate file '%s'",
conf->cert_file );
return 0;
diff --git a/src/socket.h b/src/socket.h
index e7cca05..f97cfe4 100644
--- a/src/socket.h
+++ b/src/socket.h
@@ -49,6 +49,7 @@ typedef struct {
char *cert_file;
char *client_certfile;
char *client_keyfile;
+ char *cipher_string;
char system_certs;
char ssl_versions;
_______________________________________________
isync-devel mailing list
isync-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/isync-devel
