commit 29842e8d20909a8a7cf2760ed53e5c55e3e478e4
Author: Oswald Buddenhagen <o...@users.sf.net>
Date:   Tue Nov 26 16:05:46 2019 +0100

    add support for (disabling) TLS v1.3
    
    this is actually potentially counterproductive, as people who have set
    SSLVersions and fail to adjust it will _lose_ tls 1.3 support. however,
    without the option being there, people (incorrectly) believe that tls
    1.3 is not supported.

 NEWS           |  2 ++
 src/drv_imap.c | 15 ++++++++++-----
 src/mbsync.1   |  4 ++--
 src/socket.c   |  4 ++++
 src/socket.h   |  3 ++-
 5 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/NEWS b/NEWS
index ce2d51c..47ebe59 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,8 @@
 
 The 'isync' compatibility wrapper was removed.
 
+Added support for disabling TLS v1.3 - adjust SSLVersions if you set it.
+
 The IMAP '$Forwarded' / Maildir 'P' (passed) flag is supported now.
 
 Support for configuring a TLS cipher string was added.
diff --git a/src/drv_imap.c b/src/drv_imap.c
index ab7dbc1..2e02fd1 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -3241,7 +3241,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 #ifdef HAVE_LIBSSL
        /* Legacy SSL options */
        int require_ssl = -1, use_imaps = -1;
-       int use_sslv3 = -1, use_tlsv1 = -1, use_tlsv11 = -1, use_tlsv12 = -1;
+       int use_sslv3 = -1, use_tlsv1 = -1, use_tlsv11 = -1, use_tlsv12 = -1, 
use_tlsv13 = -1;
 #endif
        /* Legacy SASL option */
        int require_cram = -1;
@@ -3281,7 +3281,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
                                arg += 6;
                                server->ssl_type = SSL_IMAPS;
                                if (server->sconf.ssl_versions == -1)
-                                       server->sconf.ssl_versions = SSLv3 | 
TLSv1 | TLSv1_1 | TLSv1_2;
+                                       server->sconf.ssl_versions = SSLv3 | 
TLSv1 | TLSv1_1 | TLSv1_2 | TLSv1_3;
                        } else
 #endif
                        if (starts_with( arg, UINT_MAX, "imap:", 5 ))
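Review bot: The new default for the `imaps:` URL prefix still includes `SSLv3`, while the general default further down in the same function is `TLSv1 | TLSv1_1 | TLSv1_2 | TLSv1_3` without it; SSLv3 is formally deprecated (RFC 7568) and enabling it by default on the implicit-TLS port only widens the downgrade surface. Unless the asymmetry is intentional for very old configurations, align this line with the other default: `server->sconf.ssl_versions = TLSv1 | TLSv1_1 | TLSv1_2 | TLSv1_3;`. The enclosing imap_parse_store() starts before this hunk and continues after it.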
@@ -3382,6 +3382,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
                                        server->sconf.ssl_versions |= TLSv1_1;
                                } else if (!strcasecmp( "TLSv1.2", arg )) {
                                        server->sconf.ssl_versions |= TLSv1_2;
+                               } else if (!strcasecmp( "TLSv1.3", arg )) {
+                                       server->sconf.ssl_versions |= TLSv1_3;
                                } else {
                                        error( "%s:%d: Unrecognized SSL 
version\n", cfg->file, cfg->line );
                                        cfg->err = 1;
@@ -3401,6 +3403,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
                        use_tlsv11 = parse_bool( cfg );
                else if (!strcasecmp( "UseTLSv1.2", cfg->cmd ))
                        use_tlsv12 = parse_bool( cfg );
+               else if (!strcasecmp( "UseTLSv1.3", cfg->cmd ))
+                       use_tlsv13 = parse_bool( cfg );
 #endif
                else if (!strcasecmp( "AuthMech", cfg->cmd ) ||
                         !strcasecmp( "AuthMechs", cfg->cmd )) {
@@ -3466,7 +3470,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
                        return 1;
                }
 #ifdef HAVE_LIBSSL
-               if ((use_sslv3 & use_tlsv1 & use_tlsv11 & use_tlsv12) != -1 || 
use_imaps >= 0 || require_ssl >= 0) {
+               if ((use_sslv3 & use_tlsv1 & use_tlsv11 & use_tlsv12 & 
use_tlsv13) != -1 || use_imaps >= 0 || require_ssl >= 0) {
                        if (server->ssl_type >= 0 || server->sconf.ssl_versions 
>= 0) {
                                error( "%s '%s': The deprecated UseSSL*, 
UseTLS*, UseIMAPS, and RequireSSL options are mutually exclusive with SSLType 
and SSLVersions.\n", type, name );
                                cfg->err = 1;
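Review bot: The `(use_sslv3 & use_tlsv1 & use_tlsv11 & use_tlsv12 & use_tlsv13) != -1` test relies on a bitwise AND of the -1 "unset" markers, which only works because every unset value is exactly -1 and every set value is 0 or 1; that is not obvious to the next person extending the list, as this hunk does. A one-line comment above it would help, e.g. `/* -1 means unset; any explicitly set legacy option makes the AND differ from -1 */`. The function continues outside the hunk.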
@@ -3477,7 +3481,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
                                        (use_sslv3 != 1 ? 0 : SSLv3) |
                                        (use_tlsv1 == 0 ? 0 : TLSv1) |
                                        (use_tlsv11 != 1 ? 0 : TLSv1_1) |
-                                       (use_tlsv12 != 1 ? 0 : TLSv1_2);
+                                       (use_tlsv12 != 1 ? 0 : TLSv1_2) |
+                                       (use_tlsv13 != 1 ? 0 : TLSv1_3);
                        if (use_imaps == 1) {
                                server->ssl_type = SSL_IMAPS;
                        } else if (require_ssl) {
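Review bot: In the legacy-options path the new term `(use_tlsv13 != 1 ? 0 : TLSv1_3)` makes TLS 1.3 opt-in, so every existing configuration using `UseTLSv1.2 yes` without the brand-new `UseTLSv1.3` silently loses TLS 1.3 now that socket.c sets `SSL_OP_NO_TLSv1_3` for a cleared bit, and the NEWS entry only warns about `SSLVersions`. Unless that downgrade is intended, follow the `use_tlsv1` term a few lines above and enable unless explicitly disabled: `(use_tlsv13 == 0 ? 0 : TLSv1_3);`. This also adds a new option to a family the error message in the preceding hunk calls deprecated; if it stays, the man page should document it with the same deprecation wording. The enclosing function starts and ends outside this hunk.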
@@ -3495,7 +3500,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
                        }
                } else {
                        if (server->sconf.ssl_versions < 0)
-                               server->sconf.ssl_versions = TLSv1 | TLSv1_1 | 
TLSv1_2;
+                               server->sconf.ssl_versions = TLSv1 | TLSv1_1 | 
TLSv1_2 | TLSv1_3;
                        if (server->ssl_type < 0)
                                server->ssl_type = server->sconf.tunnel ? 
SSL_None : SSL_STARTTLS;
                }
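Review bot: The general default on the new line still negotiates TLS 1.0 and 1.1, which are in the process of being deprecated by the IETF and major clients; with TLS 1.3 added, `TLSv1_2 | TLSv1_3` would be the safer default, leaving the older versions to an explicit `SSLVersions` opt-in, which is what the man page already recommends ("Use old versions only when the server has problems with newer ones"). If compatibility is preferred, at least record the tradeoff next to the assignment: `/* TLS 1.0/1.1 kept for old servers; drop once unsupported in the wild */`, and keep the man page default in sync. The enclosing function continues past this hunk.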
diff --git a/src/mbsync.1 b/src/mbsync.1
index ee815f2..4f6dfae 100644
--- a/src/mbsync.1
+++ b/src/mbsync.1
@@ -372,10 +372,10 @@ so it is the default (unless a tunnel is used).
 right after connecting the secure IMAP port 993.
 .
 .TP
-\fBSSLVersions\fR [\fBSSLv3\fR] [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR]
+\fBSSLVersions\fR [\fBSSLv3\fR] [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR] 
[\fBTLSv1.3\fR]
 Select the acceptable SSL/TLS versions.
 Use old versions only when the server has problems with newer ones.
-(Default: [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR]).
+(Default: [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR] [\fBTLSv1.3\fR]).
 .
 .TP
 \fBSystemCertificates\fR \fByes\fR|\fBno\fR
diff --git a/src/socket.c b/src/socket.c
index efc9986..015cb4e 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -263,6 +263,10 @@ DIAG_POP
        if (!(conf->ssl_versions & TLSv1_2))
                options |= SSL_OP_NO_TLSv1_2;
 #endif
+#ifdef SSL_OP_NO_TLSv1_3
+       if (!(conf->ssl_versions & TLSv1_3))
+               options |= SSL_OP_NO_TLSv1_3;
+#endif
 
        SSL_CTX_set_options( mconf->SSLContext, options );
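Review bot: If the OpenSSL headers predate `SSL_OP_NO_TLSv1_3`, the new `#ifdef` block is compiled out, so a configuration of `SSLVersions TLSv1.3` alone disables every other protocol and leaves nothing to negotiate; the user sees an opaque handshake failure instead of a configuration error. Add an `#else` branch that reports this, e.g. `if (conf->ssl_versions == TLSv1_3) error( "TLS v1.3 is not supported by this OpenSSL build\n" );`, and fail the way the function's neighbouring setup errors do (the function starts and ends outside this hunk). Separately, the `SSL_OP_NO_*` family is documented as deprecated since OpenSSL 1.1.0 in favour of `SSL_CTX_set_min_proto_version()`/`SSL_CTX_set_max_proto_version()`, and a version set with a hole (e.g. TLS 1.0 and 1.3 but not 1.2) is not guaranteed to behave as the user expects; worth a follow-up if the minimum supported OpenSSL permits it.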
 
diff --git a/src/socket.h b/src/socket.h
index f97cfe4..b9056e0 100644
--- a/src/socket.h
+++ b/src/socket.h
@@ -36,7 +36,8 @@ enum {
        SSLv3 = 2,
        TLSv1 = 4,
        TLSv1_1 = 8,
-       TLSv1_2 = 16
+       TLSv1_2 = 16,
+       TLSv1_3 = 32
 };
 #endif
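Review bot: The enum carries no comment stating that these values are flags for the `ssl_versions` bitmask and must therefore remain distinct powers of two, which is exactly the invariant a future entry could break. Suggest `/* bit flags for sconf.ssl_versions; each value must be a distinct power of two */` above the `enum {` line, which is just outside this hunk.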
 

