commit b941ae27337b437bf55966c4e858171fbe74872e Author: Oswald Buddenhagen <o...@users.sf.net> Date: Tue Nov 26 16:18:58 2019 +0100
remove support for SSLv3 it's insecure and default builds of openssl don't include it any more. NEWS | 1 + src/drv_imap.c | 11 +++++------ src/socket.c | 4 +--- src/socket.h | 1 - 4 files changed, 7 insertions(+), 10 deletions(-)
diff --git a/NEWS b/NEWS
index 47ebe59..8dda0db 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@
 The 'isync' compatibility wrapper was removed.
 Added support for disabling TLS v1.3 - adjust SSLVersions if you set it.
+Removed support for obsolete/insecure SSL v3.
 The IMAP '$Forwarded' / Maildir 'P' (passed) flag is supported now.
diff --git a/src/drv_imap.c b/src/drv_imap.c
index 2e02fd1..02da99a 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -3241,7 +3241,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 #ifdef HAVE_LIBSSL
 /* Legacy SSL options */
 int require_ssl = -1, use_imaps = -1;
- int use_sslv3 = -1, use_tlsv1 = -1, use_tlsv11 = -1, use_tlsv12 = -1, use_tlsv13 = -1;
+ int use_tlsv1 = -1, use_tlsv11 = -1, use_tlsv12 = -1, use_tlsv13 = -1;
 #endif
 /* Legacy SASL option */
 int require_cram = -1;
@@ -3281,7 +3281,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 arg += 6;
 server->ssl_type = SSL_IMAPS;
 if (server->sconf.ssl_versions == -1)
- server->sconf.ssl_versions = SSLv3 | TLSv1 | TLSv1_1 | TLSv1_2 | TLSv1_3;
+ server->sconf.ssl_versions = TLSv1 | TLSv1_1 | TLSv1_2 | TLSv1_3;
 } else
 #endif
 if (starts_with( arg, UINT_MAX, "imap:", 5 ))
@@ -3375,7 +3375,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 if (!strcasecmp( "SSLv2", arg )) {
 warn( "Warning: SSLVersion SSLv2 is no longer supported\n" );
 } else if (!strcasecmp( "SSLv3", arg )) {
- server->sconf.ssl_versions |= SSLv3;
+ warn( "Warning: SSLVersion SSLv3 is no longer supported\n" );
 } else if (!strcasecmp( "TLSv1", arg )) {
 server->sconf.ssl_versions |= TLSv1;
 } else if (!strcasecmp( "TLSv1.1", arg )) {
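Review bot: The implicit default for `imaps:` URLs in the second drv_imap.c hunk still enables `TLSv1` and `TLSv1_1`, which are legacy protocol versions in their own right. With SSLv3 gone, it would be worth deciding whether the default should narrow to `server->sconf.ssl_versions = TLSv1_2 | TLSv1_3;`, leaving the older versions to an explicit `SSLVersions` line. Any other place that assigns the default mask lies outside this hunk and would need the same decision.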
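Review bot: In the `SSLVersions` branch of the third drv_imap.c hunk, `SSLv3` now only produces a warning, so a configuration that lists `SSLv3` alone contributes no version bit. Assuming the mask is reset to 0 before this loop (not visible here), socket.c presumably sets every `SSL_OP_NO_*` flag and the connection fails at handshake time with an error that does not point back to the configuration. That fails closed, which is the safe direction, but a check after the loop such as `if (!server->sconf.ssl_versions) { error( "%s '%s': SSLVersions enables no supported protocol\n", type, name ); cfg->err = 1; }` would report the problem where it originates. The same applies to the existing `SSLv2` branch; the loop starts and ends outside the hunk.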
@@ -3396,7 +3396,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 else if (!strcasecmp( "UseSSLv2", cfg->cmd ))
 warn( "Warning: UseSSLv2 is no longer supported\n" );
 else if (!strcasecmp( "UseSSLv3", cfg->cmd ))
- use_sslv3 = parse_bool( cfg );
+ warn( "Warning: UseSSLv3 is no longer supported\n" );
 else if (!strcasecmp( "UseTLSv1", cfg->cmd ))
 use_tlsv1 = parse_bool( cfg );
 else if (!strcasecmp( "UseTLSv1.1", cfg->cmd ))
@@ -3470,7 +3470,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 return 1;
 }
 #ifdef HAVE_LIBSSL
- if ((use_sslv3 & use_tlsv1 & use_tlsv11 & use_tlsv12 & use_tlsv13) != -1 || use_imaps >= 0 || require_ssl >= 0) {
+ if ((use_tlsv1 & use_tlsv11 & use_tlsv12 & use_tlsv13) != -1 || use_imaps >= 0 || require_ssl >= 0) {
 if (server->ssl_type >= 0 || server->sconf.ssl_versions >= 0) {
 error( "%s '%s': The deprecated UseSSL*, UseTLS*, UseIMAPS, and RequireSSL options are mutually exclusive with SSLType and SSLVersions.\n", type, name );
 cfg->err = 1;
@@ -3478,7 +3478,6 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 }
 warn( "Notice: %s '%s': UseSSL*, UseTLS*, UseIMAPS, and RequireSSL are deprecated. Use SSLType and SSLVersions instead.\n", type, name );
 server->sconf.ssl_versions =
- (use_sslv3 != 1 ? 0 : SSLv3) |
 (use_tlsv1 == 0 ? 0 : TLSv1) |
 (use_tlsv11 != 1 ? 0 : TLSv1_1) |
 (use_tlsv12 != 1 ? 0 : TLSv1_2) |
diff --git a/src/socket.c b/src/socket.c
index 015cb4e..1439fe0 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -250,9 +250,7 @@ DIAG_POP
 return 0;
 }
- uint options = 0;
- if (!(conf->ssl_versions & SSLv3))
- options |= SSL_OP_NO_SSLv3;
+ uint options = SSL_OP_NO_SSLv3;
 if (!(conf->ssl_versions & TLSv1))
 options |= SSL_OP_NO_TLSv1;
 #ifdef SSL_OP_NO_TLSv1_1
diff --git a/src/socket.h b/src/socket.h
index b9056e0..1b51f4b 100644
--- a/src/socket.h
+++ b/src/socket.h
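Review bot: The test `(use_tlsv1 & use_tlsv11 & use_tlsv12 & use_tlsv13) != -1` in the hunk at line 3470 only works because each variable holds -1 while unset, which is not obvious at the point of use. A comment above the condition such as `/* -1 = option not given; the AND stays -1 only if no legacy UseTLS* option was set */` would make that explicit. `UseSSLv3` no longer feeds this test, so a file that combines only `UseSSLv3` with `SSLType`/`SSLVersions` now gets a warning where it presumably used to hit the mutual-exclusion error; that looks harmless but is a behaviour change worth noting. The enclosing function continues outside the hunk.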
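Review bot: `uint options = SSL_OP_NO_SSLv3;` in the socket.c hunk turns SSLv3 off unconditionally, but nothing visible does the same for SSLv2, which the config parser already treats as unsupported. If the project can still be built against an OpenSSL release that ships SSLv2, starting from `uint options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;` would close that gap; on OpenSSL 1.1.0 and later the flag is defined as 0, so the extra bit costs nothing. A one-line comment stating that the legacy SSL protocols are always disabled regardless of `ssl_versions` would also help. The surrounding function is not fully visible here, so SSLv2 may already be excluded elsewhere.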
@@ -33,7 +33,6 @@
 # include <openssl/ssl.h>
 enum {
- SSLv3 = 2,
 TLSv1 = 4,
 TLSv1_1 = 8,
 TLSv1_2 = 16,
_______________________________________________ isync-devel mailing list isync-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/isync-devel