Emmanuel Dreyfus <m...@netbsd.org> wrote:

> This short patch adds a few improvements to imapproxy SSL client
> - TLSv1.2 support if OpenSSL supports it

I realize that part is broken for the general case:
TLSv1_2_client_method() only negotiates TLSv1.2 and will fail if the
server does not support it.

The right way seems to be to use SSLv23_client_method(), which negotiates
the highest available version, which includes TLSv1.2, despite what the
method name suggests. That page makes it clear (even if it does not talk
about 1.2): http://www.openssl.org/docs/ssl/SSL_CTX_new.html

I will post a new patch that uses SSLv23_client_method(). TLS version
can still be controlled by SSL_CTX_set_options() with
SSL_OP_NO_(SSLv2|SSLv3|TLSv1|TLSv1_1|TLSv1_2). Do we want an option to
control the protocol version, or is just picking the best good
enough?

If we do not provide an option, I think we want to disable SSLv2, which
is well known to be insecure, and SSLv3, which was not supported by
imapproxy before. Feedback is welcome.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
m...@netbsd.org
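
The approach proposed in the message above (a version-negotiating client method plus SSL_OP_NO_* options), shown as an added example that is not imapproxy code and not part of the original post. It uses Python's ssl module, which exposes the same OpenSSL option bits; the comma-separated `disabled` setting and all function names are hypothetical.

```python
import ssl

# Names from the thread's SSL_OP_NO_(...) list, mapped to the ssl module's
# constants, which carry the corresponding OpenSSL option bits.
NO_FLAGS = {
    "SSLv2": ssl.OP_NO_SSLv2,
    "SSLv3": ssl.OP_NO_SSLv3,
    "TLSv1": ssl.OP_NO_TLSv1,
    "TLSv1_1": ssl.OP_NO_TLSv1_1,
    "TLSv1_2": ssl.OP_NO_TLSv1_2,
}


def parse_disabled(value):
    """Parse a hypothetical config value such as "SSLv2, SSLv3" into names."""
    names = {n.strip() for n in value.split(",") if n.strip()}
    unknown = names - NO_FLAGS.keys()
    if unknown:
        # Fail closed: a typo must not silently leave a protocol enabled.
        raise ValueError("unknown protocol name(s): " + ", ".join(sorted(unknown)))
    return names


def build_client_context(disabled="SSLv2, SSLv3"):
    """Negotiating client context with the listed protocol versions switched off."""
    # PROTOCOL_TLS_CLIENT selects OpenSSL's version-negotiating client method
    # (the one historically named SSLv23_client_method), not a fixed version.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    for name in parse_disabled(disabled):
        ctx.options |= NO_FLAGS[name]
    return ctx


def still_negotiable(ctx):
    """Names from NO_FLAGS that the context's option mask has not switched off.

    Only the option mask is inspected; library or system-wide minimum-version
    policy can narrow the real set further.
    """
    # A flag equal to 0 means the linked OpenSSL no longer implements that
    # protocol at all (SSLv2 in OpenSSL 1.1.0 and later), so it is skipped.
    return [n for n, flag in NO_FLAGS.items() if flag and not ctx.options & flag]


if __name__ == "__main__":
    print(still_negotiable(build_client_context()))
    print(still_negotiable(build_client_context("SSLv2, SSLv3, TLSv1, TLSv1_1")))
```
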

-----
squirrelmail-imapproxy mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-imapproxy@lists.sourceforge.net
List archives: http://news.gmane.org/gmane.mail.squirrelmail.imapproxy
List info (subscribe/unsubscribe/change options): 
https://lists.sourceforge.net/lists/listinfo/squirrelmail-imapproxy