aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2020-12-13 18:15:39 +0100
committerGuilhem Moulin <guilhem@fripost.org>2020-12-13 18:44:24 +0100
commit0a358b8e929be3cbf9586e2a9146c209903f6896 (patch)
treecb7a156a6c3a83861098028c0b7b279b95daa3be
parent8c43ed9baa905d907a6aad77de2282a852ba69a9 (diff)
libinterimap: _start_ssl() now fails immediately with OpenSSL <1.1.0.
It could in principle still work with earlier versions if the new settings SSL_protocol_{min,max} are not used, however it's cumbersome to do individual checks for specific settings, let alone maintain test coverage with multiple OpenSSL versions.
-rw-r--r--Changelog10
-rw-r--r--lib/Net/IMAP/InterIMAP.pm11
2 files changed, 11 insertions, 10 deletions
diff --git a/Changelog b/Changelog
index 2fbdf36..773065d 100644
--- a/Changelog
+++ b/Changelog
@@ -8,14 +8,16 @@ interimap (0.5.5) upstream;
* libinterimap: deprecate SSL_protocols, obsoleted by new settings
SSL_protocol_{min,max}. Using the libssl interface simplifies our
protocol black/whitelist greatly; this only allows simple min/max
- bounds, but holes are arguably not very useful here. Using the new
- settings bumps the required libssl version to 1.1.0.
+ bounds, but holes are arguably not very useful here.
* libinterimap: use default locations for trusted CA certificates when
neither CAfile nor CApath are set. In particular, OpenSSL's default
locations can be overridden by the SSL_CERT_FILE resp. SSL_CERT_DIR
environment variables, see SSL_CTX_load_verify_locations(3ssl).
- This bumps the minimum OpenSSL version to 1.1.0 (when SSL_verify is
- used).
+ * libinterimap: _start_ssl() now fails immediately with OpenSSL <1.1.0.
+ It could in principle still work with earlier versions if the new
+ settings SSL_protocol_{min,max} are not used, however it's cumbersome
+ to do individual checks for specific settings, let alone maintain
+ test coverage with multiple OpenSSL versions.
+ `make release`: also bump libinterimap version and pin it in 'use'
declarations.
+ Make error messages more uniform and consistent.
diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm
index 89e5cba..99d3a0e 100644
--- a/lib/Net/IMAP/InterIMAP.pm
+++ b/lib/Net/IMAP/InterIMAP.pm
@@ -48,7 +48,6 @@ my $RE_LIST_CHAR = qr/[\x21\x23-\x27\x2A\x2B-\x5B\x5D-\x7A\x7C-\x7E]/;
my $RE_TEXT_CHAR = qr/[\x01-\x09\x0B\x0C\x0E-\x7F]/;
my $RE_SSL_PROTO = qr/(?:SSLv[23]|TLSv1|TLSv1\.[0-3])/;
-my $OPENSSL_VERSION = Net::SSLeay::OPENSSL_VERSION_NUMBER();
# Map each option to a regexp validating its values.
my %OPTIONS = (
@@ -1704,6 +1703,11 @@ my %SSL_protocol_versions = (
# Upgrade the $socket to SSL/TLS.
sub _start_ssl($$) {
my ($self, $socket) = @_;
+ # need OpenSSL 1.1.0 or later for SSL_CTX_set_min_proto_version(3ssl), see
+ # https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set_min_proto_version.html
+ $self->panic("SSL/TLS functions require OpenSSL 1.1.0 or later")
+ if Net::SSLeay::OPENSSL_VERSION_NUMBER() < 0x1010000f;
+
my $ctx = Net::SSLeay::CTX_new() or $self->panic("SSL_CTX_new(): $!");
$self->{SSL_verify} //= 1; # default is to perform certificate verification
@@ -1716,7 +1720,6 @@ sub _start_ssl($$) {
$ssl_options |= Net::SSLeay::OP_NO_COMPRESSION();
if (defined $self->{SSL_protocol_min} or defined $self->{SSL_protocol_max}) {
- $self->panic("Failed requirement libssl >=1.1.0") if $OPENSSL_VERSION < 0x1010000f;
my ($min, $max) = @$self{qw/SSL_protocol_min SSL_protocol_max/};
if (defined $min) {
my $v = $SSL_protocol_versions{$min} // $self->panic("Unknown protocol version: $min");
@@ -1772,9 +1775,6 @@ sub _start_ssl($$) {
my $host = $self->{host} // $self->panic();
my ($hostip, $hostipfam) = _parse_hostip($host);
if ($self->{SSL_verify}) {
- # for X509_VERIFY_PARAM_set1_{ip,host}()
- $self->panic("Failed requirement libssl >=1.0.2") if $OPENSSL_VERSION < 0x1000200f;
-
# verify certificate chain
if (defined $self->{SSL_CAfile} or defined $self->{SSL_CApath}) {
$self->_ssl_error("SSL_CTX_load_verify_locations()")
@@ -1808,7 +1808,6 @@ sub _start_ssl($$) {
# always use 'SSL_hostname' when set, otherwise use 'host' (unless it's an IP)
my $servername = $self->{SSL_hostname} // (defined $hostipfam ? "" : $host);
if ($servername ne "") {
- $self->panic("Failed requirement libssl >=0.9.8f") if $OPENSSL_VERSION < 0x00908070;
$self->_ssl_error("SSL_set_tlsext_host_name($servername)")
unless Net::SSLeay::set_tlsext_host_name($ssl, $servername) == 1;
$self->log("Using SNI with name $servername") if $self->{debug};