diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2020-12-11 15:09:15 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2020-12-11 18:32:16 +0100 |
commit | e3b95b0da424e55682c8c7b025d9d272a4a35ffe (patch) | |
tree | b1605012ec501a667f3e1b771d2501c79284bd71 | |
parent | 79463a5972229686a10c6fb39eaf3c27b85b165c (diff) |
libinterimap: remove default SSL_protocols value.
Namely, use the system default instead of "!SSLv2 !SSLv3 !TLSv1 !TLSv1.1".
As of Debian Buster (OpenSSL 1.1.1) this does not make a difference,
however using the system default provides better compatibility with
future libssl versions.
-rw-r--r-- | Changelog | 10 | ||||
-rw-r--r-- | doc/interimap.1.md | 11 | ||||
-rw-r--r-- | doc/pullimap.1.md | 11 | ||||
-rw-r--r-- | lib/Net/IMAP/InterIMAP.pm | 38 | ||||
-rw-r--r-- | tests/starttls/t | 1 | ||||
-rw-r--r-- | tests/tls-protocols/t | 7 | ||||
-rw-r--r-- | tests/tls/t | 1 |
7 files changed, 41 insertions, 38 deletions
@@ -1,3 +1,13 @@ +interimap (0.5.5) upstream; + + * libinterimap: remove default SSL_protocols value "!SSLv2 !SSLv3 + !TLSv1 !TLSv1.1" and use the system default instead. As of Debian + Buster (OpenSSL 1.1.1) this does not make a difference, however using + the system default provides better compatibility with future libssl + versions. + + -- Guilhem Moulin <guilhem@fripost.org> Fri, 11 Dec 2020 14:55:53 +0100 + interimap (0.5.4) upstream; * libinterimap: make SSL_verify also checks that the certificate diff --git a/doc/interimap.1.md b/doc/interimap.1.md index 5f19d66..9cfec7a 100644 --- a/doc/interimap.1.md +++ b/doc/interimap.1.md @@ -383,12 +383,11 @@ Valid options are: *SSL_protocols* -: A space-separated list of SSL protocols to enable or disable (if - prefixed with an exclamation mark `!`. Known protocols are `SSLv2`, - `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`. Enabling a - protocol is a short-hand for disabling all other protocols. - (Default: `!SSLv2 !SSLv3 !TLSv1 !TLSv1.1`, i.e., only enable TLSv1.2 - and above.) +: A space-separated list of SSL protocols to explicitly enable or + disable (if prefixed with an exclamation mark `!`. Known protocols + are `SSLv2`, `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`. + Enabling a protocol is a short-hand for disabling all other + protocols. *SSL_cipher_list* diff --git a/doc/pullimap.1.md b/doc/pullimap.1.md index ea93ed3..84cae46 100644 --- a/doc/pullimap.1.md +++ b/doc/pullimap.1.md @@ -202,12 +202,11 @@ Valid options are: *SSL_protocols* -: A space-separated list of SSL protocols to enable or disable (if - prefixed with an exclamation mark `!`. Known protocols are `SSLv2`, - `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`. Enabling a - protocol is a short-hand for disabling all other protocols. - (Default: `!SSLv2 !SSLv3 !TLSv1 !TLSv1.1`, i.e., only enable TLSv1.2 - and above.) +: A space-separated list of SSL protocols to explicitly enable or + disable (if prefixed with an exclamation mark `!`. Known protocols + are `SSLv2`, `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`. + Enabling a protocol is a short-hand for disabling all other + protocols. *SSL_cipher_list* diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm index 8b59ed2..221b016 100644 --- a/lib/Net/IMAP/InterIMAP.pm +++ b/lib/Net/IMAP/InterIMAP.pm @@ -1694,32 +1694,34 @@ sub _start_ssl($$) { my ($self, $socket) = @_; my $openssl_version = Net::SSLeay::OPENSSL_VERSION_NUMBER(); my $ctx = Net::SSLeay::CTX_new() or $self->panic("Failed to create SSL_CTX $!"); - my $ssl_options = Net::SSLeay::OP_SINGLE_DH_USE() | Net::SSLeay::OP_SINGLE_ECDH_USE(); if (defined $self->{_OUTBUF} and $self->{_OUTBUF} ne '') { $self->warn("Truncating non-empty output buffer (unauthenticated response injection?)"); undef $self->{_OUTBUF}; } - $self->{SSL_protocols} //= q{!SSLv2 !SSLv3 !TLSv1 !TLSv1.1}; - my ($proto_include, $proto_exclude) = (0, 0); - foreach (split /\s+/, $self->{SSL_protocols}) { - my $neg = s/^!// ? 1 : 0; - s/\.0$//; - ($neg ? $proto_exclude : $proto_include) |= $SSL_proto{$_} // $self->panic("Unknown SSL protocol: $_"); - } - if ($proto_include != 0) { - # exclude all protocols except those explictly included - my $x = 0; - $x |= $_ foreach values %SSL_proto; - $x &= ~ $proto_include; - $proto_exclude |= $x; - } - my @proto_exclude = grep { ($proto_exclude & $SSL_proto{$_}) != 0 } keys %SSL_proto; - $self->log("Disabling SSL protocols: ".join(', ', sort @proto_exclude)) if $self->{debug}; - $ssl_options |= $SSL_proto{$_} foreach @proto_exclude; + my $ssl_options = Net::SSLeay::OP_SINGLE_DH_USE() | Net::SSLeay::OP_SINGLE_ECDH_USE(); $ssl_options |= Net::SSLeay::OP_NO_COMPRESSION(); + if (defined (my $protos = $self->{SSL_protocols})) { + my ($proto_include, $proto_exclude) = (0, 0); + foreach (split /\s+/, $protos) { + my $neg = s/^!// ? 1 : 0; + s/\.0$//; + ($neg ? $proto_exclude : $proto_include) |= $SSL_proto{$_} // $self->panic("Unknown SSL protocol: $_"); + } + if ($proto_include != 0) { + # exclude all protocols except those explictly included + my $x = 0; + $x |= $_ foreach values %SSL_proto; + $x &= ~ $proto_include; + $proto_exclude |= $x; + } + my @proto_exclude = grep { ($proto_exclude & $SSL_proto{$_}) != 0 } keys %SSL_proto; + $self->log("Disabling SSL protocols: ".join(', ', sort @proto_exclude)) if $self->{debug}; + $ssl_options |= $SSL_proto{$_} foreach @proto_exclude; + } + # https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html Net::SSLeay::CTX_set_options($ctx, $ssl_options); diff --git a/tests/starttls/t b/tests/starttls/t index 5f9bd4f..55caf99 100644 --- a/tests/starttls/t +++ b/tests/starttls/t @@ -21,7 +21,6 @@ grep -Fx "STARTTLS" <"$TMPDIR/capabilities" || error grep -Fx "remote: C: 000000 STARTTLS" <"$STDERR" || error grep -Fx "remote: C: 000001 CAPABILITY" <"$STDERR" || error -grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1" <"$STDERR" || error grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error grep "^remote: SSL cipher: " <"$STDERR" || error diff --git a/tests/tls-protocols/t b/tests/tls-protocols/t index f34a95b..5444658 100644 --- a/tests/tls-protocols/t +++ b/tests/tls-protocols/t @@ -5,12 +5,7 @@ with_remote_tls_protocols() { printf "SSL_protocols = %s\\n" "$*" >>"$XDG_CONFIG_HOME/interimap/config" } -# default -interimap --debug || error -grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1" <"$STDERR" || error -grep -E "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error - -# also disable TLSv1.2 +# disable TLSv1.2 and earlier versions with_remote_tls_protocols "!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" "!TLSv1.2" interimap --debug || error grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2" <"$STDERR" || error diff --git a/tests/tls/t b/tests/tls/t index 9fdd399..76f7c14 100644 --- a/tests/tls/t +++ b/tests/tls/t @@ -8,7 +8,6 @@ for ((i = 0; i < 32; i++)); do done interimap --debug || error -grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1" <"$STDERR" || error grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error grep "^remote: SSL cipher: " <"$STDERR" || error |