aboutsummaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2020-12-11 15:09:15 +0100
committerGuilhem Moulin <guilhem@fripost.org>2020-12-11 18:32:16 +0100
commite3b95b0da424e55682c8c7b025d9d272a4a35ffe (patch)
treeb1605012ec501a667f3e1b771d2501c79284bd71 /lib
parent79463a5972229686a10c6fb39eaf3c27b85b165c (diff)
libinterimap: remove default SSL_protocols value.
Namely, use the system default instead of "!SSLv2 !SSLv3 !TLSv1 !TLSv1.1". As of Debian Buster (OpenSSL 1.1.1) this does not make a difference, however using the system default provides better compatibility with future libssl versions.
Diffstat (limited to 'lib')
-rw-r--r--lib/Net/IMAP/InterIMAP.pm38
1 files changed, 20 insertions, 18 deletions
diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm
index 8b59ed2..221b016 100644
--- a/lib/Net/IMAP/InterIMAP.pm
+++ b/lib/Net/IMAP/InterIMAP.pm
@@ -1694,32 +1694,34 @@ sub _start_ssl($$) {
my ($self, $socket) = @_;
my $openssl_version = Net::SSLeay::OPENSSL_VERSION_NUMBER();
my $ctx = Net::SSLeay::CTX_new() or $self->panic("Failed to create SSL_CTX $!");
- my $ssl_options = Net::SSLeay::OP_SINGLE_DH_USE() | Net::SSLeay::OP_SINGLE_ECDH_USE();
if (defined $self->{_OUTBUF} and $self->{_OUTBUF} ne '') {
$self->warn("Truncating non-empty output buffer (unauthenticated response injection?)");
undef $self->{_OUTBUF};
}
- $self->{SSL_protocols} //= q{!SSLv2 !SSLv3 !TLSv1 !TLSv1.1};
- my ($proto_include, $proto_exclude) = (0, 0);
- foreach (split /\s+/, $self->{SSL_protocols}) {
- my $neg = s/^!// ? 1 : 0;
- s/\.0$//;
- ($neg ? $proto_exclude : $proto_include) |= $SSL_proto{$_} // $self->panic("Unknown SSL protocol: $_");
- }
- if ($proto_include != 0) {
- # exclude all protocols except those explictly included
- my $x = 0;
- $x |= $_ foreach values %SSL_proto;
- $x &= ~ $proto_include;
- $proto_exclude |= $x;
- }
- my @proto_exclude = grep { ($proto_exclude & $SSL_proto{$_}) != 0 } keys %SSL_proto;
- $self->log("Disabling SSL protocols: ".join(', ', sort @proto_exclude)) if $self->{debug};
- $ssl_options |= $SSL_proto{$_} foreach @proto_exclude;
+ my $ssl_options = Net::SSLeay::OP_SINGLE_DH_USE() | Net::SSLeay::OP_SINGLE_ECDH_USE();
$ssl_options |= Net::SSLeay::OP_NO_COMPRESSION();
+ if (defined (my $protos = $self->{SSL_protocols})) {
+ my ($proto_include, $proto_exclude) = (0, 0);
+ foreach (split /\s+/, $protos) {
+ my $neg = s/^!// ? 1 : 0;
+ s/\.0$//;
+ ($neg ? $proto_exclude : $proto_include) |= $SSL_proto{$_} // $self->panic("Unknown SSL protocol: $_");
+ }
+ if ($proto_include != 0) {
+ # exclude all protocols except those explictly included
+ my $x = 0;
+ $x |= $_ foreach values %SSL_proto;
+ $x &= ~ $proto_include;
+ $proto_exclude |= $x;
+ }
+ my @proto_exclude = grep { ($proto_exclude & $SSL_proto{$_}) != 0 } keys %SSL_proto;
+ $self->log("Disabling SSL protocols: ".join(', ', sort @proto_exclude)) if $self->{debug};
+ $ssl_options |= $SSL_proto{$_} foreach @proto_exclude;
+ }
+
# https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html
Net::SSLeay::CTX_set_options($ctx, $ssl_options);