-rw-r--r--Changelog10
-rw-r--r--doc/interimap.1.md11
-rw-r--r--doc/pullimap.1.md11
-rw-r--r--lib/Net/IMAP/InterIMAP.pm38
-rw-r--r--tests/starttls/t1
-rw-r--r--tests/tls-protocols/t7
-rw-r--r--tests/tls/t1
7 files changed, 41 insertions, 38 deletions
diff --git a/Changelog b/Changelog
index 42cac7a..b809cd3 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,13 @@
+interimap (0.5.5) upstream;
+
+ * libinterimap: remove default SSL_protocols value "!SSLv2 !SSLv3
+ !TLSv1 !TLSv1.1" and use the system default instead. As of Debian
+ Buster (OpenSSL 1.1.1) this does not make a difference, however using
+ the system default provides better compatibility with future libssl
+ versions.
+
+ -- Guilhem Moulin <guilhem@fripost.org> Fri, 11 Dec 2020 14:55:53 +0100
+
interimap (0.5.4) upstream;
* libinterimap: make SSL_verify also checks that the certificate
diff --git a/doc/interimap.1.md b/doc/interimap.1.md
index 5f19d66..9cfec7a 100644
--- a/doc/interimap.1.md
+++ b/doc/interimap.1.md
@@ -383,12 +383,11 @@ Valid options are:
*SSL_protocols*
-: A space-separated list of SSL protocols to enable or disable (if
- prefixed with an exclamation mark `!`. Known protocols are `SSLv2`,
- `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`. Enabling a
- protocol is a short-hand for disabling all other protocols.
- (Default: `!SSLv2 !SSLv3 !TLSv1 !TLSv1.1`, i.e., only enable TLSv1.2
- and above.)
+: A space-separated list of SSL protocols to explicitly enable or
+ disable (if prefixed with an exclamation mark `!`. Known protocols
+ are `SSLv2`, `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`.
+ Enabling a protocol is a short-hand for disabling all other
+ protocols.
*SSL_cipher_list*
diff --git a/doc/pullimap.1.md b/doc/pullimap.1.md
index ea93ed3..84cae46 100644
--- a/doc/pullimap.1.md
+++ b/doc/pullimap.1.md
@@ -202,12 +202,11 @@ Valid options are:
*SSL_protocols*
-: A space-separated list of SSL protocols to enable or disable (if
- prefixed with an exclamation mark `!`. Known protocols are `SSLv2`,
- `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`. Enabling a
- protocol is a short-hand for disabling all other protocols.
- (Default: `!SSLv2 !SSLv3 !TLSv1 !TLSv1.1`, i.e., only enable TLSv1.2
- and above.)
+: A space-separated list of SSL protocols to explicitly enable or
+ disable (if prefixed with an exclamation mark `!`. Known protocols
+ are `SSLv2`, `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`.
+ Enabling a protocol is a short-hand for disabling all other
+ protocols.
*SSL_cipher_list*
diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm
index 8b59ed2..221b016 100644
--- a/lib/Net/IMAP/InterIMAP.pm
+++ b/lib/Net/IMAP/InterIMAP.pm
@@ -1694,32 +1694,34 @@ sub _start_ssl($$) {
my ($self, $socket) = @_;
my $openssl_version = Net::SSLeay::OPENSSL_VERSION_NUMBER();
my $ctx = Net::SSLeay::CTX_new() or $self->panic("Failed to create SSL_CTX $!");
- my $ssl_options = Net::SSLeay::OP_SINGLE_DH_USE() | Net::SSLeay::OP_SINGLE_ECDH_USE();
if (defined $self->{_OUTBUF} and $self->{_OUTBUF} ne '') {
$self->warn("Truncating non-empty output buffer (unauthenticated response injection?)");
undef $self->{_OUTBUF};
}
- $self->{SSL_protocols} //= q{!SSLv2 !SSLv3 !TLSv1 !TLSv1.1};
- my ($proto_include, $proto_exclude) = (0, 0);
- foreach (split /\s+/, $self->{SSL_protocols}) {
- my $neg = s/^!// ? 1 : 0;
- s/\.0$//;
- ($neg ? $proto_exclude : $proto_include) |= $SSL_proto{$_} // $self->panic("Unknown SSL protocol: $_");
- }
- if ($proto_include != 0) {
- # exclude all protocols except those explictly included
- my $x = 0;
- $x |= $_ foreach values %SSL_proto;
- $x &= ~ $proto_include;
- $proto_exclude |= $x;
- }
- my @proto_exclude = grep { ($proto_exclude & $SSL_proto{$_}) != 0 } keys %SSL_proto;
- $self->log("Disabling SSL protocols: ".join(', ', sort @proto_exclude)) if $self->{debug};
- $ssl_options |= $SSL_proto{$_} foreach @proto_exclude;
+ my $ssl_options = Net::SSLeay::OP_SINGLE_DH_USE() | Net::SSLeay::OP_SINGLE_ECDH_USE();
$ssl_options |= Net::SSLeay::OP_NO_COMPRESSION();
+ if (defined (my $protos = $self->{SSL_protocols})) {
+ my ($proto_include, $proto_exclude) = (0, 0);
+ foreach (split /\s+/, $protos) {
+ my $neg = s/^!// ? 1 : 0;
+ s/\.0$//;
+ ($neg ? $proto_exclude : $proto_include) |= $SSL_proto{$_} // $self->panic("Unknown SSL protocol: $_");
+ }
+ if ($proto_include != 0) {
+ # exclude all protocols except those explictly included
+ my $x = 0;
+ $x |= $_ foreach values %SSL_proto;
+ $x &= ~ $proto_include;
+ $proto_exclude |= $x;
+ }
+ my @proto_exclude = grep { ($proto_exclude & $SSL_proto{$_}) != 0 } keys %SSL_proto;
+ $self->log("Disabling SSL protocols: ".join(', ', sort @proto_exclude)) if $self->{debug};
+ $ssl_options |= $SSL_proto{$_} foreach @proto_exclude;
+ }
+
# https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html
Net::SSLeay::CTX_set_options($ctx, $ssl_options);
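Review bot: With `SSL_protocols` unset, the new `if (defined (my $protos = $self->{SSL_protocols}))` block is skipped entirely, so the debug log no longer records which protocol floor is in effect, and on a host whose libssl default still permits TLSv1 or TLSv1.1 the client no longer enforces TLSv1.2 as its minimum. I would add an `else` branch such as `$self->log("Using system default SSL protocols") if $self->{debug};` so the default case stays auditable, and state in the manpages that deployments needing a fixed floor must set `SSL_protocols` explicitly. Separately, the include path only masks the protocols listed in `%SSL_proto` (defined outside this hunk), so enabling one version presumably would not disable a future version that is missing from that table. `_start_ssl` begins and ends outside the hunk.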
diff --git a/tests/starttls/t b/tests/starttls/t
index 5f9bd4f..55caf99 100644
--- a/tests/starttls/t
+++ b/tests/starttls/t
@@ -21,7 +21,6 @@ grep -Fx "STARTTLS" <"$TMPDIR/capabilities" || error
grep -Fx "remote: C: 000000 STARTTLS" <"$STDERR" || error
grep -Fx "remote: C: 000001 CAPABILITY" <"$STDERR" || error
-grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1" <"$STDERR" || error
grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error
grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error
grep "^remote: SSL cipher: " <"$STDERR" || error
diff --git a/tests/tls-protocols/t b/tests/tls-protocols/t
index f34a95b..5444658 100644
--- a/tests/tls-protocols/t
+++ b/tests/tls-protocols/t
@@ -5,12 +5,7 @@ with_remote_tls_protocols() {
printf "SSL_protocols = %s\\n" "$*" >>"$XDG_CONFIG_HOME/interimap/config"
}
-# default
-interimap --debug || error
-grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1" <"$STDERR" || error
-grep -E "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error
-
-# also disable TLSv1.2
+# disable TLSv1.2 and earlier versions
with_remote_tls_protocols "!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" "!TLSv1.2"
interimap --debug || error
grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2" <"$STDERR" || error
diff --git a/tests/tls/t b/tests/tls/t
index 9fdd399..76f7c14 100644
--- a/tests/tls/t
+++ b/tests/tls/t
@@ -8,7 +8,6 @@ for ((i = 0; i < 32; i++)); do
done
interimap --debug || error
-grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1" <"$STDERR" || error
grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error
grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error
grep "^remote: SSL cipher: " <"$STDERR" || error