From e3b95b0da424e55682c8c7b025d9d272a4a35ffe Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Fri, 11 Dec 2020 15:09:15 +0100
Subject: libinterimap: remove default SSL_protocols value.

Namely, use the system default instead of "!SSLv2 !SSLv3 !TLSv1 !TLSv1.1".

As of Debian Buster (OpenSSL 1.1.1) this does not make a difference,
however using the system default provides better compatibility with
future libssl versions.
---
 Changelog                 | 10 ++++++++++
 doc/interimap.1.md        | 11 +++++------
 doc/pullimap.1.md         | 11 +++++------
 lib/Net/IMAP/InterIMAP.pm | 38 ++++++++++++++++++++------------------
 tests/starttls/t          |  1 -
 tests/tls-protocols/t     |  7 +------
 tests/tls/t               |  1 -
 7 files changed, 41 insertions(+), 38 deletions(-)

diff --git a/Changelog b/Changelog
index 42cac7a..b809cd3 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,13 @@
+interimap (0.5.5) upstream;
+
+ * libinterimap: remove default SSL_protocols value "!SSLv2 !SSLv3
+   !TLSv1 !TLSv1.1" and use the system default instead.  As of Debian
+   Buster (OpenSSL 1.1.1) this does not make a difference, however using
+   the system default provides better compatibility with future libssl
+   versions.
+
+ -- Guilhem Moulin <guilhem@fripost.org>  Fri, 11 Dec 2020 14:55:53 +0100
+
 interimap (0.5.4) upstream;
 
  * libinterimap: make SSL_verify also checks that the certificate
diff --git a/doc/interimap.1.md b/doc/interimap.1.md
index 5f19d66..9cfec7a 100644
--- a/doc/interimap.1.md
+++ b/doc/interimap.1.md
@@ -383,12 +383,11 @@ Valid options are:
 
 *SSL_protocols*
 
-:   A space-separated list of SSL protocols to enable or disable (if
-    prefixed with an exclamation mark `!`.  Known protocols are `SSLv2`,
-    `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`.  Enabling a
-    protocol is a short-hand for disabling all other protocols.
-    (Default: `!SSLv2 !SSLv3 !TLSv1 !TLSv1.1`, i.e., only enable TLSv1.2
-    and above.)
+:   A space-separated list of SSL protocols to explicitly enable or
+    disable (if prefixed with an exclamation mark `!`.  Known protocols
+    are `SSLv2`, `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`.
+    Enabling a protocol is a short-hand for disabling all other
+    protocols.
 
 *SSL_cipher_list*
 
diff --git a/doc/pullimap.1.md b/doc/pullimap.1.md
index ea93ed3..84cae46 100644
--- a/doc/pullimap.1.md
+++ b/doc/pullimap.1.md
@@ -202,12 +202,11 @@ Valid options are:
 
 *SSL_protocols*
 
-:   A space-separated list of SSL protocols to enable or disable (if
-    prefixed with an exclamation mark `!`.  Known protocols are `SSLv2`,
-    `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`.  Enabling a
-    protocol is a short-hand for disabling all other protocols.
-    (Default: `!SSLv2 !SSLv3 !TLSv1 !TLSv1.1`, i.e., only enable TLSv1.2
-    and above.)
+:   A space-separated list of SSL protocols to explicitly enable or
+    disable (if prefixed with an exclamation mark `!`.  Known protocols
+    are `SSLv2`, `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`.
+    Enabling a protocol is a short-hand for disabling all other
+    protocols.
 
 *SSL_cipher_list*
 
diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm
index 8b59ed2..221b016 100644
--- a/lib/Net/IMAP/InterIMAP.pm
+++ b/lib/Net/IMAP/InterIMAP.pm
@@ -1694,32 +1694,34 @@ sub _start_ssl($$) {
     my ($self, $socket) = @_;
     my $openssl_version = Net::SSLeay::OPENSSL_VERSION_NUMBER();
     my $ctx = Net::SSLeay::CTX_new() or $self->panic("Failed to create SSL_CTX $!");
-    my $ssl_options = Net::SSLeay::OP_SINGLE_DH_USE() | Net::SSLeay::OP_SINGLE_ECDH_USE();
 
     if (defined $self->{_OUTBUF} and $self->{_OUTBUF} ne '') {
         $self->warn("Truncating non-empty output buffer (unauthenticated response injection?)");
         undef $self->{_OUTBUF};
     }
 
-    $self->{SSL_protocols} //= q{!SSLv2 !SSLv3 !TLSv1 !TLSv1.1};
-    my ($proto_include, $proto_exclude) = (0, 0);
-    foreach (split /\s+/, $self->{SSL_protocols}) {
-        my $neg = s/^!// ? 1 : 0;
-        s/\.0$//;
-        ($neg ? $proto_exclude : $proto_include) |= $SSL_proto{$_} // $self->panic("Unknown SSL protocol: $_");
-    }
-    if ($proto_include != 0) {
-        # exclude all protocols except those explictly included
-        my $x = 0;
-        $x |= $_ foreach values %SSL_proto;
-        $x &= ~ $proto_include;
-        $proto_exclude |= $x;
-    }
-    my @proto_exclude = grep { ($proto_exclude & $SSL_proto{$_}) != 0 } keys %SSL_proto;
-    $self->log("Disabling SSL protocols: ".join(', ', sort @proto_exclude)) if $self->{debug};
-    $ssl_options |= $SSL_proto{$_} foreach @proto_exclude;
+    my $ssl_options = Net::SSLeay::OP_SINGLE_DH_USE() | Net::SSLeay::OP_SINGLE_ECDH_USE();
     $ssl_options |= Net::SSLeay::OP_NO_COMPRESSION();
 
+    if (defined (my $protos = $self->{SSL_protocols})) {
+        my ($proto_include, $proto_exclude) = (0, 0);
+        foreach (split /\s+/, $protos) {
+            my $neg = s/^!// ? 1 : 0;
+            s/\.0$//;
+            ($neg ? $proto_exclude : $proto_include) |= $SSL_proto{$_} // $self->panic("Unknown SSL protocol: $_");
+        }
+        if ($proto_include != 0) {
+            # exclude all protocols except those explictly included
+            my $x = 0;
+            $x |= $_ foreach values %SSL_proto;
+            $x &= ~ $proto_include;
+            $proto_exclude |= $x;
+        }
+        my @proto_exclude = grep { ($proto_exclude & $SSL_proto{$_}) != 0 } keys %SSL_proto;
+        $self->log("Disabling SSL protocols: ".join(', ', sort @proto_exclude)) if $self->{debug};
+        $ssl_options |= $SSL_proto{$_} foreach @proto_exclude;
+    }
+
     # https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html
     Net::SSLeay::CTX_set_options($ctx, $ssl_options);
 
diff --git a/tests/starttls/t b/tests/starttls/t
index 5f9bd4f..55caf99 100644
--- a/tests/starttls/t
+++ b/tests/starttls/t
@@ -21,7 +21,6 @@ grep -Fx "STARTTLS"  <"$TMPDIR/capabilities" || error
 grep -Fx "remote: C: 000000 STARTTLS"   <"$STDERR" || error
 grep -Fx "remote: C: 000001 CAPABILITY" <"$STDERR" || error
 
-grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1" <"$STDERR" || error
 grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error
 grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error
 grep "^remote: SSL cipher: " <"$STDERR" || error
diff --git a/tests/tls-protocols/t b/tests/tls-protocols/t
index f34a95b..5444658 100644
--- a/tests/tls-protocols/t
+++ b/tests/tls-protocols/t
@@ -5,12 +5,7 @@ with_remote_tls_protocols() {
     printf "SSL_protocols = %s\\n" "$*" >>"$XDG_CONFIG_HOME/interimap/config"
 }
 
-# default
-interimap --debug || error
-grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1" <"$STDERR" || error
-grep -E "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error
-
-# also disable TLSv1.2
+# disable TLSv1.2 and earlier versions
 with_remote_tls_protocols "!SSLv2" "!SSLv3" "!TLSv1" "!TLSv1.1" "!TLSv1.2"
 interimap --debug || error
 grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2" <"$STDERR" || error
diff --git a/tests/tls/t b/tests/tls/t
index 9fdd399..76f7c14 100644
--- a/tests/tls/t
+++ b/tests/tls/t
@@ -8,7 +8,6 @@ for ((i = 0; i < 32; i++)); do
 done
 
 interimap --debug || error
-grep -Fx "remote: Disabling SSL protocols: SSLv3, TLSv1, TLSv1.1" <"$STDERR" || error
 grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error
 grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error
 grep "^remote: SSL cipher: " <"$STDERR" || error
-- 
cgit v1.2.3