From: Guilhem Moulin Date: Mon, 4 Jan 2021 10:19:53 +0100 Subject: Restore compatibility with Net::SSLeay 1.83 Buster has Net::SSLeay 1.85 so we can't use Net::SSLeay::version() in debug mode (we have to use the version number → protocol name map instead), and can use Net::SSLeay::CTX_set_ciphersuites() to set TLSv1.3 ciphersuites. It's unfortunate that Net::SSLeay manual doesn't say when these function were added… This partially reverts commits 55b8c321048b1d4ebfbd30968e11d2a68ee4d242, 35f4ecefa9c9ff55acfdb337b215e3d13345c86d and 57988c83bb4b3f1780f045880ac4a8f36a51c55c. Forwarded: not-needed --- doc/interimap.1.md | 6 +++--- doc/pullimap.1.md | 4 ++-- lib/Net/IMAP/InterIMAP.pm | 18 ++++++++++-------- tests/tls-ciphers/t | 9 --------- 4 files changed, 15 insertions(+), 22 deletions(-) diff --git a/doc/interimap.1.md b/doc/interimap.1.md index 03adbf5..58c8e98 100644 --- a/doc/interimap.1.md +++ b/doc/interimap.1.md @@ -401,10 +401,10 @@ Valid options are: `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`, depending on the OpenSSL version used. -*SSL_cipherlist*, *SSL_ciphersuites* +*SSL_cipherlist* -: Sets the TLSv1.2 and below cipher list resp. TLSv1.3 cipher suites. - The combination of these lists is sent to the server, which then +: Sets the TLSv1.2 and below cipher list. + This list is sent to the server, which then determines which cipher to use (normally the first supported one from the list sent by the client). The default suites depend on the OpenSSL version and its configuration, see [`ciphers`(1ssl)] for diff --git a/doc/pullimap.1.md b/doc/pullimap.1.md index 900221a..c2fcee0 100644 --- a/doc/pullimap.1.md +++ b/doc/pullimap.1.md @@ -222,8 +222,8 @@ Valid options are: *SSL_cipherlist*, *SSL_ciphersuites* -: Sets the TLSv1.2 and below cipher list resp. TLSv1.3 cipher suites. - The combination of these lists is sent to the server, which then +: Sets the TLSv1.2 and below cipher list. + This list is sent to the server, which then determines which cipher to use (normally the first supported one from the list sent by the client). The default suites depend on the OpenSSL version and its configuration, see [`ciphers`(1ssl)] for diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm index a171554..cc5436b 100644 --- a/lib/Net/IMAP/InterIMAP.pm +++ b/lib/Net/IMAP/InterIMAP.pm @@ -24,7 +24,7 @@ use strict; use Compress::Raw::Zlib qw/Z_OK Z_STREAM_END Z_FULL_FLUSH Z_SYNC_FLUSH MAX_WBITS/; use Config::Tiny (); use Errno qw/EEXIST EINTR/; -use Net::SSLeay 1.86_06 (); +use Net::SSLeay 1.83 (); use List::Util qw/all first/; use POSIX ':signal_h'; use Socket qw/SOCK_STREAM SOCK_RAW SOCK_CLOEXEC IPPROTO_TCP SHUT_RDWR @@ -67,7 +67,6 @@ my %OPTIONS = ( SSL_protocol_max => qr/\A(\P{Control}+)\z/, SSL_fingerprint => qr/\A((?:[A-Za-z0-9]+\$)?\p{AHex}+(?: (?:[A-Za-z0-9]+\$)?\p{AHex}+)*)\z/, SSL_cipherlist => qr/\A(\P{Control}+)\z/, - SSL_ciphersuites => qr/\A(\P{Control}*)\z/, # "an empty list is permissible" SSL_hostname => qr/\A(\P{Control}*)\z/, SSL_verify => qr/\A(YES|NO)\z/i, SSL_CApath => qr/\A(\P{Control}+)\z/, @@ -1767,9 +1766,6 @@ sub _start_ssl($$) { if (defined (my $str = $self->{SSL_cipherlist})) { $self->_ssl_error("SSL_CTX_set_cipher_list()") unless Net::SSLeay::CTX_set_cipher_list($ctx, $str) == 1; } - if (defined (my $str = $self->{SSL_ciphersuites})) { - $self->_ssl_error("SSL_CTX_set_ciphersuites()") unless Net::SSLeay::CTX_set_ciphersuites($ctx, $str) == 1; - } my $vpm = Net::SSLeay::X509_VERIFY_PARAM_new() or $self->_ssl_error("X509_VERIFY_PARAM_new()"); my $purpose = Net::SSLeay::X509_PURPOSE_SSL_SERVER(); @@ -1823,9 +1819,15 @@ sub _start_ssl($$) { Net::SSLeay::X509_VERIFY_PARAM_free($vpm); if ($self->{debug}) { - $self->log(sprintf('SSL protocol: %s (0x%x)', - , Net::SSLeay::get_version($ssl) - , Net::SSLeay::version($ssl))); + my $v = Net::SSLeay::version($ssl); + $self->log(sprintf('SSL protocol: %s (0x%x)', ($v == 0x0002 ? 'SSLv2' : + $v == 0x0300 ? 'SSLv3' : + $v == 0x0301 ? 'TLSv1' : + $v == 0x0302 ? 'TLSv1.1' : + $v == 0x0303 ? 'TLSv1.2' : + $v == 0x0304 ? 'TLSv1.3' : + '??'), + $v)); $self->log(sprintf('SSL cipher: %s (%d bits)' , Net::SSLeay::get_cipher($ssl) , Net::SSLeay::get_cipher_bits($ssl))); diff --git a/tests/tls-ciphers/t b/tests/tls-ciphers/t index 0dfc771..677c8c1 100644 --- a/tests/tls-ciphers/t +++ b/tests/tls-ciphers/t @@ -15,17 +15,8 @@ grep -Fx "remote: SSL cipher: DHE-RSA-AES128-SHA256 (128 bits)" <"$STDERR" || er with_remote_config <<-EOF SSL_protocol_max = TLSv1.2 SSL_cipherlist = NONEXISTENT:ECDHE-RSA-AES256-SHA384:ALL:!COMPLEMENTOFDEFAULT:!eNULL - SSL_ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 EOF interimap --debug || error grep -Fx "remote: SSL cipher: ECDHE-RSA-AES256-SHA384 (256 bits)" <"$STDERR" || error -with_remote_config <<-EOF - SSL_protocol_min = TLSv1.3 - SSL_cipherlist = DHE-RSA-AES128-SHA256 - SSL_ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 -EOF -interimap --debug || error -grep -Fx "remote: SSL cipher: TLS_CHACHA20_POLY1305_SHA256 (256 bits)" <"$STDERR" || error - # vim: set filetype=sh :