1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
|
From: Guilhem Moulin <guilhem@debian.org>
Date: Mon, 4 Jan 2021 10:19:53 +0100
Subject: Restore compatibility with Net::SSLeay 1.83
Buster has Net::SSLeay 1.85 so we can't use Net::SSLeay::version() in
debug mode (we have to use the version number → protocol name map
instead), and can use Net::SSLeay::CTX_set_ciphersuites() to set TLSv1.3
ciphersuites.
It's unfortunate that Net::SSLeay manual doesn't say when these function
were added…
This partially reverts commits 55b8c321048b1d4ebfbd30968e11d2a68ee4d242,
35f4ecefa9c9ff55acfdb337b215e3d13345c86d and
57988c83bb4b3f1780f045880ac4a8f36a51c55c.
Forwarded: not-needed
---
doc/interimap.1.md | 6 +++---
doc/pullimap.1.md | 4 ++--
lib/Net/IMAP/InterIMAP.pm | 18 ++++++++++--------
tests/tls-ciphers/t | 9 ---------
4 files changed, 15 insertions(+), 22 deletions(-)
diff --git a/doc/interimap.1.md b/doc/interimap.1.md
index 03adbf5..58c8e98 100644
--- a/doc/interimap.1.md
+++ b/doc/interimap.1.md
@@ -401,10 +401,10 @@ Valid options are:
`TLSv1.1`, `TLSv1.2`, and `TLSv1.3`, depending on the OpenSSL
version used.
-*SSL_cipherlist*, *SSL_ciphersuites*
+*SSL_cipherlist*
-: Sets the TLSv1.2 and below cipher list resp. TLSv1.3 cipher suites.
- The combination of these lists is sent to the server, which then
+: Sets the TLSv1.2 and below cipher list.
+ This list is sent to the server, which then
determines which cipher to use (normally the first supported one
from the list sent by the client). The default suites depend on the
OpenSSL version and its configuration, see [`ciphers`(1ssl)] for
diff --git a/doc/pullimap.1.md b/doc/pullimap.1.md
index 900221a..c2fcee0 100644
--- a/doc/pullimap.1.md
+++ b/doc/pullimap.1.md
@@ -222,8 +222,8 @@ Valid options are:
*SSL_cipherlist*, *SSL_ciphersuites*
-: Sets the TLSv1.2 and below cipher list resp. TLSv1.3 cipher suites.
- The combination of these lists is sent to the server, which then
+: Sets the TLSv1.2 and below cipher list.
+ This list is sent to the server, which then
determines which cipher to use (normally the first supported one
from the list sent by the client). The default suites depend on the
OpenSSL version and its configuration, see [`ciphers`(1ssl)] for
diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm
index a171554..cc5436b 100644
--- a/lib/Net/IMAP/InterIMAP.pm
+++ b/lib/Net/IMAP/InterIMAP.pm
@@ -24,7 +24,7 @@ use strict;
use Compress::Raw::Zlib qw/Z_OK Z_STREAM_END Z_FULL_FLUSH Z_SYNC_FLUSH MAX_WBITS/;
use Config::Tiny ();
use Errno qw/EEXIST EINTR/;
-use Net::SSLeay 1.86_06 ();
+use Net::SSLeay 1.83 ();
use List::Util qw/all first/;
use POSIX ':signal_h';
use Socket qw/SOCK_STREAM SOCK_RAW SOCK_CLOEXEC IPPROTO_TCP SHUT_RDWR
@@ -67,7 +67,6 @@ my %OPTIONS = (
SSL_protocol_max => qr/\A(\P{Control}+)\z/,
SSL_fingerprint => qr/\A((?:[A-Za-z0-9]+\$)?\p{AHex}+(?: (?:[A-Za-z0-9]+\$)?\p{AHex}+)*)\z/,
SSL_cipherlist => qr/\A(\P{Control}+)\z/,
- SSL_ciphersuites => qr/\A(\P{Control}*)\z/, # "an empty list is permissible"
SSL_hostname => qr/\A(\P{Control}*)\z/,
SSL_verify => qr/\A(YES|NO)\z/i,
SSL_CApath => qr/\A(\P{Control}+)\z/,
@@ -1767,9 +1766,6 @@ sub _start_ssl($$) {
if (defined (my $str = $self->{SSL_cipherlist})) {
$self->_ssl_error("SSL_CTX_set_cipher_list()") unless Net::SSLeay::CTX_set_cipher_list($ctx, $str) == 1;
}
- if (defined (my $str = $self->{SSL_ciphersuites})) {
- $self->_ssl_error("SSL_CTX_set_ciphersuites()") unless Net::SSLeay::CTX_set_ciphersuites($ctx, $str) == 1;
- }
my $vpm = Net::SSLeay::X509_VERIFY_PARAM_new() or $self->_ssl_error("X509_VERIFY_PARAM_new()");
my $purpose = Net::SSLeay::X509_PURPOSE_SSL_SERVER();
@@ -1823,9 +1819,15 @@ sub _start_ssl($$) {
Net::SSLeay::X509_VERIFY_PARAM_free($vpm);
if ($self->{debug}) {
- $self->log(sprintf('SSL protocol: %s (0x%x)',
- , Net::SSLeay::get_version($ssl)
- , Net::SSLeay::version($ssl)));
+ my $v = Net::SSLeay::version($ssl);
+ $self->log(sprintf('SSL protocol: %s (0x%x)', ($v == 0x0002 ? 'SSLv2' :
+ $v == 0x0300 ? 'SSLv3' :
+ $v == 0x0301 ? 'TLSv1' :
+ $v == 0x0302 ? 'TLSv1.1' :
+ $v == 0x0303 ? 'TLSv1.2' :
+ $v == 0x0304 ? 'TLSv1.3' :
+ '??'),
+ $v));
$self->log(sprintf('SSL cipher: %s (%d bits)'
, Net::SSLeay::get_cipher($ssl)
, Net::SSLeay::get_cipher_bits($ssl)));
diff --git a/tests/tls-ciphers/t b/tests/tls-ciphers/t
index 0dfc771..677c8c1 100644
--- a/tests/tls-ciphers/t
+++ b/tests/tls-ciphers/t
@@ -15,17 +15,8 @@ grep -Fx "remote: SSL cipher: DHE-RSA-AES128-SHA256 (128 bits)" <"$STDERR" || er
with_remote_config <<-EOF
SSL_protocol_max = TLSv1.2
SSL_cipherlist = NONEXISTENT:ECDHE-RSA-AES256-SHA384:ALL:!COMPLEMENTOFDEFAULT:!eNULL
- SSL_ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
EOF
interimap --debug || error
grep -Fx "remote: SSL cipher: ECDHE-RSA-AES256-SHA384 (256 bits)" <"$STDERR" || error
-with_remote_config <<-EOF
- SSL_protocol_min = TLSv1.3
- SSL_cipherlist = DHE-RSA-AES128-SHA256
- SSL_ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
-EOF
-interimap --debug || error
-grep -Fx "remote: SSL cipher: TLS_CHACHA20_POLY1305_SHA256 (256 bits)" <"$STDERR" || error
-
# vim: set filetype=sh :
|
