
enable TLS 1.1 and 1.2 by default

there is no reason not to, and debian even disabled 1.0 globally,
because it's (theoretically) too insecure in some contexts (BEAST
attack).

in the compat wrapper, the UseTLSv1 option has been re-interpreted as
v1.x, to avoid adding new options.
Oswald Buddenhagen il y a 7 ans
Parent
commit
47bdbb4aab
4 fichiers modifiés avec 8 ajouts et 7 suppressions
  1. 3 2
      src/compat/config.c
  2. 1 1
      src/compat/isync.1
  3. 2 2
      src/drv_imap.c
  4. 2 2
      src/mbsync.1

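--- a/src/compat/config.c
+++ b/src/compat/config.c
@@ -316,9 +316,10 @@ write_imap_server( FILE *fp, config_t *cfg )
 	if (cfg->pass)
 		fprintf( fp, "Pass %s\n", quotify( cfg->pass ) );
 	fprintf( fp, "RequireCRAM %s\nRequireSSL %s\n"
-	             "UseSSLv2 %s\nUseSSLv3 %s\nUseTLSv1 %s\n",
+	             "UseSSLv2 %s\nUseSSLv3 %s\nUseTLSv1 %s\nUseTLSv1.1 %s\nUseTLSv1.2 %s\n",
 	             tb(cfg->require_cram), tb(cfg->require_ssl),
-	             tb(cfg->use_sslv2), tb(cfg->use_sslv3), tb(cfg->use_tlsv1) );
+	             tb(cfg->use_sslv2), tb(cfg->use_sslv3),
+	             tb(cfg->use_tlsv1), tb(cfg->use_tlsv1), tb(cfg->use_tlsv1) );
 	if ((cfg->use_imaps || cfg->use_sslv2 || cfg->use_sslv3 || cfg->use_tlsv1) &&
 	    cfg->cert_file)
 		fprintf( fp, "CertificateFile %s\n", quotify( cfg->cert_file ) );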
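Review bot: The three TLS options written by the `fprintf` on the new lines are all derived from the single legacy `cfg->use_tlsv1` flag, so an old config carrying `UseTLSv1 no` (typically set to work around a server that choked on TLS 1.0) is now converted into one that also disables TLS 1.1 and 1.2, leaving only whatever SSLv2/SSLv3 settings remain — the opposite of what this commit sets out to do. If that mapping is intended, say so where the flag is reused, e.g. `/* legacy UseTLSv1 means "any TLS 1.x": a "no" also disables 1.1 and 1.2 */`; if not, the 1.1/1.2 values should be emitted independently of `use_tlsv1`. The CertificateFile condition a few lines below tests the same flag, so it stays consistent either way. write_imap_server starts before this hunk.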

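--- a/src/compat/isync.1
+++ b/src/compat/isync.1
@@ -278,7 +278,7 @@ Should \fBisync\fR use SSLv3 for communication with the IMAP server over SSL?
 ..
 .TP
 \fBUseTLSv1\fR \fIyes\fR|\fIno\fR
-Should \fBisync\fR use TLSv1 for communication with the IMAP server over SSL?
+Should \fBisync\fR use TLSv1.x for communication with the IMAP server over SSL?
 (Default: \fIyes\fR)
 ..
 .TP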

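--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -2767,7 +2767,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 				arg += 6;
 				server->ssl_type = SSL_IMAPS;
 				if (server->sconf.ssl_versions == -1)
-					server->sconf.ssl_versions = SSLv2 | SSLv3 | TLSv1;
+					server->sconf.ssl_versions = SSLv2 | SSLv3 | TLSv1 | TLSv1_1 | TLSv1_2;
 			} else
 #endif
 			if (starts_with( arg, -1, "imap:", 5 ))
@@ -2930,7 +2930,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 			}
 		} else {
 			if (server->sconf.ssl_versions < 0)
-				server->sconf.ssl_versions = TLSv1; /* Most compatible and still reasonably secure. */
+				server->sconf.ssl_versions = TLSv1 | TLSv1_1 | TLSv1_2;
 			if (server->ssl_type < 0)
 				server->ssl_type = server->sconf.tunnel ? SSL_None : SSL_STARTTLS;
 		}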
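Review bot: The `imaps:` default on the first hunk's new line still includes `SSLv2 | SSLv3` next to the three TLS versions, while the STARTTLS default in the second hunk is TLS-only and the mbsync.1 text in this same commit documents the default as TLSv1/TLSv1.1/TLSv1.2 with SSLv2 "strongly discouraged"; depending on how `ssl_versions` is mapped onto the OpenSSL context (not visible here), a default set that still admits SSLv2/SSLv3 lets an active attacker on the implicit-TLS port steer the handshake to those versions. Unless something outside the hunk filters them, consider `server->sconf.ssl_versions = TLSv1 | TLSv1_1 | TLSv1_2;` there as well, so both defaults agree with the documentation and SSLv2/SSLv3 stay opt-in via the explicit version option. The two hunks also test the unset sentinel differently (`== -1` versus `< 0`); using one form in both places would make the intent clearer. imap_parse_store starts before the first hunk and continues past the second.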

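--- a/src/mbsync.1
+++ b/src/mbsync.1
@@ -337,8 +337,8 @@ right after connecting the secure IMAP port 993.
 Select the acceptable SSL/TLS versions.
 Use of SSLv2 is strongly discouraged for security reasons, but might be the
 only option on some very old servers.
-Generally, the newest TLS version is recommended, but as this confuses some
-servers, \fBTLSv1\fR is the default.
+Use old versions only when the server has problems with newer ones.
+(Default: [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR]).
 ..
 .TP
 \fBSystemCertificates\fR \fByes\fR|\fBno\fR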