Home Explore Help
Sign In
noah
/
isync
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

add support for (disabling) TLS v1.3

this is actually potentially counterproductive, as people who have set
SSLVersions and fail to adjust it will _lose_ tls 1.3 support. however,
without the option being there, people (incorrectly) believe that tls
1.3 is not supported.
Oswald Buddenhagen 5 years ago
parent
990cc112f1
commit
d09f988c70
5 changed files with 20 additions and 8 deletions
Unified View Show Diff Stats
  1. 2 0
      NEWS
  2. 10 5
      src/drv_imap.c
  3. 2 2
      src/mbsync.1
  4. 4 0
      src/socket.c
  5. 2 1
      src/socket.h

+ 2 - 0
NEWS
View File 

@@ -2,6 +2,8 @@
 
 
 
 The 'isync' compatibility wrapper was removed.
 
 The 'isync' compatibility wrapper was removed.
 
 
 
+Added support for disabling TLS v1.3 - adjust SSLVersions if you set it.
 
+
 
 The IMAP '$Forwarded' / Maildir 'P' (passed) flag is supported now.
 
 The IMAP '$Forwarded' / Maildir 'P' (passed) flag is supported now.
 
 
 
 Support for configuring a TLS cipher string was added.
 
 Support for configuring a TLS cipher string was added.

+ 10 - 5
src/drv_imap.c
View File 

@@ -3194,7 +3194,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 
 #ifdef HAVE_LIBSSL
 
 #ifdef HAVE_LIBSSL
 
 	/* Legacy SSL options */
 
 	/* Legacy SSL options */
 
 	int require_ssl = -1, use_imaps = -1;
 
 	int require_ssl = -1, use_imaps = -1;
 
-	int use_sslv3 = -1, use_tlsv1 = -1, use_tlsv11 = -1, use_tlsv12 = -1;
 
+	int use_sslv3 = -1, use_tlsv1 = -1, use_tlsv11 = -1, use_tlsv12 = -1, use_tlsv13 = -1;
 
 #endif
 
 #endif
 
 	/* Legacy SASL option */
 
 	/* Legacy SASL option */
 
 	int require_cram = -1;
 
 	int require_cram = -1;
 
@@ -3234,7 +3234,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 
 				arg += 6;
 
 				arg += 6;
 
 				server->ssl_type = SSL_IMAPS;
 
 				server->ssl_type = SSL_IMAPS;
 
 				if (server->sconf.ssl_versions == -1)
 
 				if (server->sconf.ssl_versions == -1)
 
-					server->sconf.ssl_versions = SSLv3 | TLSv1 | TLSv1_1 | TLSv1_2;
 
+					server->sconf.ssl_versions = SSLv3 | TLSv1 | TLSv1_1 | TLSv1_2 | TLSv1_3;
 
 			} else
 
 			} else
 
 #endif
 
 #endif
 
 			if (starts_with( arg, -1, "imap:", 5 ))
 
 			if (starts_with( arg, -1, "imap:", 5 ))
 
@@ -3333,6 +3333,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 
 					server->sconf.ssl_versions |= TLSv1_1;
 
 					server->sconf.ssl_versions |= TLSv1_1;
 
 				} else if (!strcasecmp( "TLSv1.2", arg )) {
 
 				} else if (!strcasecmp( "TLSv1.2", arg )) {
 
 					server->sconf.ssl_versions |= TLSv1_2;
 
 					server->sconf.ssl_versions |= TLSv1_2;
 
+				} else if (!strcasecmp( "TLSv1.3", arg )) {
 
+					server->sconf.ssl_versions |= TLSv1_3;
 
 				} else {
 
 				} else {
 
 					error( "%s:%d: Unrecognized SSL version\n", cfg->file, cfg->line );
 
 					error( "%s:%d: Unrecognized SSL version\n", cfg->file, cfg->line );
 
 					cfg->err = 1;
 
 					cfg->err = 1;
 
@@ -3352,6 +3354,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 
 			use_tlsv11 = parse_bool( cfg );
 
 			use_tlsv11 = parse_bool( cfg );
 
 		else if (!strcasecmp( "UseTLSv1.2", cfg->cmd ))
 
 		else if (!strcasecmp( "UseTLSv1.2", cfg->cmd ))
 
 			use_tlsv12 = parse_bool( cfg );
 
 			use_tlsv12 = parse_bool( cfg );
 
+		else if (!strcasecmp( "UseTLSv1.3", cfg->cmd ))
 
+			use_tlsv13 = parse_bool( cfg );
 
 #endif
 
 #endif
 
 		else if (!strcasecmp( "AuthMech", cfg->cmd ) ||
 
 		else if (!strcasecmp( "AuthMech", cfg->cmd ) ||
 
 		         !strcasecmp( "AuthMechs", cfg->cmd )) {
 
 		         !strcasecmp( "AuthMechs", cfg->cmd )) {
 
@@ -3412,7 +3416,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 
 			return 1;
 
 			return 1;
 
 		}
 
 		}
 
 #ifdef HAVE_LIBSSL
 
 #ifdef HAVE_LIBSSL
 
-		if ((use_sslv3 & use_tlsv1 & use_tlsv11 & use_tlsv12) != -1 || use_imaps >= 0 || require_ssl >= 0) {
 
+		if ((use_sslv3 & use_tlsv1 & use_tlsv11 & use_tlsv12 & use_tlsv13) != -1 || use_imaps >= 0 || require_ssl >= 0) {
 
 			if (server->ssl_type >= 0 || server->sconf.ssl_versions >= 0) {
 
 			if (server->ssl_type >= 0 || server->sconf.ssl_versions >= 0) {
 
 				error( "%s '%s': The deprecated UseSSL*, UseTLS*, UseIMAPS, and RequireSSL options are mutually exclusive with SSLType and SSLVersions.\n", type, name );
 
 				error( "%s '%s': The deprecated UseSSL*, UseTLS*, UseIMAPS, and RequireSSL options are mutually exclusive with SSLType and SSLVersions.\n", type, name );
 
 				cfg->err = 1;
 
 				cfg->err = 1;
 
@@ -3423,7 +3427,8 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 
 					(use_sslv3 != 1 ? 0 : SSLv3) |
 
 					(use_sslv3 != 1 ? 0 : SSLv3) |
 
 					(use_tlsv1 == 0 ? 0 : TLSv1) |
 
 					(use_tlsv1 == 0 ? 0 : TLSv1) |
 
 					(use_tlsv11 != 1 ? 0 : TLSv1_1) |
 
 					(use_tlsv11 != 1 ? 0 : TLSv1_1) |
 
-					(use_tlsv12 != 1 ? 0 : TLSv1_2);
 
+					(use_tlsv12 != 1 ? 0 : TLSv1_2) |
 
+					(use_tlsv13 != 1 ? 0 : TLSv1_3);
 
 			if (use_imaps == 1) {
 
 			if (use_imaps == 1) {
 
 				server->ssl_type = SSL_IMAPS;
 
 				server->ssl_type = SSL_IMAPS;
 
 			} else if (require_ssl) {
 
 			} else if (require_ssl) {
 
@@ -3441,7 +3446,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 
 			}
 
 			}
 
 		} else {
 
 		} else {
 
 			if (server->sconf.ssl_versions < 0)
 
 			if (server->sconf.ssl_versions < 0)
 
-				server->sconf.ssl_versions = TLSv1 | TLSv1_1 | TLSv1_2;
 
+				server->sconf.ssl_versions = TLSv1 | TLSv1_1 | TLSv1_2 | TLSv1_3;
 
 			if (server->ssl_type < 0)
 
 			if (server->ssl_type < 0)
 
 				server->ssl_type = server->sconf.tunnel ? SSL_None : SSL_STARTTLS;
 
 				server->ssl_type = server->sconf.tunnel ? SSL_None : SSL_STARTTLS;
 
 		}
 
 		}

+ 2 - 2
src/mbsync.1
View File 

@@ -363,10 +363,10 @@ so it is the default (unless a tunnel is used).
 
 right after connecting the secure IMAP port 993.
 
 right after connecting the secure IMAP port 993.
 
 .
 
 .
 
 .TP
 
 .TP
 
-\fBSSLVersions\fR [\fBSSLv3\fR] [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR]
 
+\fBSSLVersions\fR [\fBSSLv3\fR] [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR] [\fBTLSv1.3\fR]
 
 Select the acceptable SSL/TLS versions.
 
 Select the acceptable SSL/TLS versions.
 
 Use old versions only when the server has problems with newer ones.
 
 Use old versions only when the server has problems with newer ones.
 
-(Default: [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR]).
 
+(Default: [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR] [\fBTLSv1.3\fR]).
 
 .
 
 .
 
 .TP
 
 .TP
 
 \fBSystemCertificates\fR \fByes\fR|\fBno\fR
 
 \fBSystemCertificates\fR \fByes\fR|\fBno\fR

+ 4 - 0
src/socket.c
View File 

@@ -260,6 +260,10 @@ init_ssl_ctx( const server_conf_t *conf )
 
 	if (!(conf->ssl_versions & TLSv1_2))
 
 	if (!(conf->ssl_versions & TLSv1_2))
 
 		options |= SSL_OP_NO_TLSv1_2;
 
 		options |= SSL_OP_NO_TLSv1_2;
 
 #endif
 
 #endif
 
+#ifdef SSL_OP_NO_TLSv1_3
 
+	if (!(conf->ssl_versions & TLSv1_3))
 
+		options |= SSL_OP_NO_TLSv1_3;
 
+#endif
 
 
 
 	SSL_CTX_set_options( mconf->SSLContext, options );
 
 	SSL_CTX_set_options( mconf->SSLContext, options );

+ 2 - 1
src/socket.h
View File 

@@ -36,7 +36,8 @@ enum {
 
 	SSLv3 = 2,
 
 	SSLv3 = 2,
 
 	TLSv1 = 4,
 
 	TLSv1 = 4,
 
 	TLSv1_1 = 8,
 
 	TLSv1_1 = 8,
 
-	TLSv1_2 = 16
 
+	TLSv1_2 = 16,
 
+	TLSv1_3 = 32
 
 };
 
 };
 
 #endif
 
 #endif