WHERE char *SslCertFile INITVAL (NULL);
WHERE char *SslClientCert INITVAL (NULL);
WHERE char *SslEntropyFile INITVAL (NULL);
+WHERE char *SslCiphers INITVAL (NULL);
#ifdef USE_SSL_GNUTLS
WHERE short SslDHPrimeBits;
WHERE char *SslCACertFile INITVAL (NULL);
** URL. You should only unset this for particular known hosts, using
** the \fC$<account-hook>\fP function.
*/
+ { "ssl_ciphers", DT_STR, R_NONE, UL &SslCiphers, UL 0 },
+ /*
+ ** .pp
+ ** Contains a colon-seperated list of ciphers to use when using SSL.
+ ** For OpenSSL, see ciphers(1) for the syntax of the string.
+ ** .pp
+ ** For GnuTLS, this option will be used in place of "NORMAL" at the
+ ** start of the priority string. See gnutls_priority_init(3) for the
+ ** syntax and more details. (Note: GnuTLS version 2.1.7 or higher is
+ ** required.)
+ */
#endif /* defined(USE_SSL) */
{ "status_chars", DT_STR, R_BOTH, UL &StChars, UL "-*%A" },
/*
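Review bot: The new option text has a typo in `** Contains a colon-seperated list of ciphers` — it should read `colon-separated`. The description also leaves the failure behaviour unstated: a reader cannot tell whether a string the TLS library rejects aborts the connection or is ignored, nor what happens on a GnuTLS older than 2.1.7 beyond "required". One sentence such as `** If the string is rejected by the TLS library, the connection is aborted.` would settle that, once the code paths agree on it — in this commit the mutt_ssl_starttls call site checks the SSL_CTX_set_cipher_list result while the other OpenSSL call site does not.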
ssl_get_client_cert(ssldata, conn);
+ if (SslCiphers) {
+ if (!SSL_CTX_set_cipher_list (ssldata->ctx, SslCiphers)) {
+ dprint (1, (debugfile, "mutt_ssl_starttls: Could not select prefered ciphers\n"));
+ goto bail_ctx;
+ }
+ }
+
if (! (ssldata->ssl = SSL_new (ssldata->ctx)))
{
dprint (1, (debugfile, "mutt_ssl_starttls: Error allocating SSL\n"));
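Review bot: A rejected cipher string is reported only through `dprint` at debug level 1 before the `goto bail_ctx`, so a user whose `$ssl_ciphers` matches nothing gets a failed STARTTLS with no indication why; the GnuTLS fallback in this same commit uses `mutt_error` for its corresponding case. Consider `mutt_error (_("Could not select preferred ciphers"));` next to the dprint, and fix the spelling of "prefered" in the debug message while there. The enclosing mutt_ssl_starttls body, including the `bail_ctx` label, is outside the hunk.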
ssl_get_client_cert(data, conn);
+ if (SslCiphers) {
+ SSL_CTX_set_cipher_list (data->ctx, SslCiphers);
+ }
+
data->ssl = SSL_new (data->ctx);
SSL_set_fd (data->ssl, conn->fd);
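Review bot: The return value of `SSL_CTX_set_cipher_list (data->ctx, SslCiphers)` is discarded here, unlike the mutt_ssl_starttls hunk that checks it. When OpenSSL cannot match any cipher in the string it reports failure and the context keeps its previous (default) list, so the connection proceeds with exactly the ciphers the user tried to exclude, silently. Fail the connection instead, mirroring the other call site: `if (SslCiphers && !SSL_CTX_set_cipher_list (data->ctx, SslCiphers)) { mutt_error (_("Could not select preferred ciphers")); ... }` followed by whatever cleanup this function uses on its error path; that path and the function's start are outside the hunk.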
static int tls_set_priority(tlssockdata *data)
{
size_t nproto = 4;
- char priority[SHORT_STRING];
+ char *priority;
+ size_t priority_size;
int err;
+ priority_size = SHORT_STRING + mutt_strlen (SslCiphers);
+ priority = safe_malloc (priority_size);
+
priority[0] = 0;
- safe_strcat (priority, sizeof (priority), "NORMAL");
+ if (SslCiphers)
+ safe_strcat (priority, priority_size, SslCiphers);
+ else
+ safe_strcat (priority, priority_size, "NORMAL");
if (! option(OPTTLSV1_2))
{
nproto--;
- safe_strcat (priority, sizeof (priority), ":-VERS-TLS1.2");
+ safe_strcat (priority, priority_size, ":-VERS-TLS1.2");
}
if (! option(OPTTLSV1_1))
{
nproto--;
- safe_strcat (priority, sizeof (priority), ":-VERS-TLS1.1");
+ safe_strcat (priority, priority_size, ":-VERS-TLS1.1");
}
if (! option(OPTTLSV1))
{
nproto--;
- safe_strcat (priority, sizeof (priority), ":-VERS-TLS1.0");
+ safe_strcat (priority, priority_size, ":-VERS-TLS1.0");
}
if (! option(OPTSSLV3))
{
nproto--;
- safe_strcat (priority, sizeof (priority), ":-VERS-SSL3.0");
+ safe_strcat (priority, priority_size, ":-VERS-SSL3.0");
}
if (nproto == 0)
{
mutt_error (_("All available protocols for TLS/SSL connection disabled"));
+ FREE (&priority);
return -1;
}
{
mutt_error ("gnutls_priority_set_direct(%s): %s", priority, gnutls_strerror(err));
mutt_sleep (2);
+ FREE (&priority);
return -1;
}
+ FREE (&priority);
return 0;
}
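Review bot: Each early return in the rewritten tls_set_priority now has to remember its own `FREE (&priority);` (before the `return -1` after the nproto check and again in the gnutls_priority_set_direct failure branch), which is easy to miss in the next error path someone adds; a single exit label is the usual shape once a function owns a heap buffer. Declare `int rc = -1;`, replace each `FREE (&priority); return -1;` pair with `goto out;`, and finish the function with `rc = 0; out: FREE (&priority); return rc;`. The gnutls_priority_set_direct call whose failure block begins at the bare `{` is not shown in the hunk, so I am assuming it is the only other exit.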
#else
return -1;
}
+ if (SslCiphers)
+ {
+ mutt_error (_("Explicit ciphersuite selection via $ssl_ciphers not supported"));
+ mutt_sleep (2);
+ }
+
/* We use default priorities (see gnutls documentation),
except for protocol version */
gnutls_set_default_priority (data->state);
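Review bot: After reporting that `$ssl_ciphers` is unsupported, this branch falls through to `gnutls_set_default_priority (data->state)` and connects anyway, so a user who set the option to restrict ciphers gets the library defaults instead — an explicit configuration is ignored for the very decision it was meant to control. Given that the OpenSSL path in mutt_ssl_starttls aborts on an unusable cipher string, treating it the same here is more consistent: `return -1;` after the `mutt_sleep (2);`. The enclosing function starts before this hunk; whichever behaviour is kept, the option description should state it.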