** This variable specifies whether to attempt to use TLSv1 in the
** SSL authentication process.
*/
+ { "ssl_use_tlsv1_1", DT_BOOL, R_NONE, OPTTLSV1_1, 1 },
+ /*
+ ** .pp
+ ** This variable specifies whether to attempt to use TLSv1.1 in the
+ ** SSL authentication process.
+ */
+ { "ssl_use_tlsv1_2", DT_BOOL, R_NONE, OPTTLSV1_2, 1 },
+ /*
+ ** .pp
+ ** This variable specifies whether to attempt to use TLSv1.2 in the
+ ** SSL authentication process.
+ */
#ifdef USE_SSL_OPENSSL
{ "ssl_usesystemcerts", DT_BOOL, R_NONE, OPTSSLSYSTEMCERTS, 1 },
/*
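Review bot: The doc comments for `ssl_use_tlsv1_1` and `ssl_use_tlsv1_2` do not say what turning the option off does, or when the setting has any effect. Both entries sit above `#ifdef USE_SSL_OPENSSL`, so they appear to be offered for every SSL build, while the OpenSSL code in this patch honours them only when `SSL_OP_NO_TLSv1_1` / `SSL_OP_NO_TLSv1_2` are defined at compile time. Whether any other TLS backend reads them is not visible here. I would extend each comment along the lines of `** When unset, TLSv1.1 is not offered during the handshake. The setting has no effect if the TLS library used for this build does not support TLSv1.1.`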
{
SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1);
}
+ /* TLSv1.1/1.2 support was added in OpenSSL 1.0.1, but some OS distros such
+ * as Fedora 17 are on OpenSSL 1.0.0.
+ */
+#ifdef SSL_OP_NO_TLSv1_1
+ if (!option(OPTTLSV1_1))
+ {
+ SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_1);
+ }
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
+ if (!option(OPTTLSV1_2))
+ {
+ SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_2);
+ }
+#endif
if (!option(OPTSSLV2))
{
SSL_CTX_set_options(data->ctx, SSL_OP_NO_SSLv2);
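Review bot: Nothing in this block checks that at least one protocol version is still enabled once all the `option(...)` tests have run. With `OPTTLSV1_1` and `OPTTLSV1_2` added, a configuration that turns every version off leaves `data->ctx` with nothing to negotiate. The same happens if only the older versions are turned off on a build where the two `#ifdef` guards compile the new checks out. In either case the user would presumably see only a generic handshake failure. A check after the last `SSL_CTX_set_options` call that reports a clear configuration error would make this easier to diagnose. The enclosing function starts and ends outside the hunk, so the right error path cannot be seen from here.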