set certificate_file=~/.mutt/certificates
+If after doing the above, you are unable to successfully connect, it
+is likely that your IMAP server does not support one of the SSL protocols.
+There exist three different protocols, TLSv1, SSLv2, and SSLv3. To check
+each of these, you use the following:
+ openssl s_client -host <imap server> -port <port> -verify -debug -no_tls1
+ openssl s_client -host <imap server> -port <port> -verify -debug -no_ssl2
+ openssl s_client -host <imap server> -port <port> -verify -debug -no_ssl3
+
+You can also combine the options until you get a successfull connect. Once
+you know which options do not work, you can set the variables for non-working
+protocols to know. The variables for the protocols are ssl_use_tlsv1,
+ssl_use_sslv2, and ssl_use_sslv3.
+
--
Tommi Komulainen
Tommi.Komulainen@iki.fi
+
+Updated by Jeremy Katz
+katzj@linuxpower.org
SSLeay_add_ssl_algorithms ();
data->ctx = SSL_CTX_new (SSLv23_client_method ());
+ /* disable SSL protocols as needed */
+ if (!option(OPTTLSV1))
+ {
+ SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1);
+ }
+
+ if (!option(OPTSSLV2))
+ {
+ SSL_CTX_set_options(data->ctx, SSL_OP_NO_SSLv2);
+ }
+ if (!option(OPTSSLV3))
+ {
+ SSL_CTX_set_options(data->ctx, SSL_OP_NO_SSLv3);
+ }
+
data->ssl = SSL_new (data->ctx);
SSL_set_fd (data->ssl, conn->fd);
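Review bot: `data->ctx` is handed to `SSL_CTX_set_options` directly after `SSL_CTX_new` with no check that the context was created, so an allocation failure reaches the added calls with a null pointer. A guard such as `if (!data->ctx) return -1;` belongs before the added block; the enclosing function starts and ends outside the hunk, so the right error return is a guess. Nothing here handles the configuration where all three options are unset, which leaves the context with no protocol to offer and will presumably surface only as a generic handshake failure. An explicit error message for that case would save users the debugging. The three calls could also accumulate into one mask, e.g. `opts |= SSL_OP_NO_SSLv2;`, followed by a single `SSL_CTX_set_options (data->ctx, opts);`.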
/*
** .pp
** Specifies the password for your IMAP account. If unset, Mutt will
- ** prompt you for your password when you invoke the fetch-mail function.
+ * prompt you for your password when you invoke the fetch-mail function.
** \fBWarning\fP: you should only use this option when you are on a
** fairly secure machine, because the superuser can read your muttrc even
** if you are the only one who can read the file.
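Review bot: The replacement line in this password description starts with a single `*`, while every neighbouring line of the comment starts with `**` and the wording is otherwise unchanged, so the edit looks accidental. If the manual is generated from lines carrying the `**` prefix (the generator is not visible here), this sentence fragment would drop out of the generated documentation. Restoring `** prompt you for your password when you invoke the fetch-mail function.` keeps the block consistent. The option entry this comment belongs to lies outside the hunk.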
** be saved in this file and further connections are automatically
** accepted.
*/
+ { "ssl_use_sslv2", DT_BOOL, R_NONE, OPTSSLV2, 1 },
+ /*
+ ** .pp
+ ** This variables specifies whether to attempt to use SSLv2 in the
+ ** SSL authentication process.
+ */
+ { "ssl_use_sslv3", DT_BOOL, R_NONE, OPTSSLV3, 1 },
+ /*
+ ** .pp
+ ** This variables specifies whether to attempt to use SSLv3 in the
+ ** SSL authentication process.
+ */
+ { "ssl_use_tlsv1", DT_BOOL, R_NONE, OPTTLSV1, 1 },
+ /*
+ ** .pp
+ ** This variables specifies whether to attempt to use TLSv1 in the
+ ** SSL authentication process.
+ */
#endif
{ "pipe_split", DT_BOOL, R_NONE, OPTPIPESPLIT, 0 },
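Review bot: `ssl_use_sslv2` is added with a default of 1, so SSLv2 stays enabled unless the user switches it off. SSLv2 does not protect its handshake against tampering, so a default of 0 would be the safer choice: `{ "ssl_use_sslv2", DT_BOOL, R_NONE, OPTSSLV2, 0 },`. The three descriptions read "This variables specifies" and refer to the "SSL authentication process". Wording such as `** This variable specifies whether SSLv2 may be used when negotiating the SSL connection.` would be more accurate. Each description should also state that unsetting `ssl_use_tlsv1` leaves only the older protocols available. The option table starts and ends outside the hunk.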