use TLSv1.2 if available in the system OpenSSL when using starttls

diff --git a/configure.ac b/configure.ac
index c4f5b48b50b7f52328e52ffc24b16b3038f3c2a3..368e2910d1002369ae288a25811f7ede730779a6 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -677,6 +677,9 @@ AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl@<:@=PFX@:>@], [Enable TLS support us
             LIBS="$LIBS $crypto_libs"
             AC_CHECK_FUNCS(RAND_status RAND_egd)
 
+           dnl -- TLSv1_2_client_method() was added in OpenSSL 1.0.1 --
+           AC_CHECK_FUNCS(TLSv1_2_client_method)
+
             AC_DEFINE(USE_SSL,1,[ Define if you want support for SSL. ])
             AC_DEFINE(USE_SSL_OPENSSL,1,[ Define if you want support for SSL via OpenSSL. ])
             LIBS="$saved_LIBS"

diff --git a/mutt_ssl.c b/mutt_ssl.c
index 1b628fcdcd677909c3eae6759bf6af7d84d554be..fc4aa263801db398c5d243bbf3f5062eff99b0a1 100644 (file)
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -100,8 +100,17 @@ int mutt_ssl_starttls (CONNECTION* conn)
     goto bail;
 
   ssldata = (sslsockdata*) safe_calloc (1, sizeof (sslsockdata));
-  /* the ssl_use_xxx protocol options don't apply. We must use TLS in TLS. */
-  if (! (ssldata->ctx = SSL_CTX_new (TLSv1_client_method ())))
+  /* the ssl_use_xxx protocol options don't apply. We must use TLS in TLS.
+   * TLSv1.2 support was added in OpenSSL 1.0.1.  RHEL6 shipped with 1.0.0 so
+   * our configure script checks for TLSv1.2 availability.
+   */
+  if (! (ssldata->ctx = SSL_CTX_new (
+#ifdef HAVE_TLSV1_2_CLIENT_METHOD
+                                 TLSv1_2_client_method ()
+#else
+                                 TLSv1_client_method ()
+#endif
+                                 )))
   {
     dprint (1, (debugfile, "mutt_ssl_starttls: Error allocating SSL_CTX\n"));
     goto bail_ssldata;