Uses SSLv23_client_method() in mutt_ssl_starttls() because TLSv1_2_client_method...

closes #3612

diff --git a/configure.ac b/configure.ac
index 2f36a3961989c4b200b828b3b39253bd1a8cf843..3a679ba0bcfcfd4dfdc8dc6e4d2750a3afccfcd6 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -676,9 +676,6 @@ AC_ARG_WITH(ssl, AS_HELP_STRING([--with-ssl@<:@=PFX@:>@],[Enable TLS support usi
             LIBS="$LIBS $crypto_libs"
             AC_CHECK_FUNCS(RAND_status RAND_egd)
 
-           dnl -- TLSv1_2_client_method() was added in OpenSSL 1.0.1 --
-           AC_CHECK_FUNCS(TLSv1_2_client_method)
-
             AC_DEFINE(USE_SSL,1,[ Define if you want support for SSL. ])
             AC_DEFINE(USE_SSL_OPENSSL,1,[ Define if you want support for SSL via OpenSSL. ])
             LIBS="$saved_LIBS"

diff --git a/init.h b/init.h
index 657dbd89ecb63f021dae94df7e6ac41d74f29370..c2fa7283229998cebd1d4e7de085931b42a80968 100644 (file)
--- a/init.h
+++ b/init.h
@@ -3001,7 +3001,7 @@ struct option_t MuttVars[] = {
   { "ssl_use_tlsv1", DT_BOOL, R_NONE, OPTTLSV1, 1 },
   /*
   ** .pp
-  ** This variable specifies whether to attempt to use TLSv1 in the
+  ** This variable specifies whether to attempt to use TLSv1.0 in the
   ** SSL authentication process.
   */
   { "ssl_use_tlsv1_1", DT_BOOL, R_NONE, OPTTLSV1_1, 1 },

diff --git a/mutt_ssl.c b/mutt_ssl.c
index ec28b02738f7883bd01c7539c396820ee1e3811c..ea758710a95d264f2471b6b3af4c405ace0a1697 100644 (file)
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -95,38 +95,48 @@ int mutt_ssl_starttls (CONNECTION* conn)
 {
   sslsockdata* ssldata;
   int maxbits;
+  long ssl_options = 0;
 
   if (ssl_init())
     goto bail;
 
   ssldata = (sslsockdata*) safe_calloc (1, sizeof (sslsockdata));
   /* the ssl_use_xxx protocol options don't apply. We must use TLS in TLS.
-   * TLSv1.2 support was added in OpenSSL 1.0.1.  RHEL6 shipped with 1.0.0 so
-   * our configure script checks for TLSv1.2 availability.
+   *
+   * However, we need to be able to negotiate amongst various TLS versions,
+   * which at present can only be done with the SSLv23_client_method;
+   * TLSv1_client_method gives us explicitly TLSv1.0, not 1.1 or 1.2 (True as
+   * of OpenSSL 1.0.1c)
    */
-  if (! (ssldata->ctx = SSL_CTX_new (
-#ifdef HAVE_TLSV1_2_CLIENT_METHOD
-                                 TLSv1_2_client_method ()
-#else
-                                 TLSv1_client_method ()
-#endif
-                                 )))
+  if (! (ssldata->ctx = SSL_CTX_new (SSLv23_client_method())))
   {
     dprint (1, (debugfile, "mutt_ssl_starttls: Error allocating SSL_CTX\n"));
     goto bail_ssldata;
   }
+#ifdef SSL_OP_NO_TLSv1_2
+  if (!option(OPTTLSV1_2))
+    ssl_options |= SSL_OP_NO_TLSv1_2;
+#endif
 #ifdef SSL_OP_NO_TLSv1_1
   if (!option(OPTTLSV1_1))
-  {
-    SSL_CTX_set_options(ssldata->ctx, SSL_OP_NO_TLSv1_1);
-  }
+    ssl_options |= SSL_OP_NO_TLSv1_1;
 #endif
-#ifdef SSL_OP_NO_TLSv1_2
-  if (!option(OPTTLSV1_2))
+#ifdef SSL_OP_NO_TLSv1
+  if (!option(OPTTLSV1))
+    ssl_options |= SSL_OP_NO_TLSv1;
+#endif
+  /* these are always set */
+#ifdef SSL_OP_NO_SSLv3
+  ssl_options |= SSL_OP_NO_SSLv3;
+#endif
+#ifdef SSL_OP_NO_SSLv2
+  ssl_options |= SSL_OP_NO_SSLv2;
+#endif
+  if (! SSL_CTX_set_options(ssldata->ctx, ssl_options))
   {
-    SSL_CTX_set_options(ssldata->ctx, SSL_OP_NO_TLSv1_2);
+    dprint(1, (debugfile, "mutt_ssl_starttls: Error setting options to %ld\n", ssl_options));
+    goto bail_ctx;
   }
-#endif
 
   ssl_get_client_cert(ssldata, conn);