** If \fIset\fP , Mutt will use TLSv1.2 when communicating with servers that
** request it.
*/
+ { "ssl_use_tlsv1_3", DT_BOOL, R_NONE, {.l=OPTTLSV1_3}, {.l=1} },
+ /*
+ ** .pp
+ ** If \fIset\fP , Mutt will use TLSv1.3 when communicating with servers that
+ ** request it.
+ */
#ifdef USE_SSL_OPENSSL
{ "ssl_usesystemcerts", DT_BOOL, R_NONE, {.l=OPTSSLSYSTEMCERTS}, {.l=1} },
/*
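Review bot: The description added for `ssl_use_tlsv1_3` does not say where the option is honored, yet the same commit documents in mutt_ssl_gnutls.c that the GnuTLS build without gnutls_priority_set_direct makes no attempt to support it, so a user unsetting it there gets no effect and no message. On the priority-string path the option is also reachable on GnuTLS releases older than the 3.6.5 the commit cites, and I suspect the `:-VERS-TLS1.3` token appended whenever the option is unset is rejected by gnutls_priority_set_direct on versions that do not know TLS 1.3, which would turn a merely unset option into a failed connection; worth confirming against the GnuTLS version Mutt's configure accepts and, if so, guarding that append with a `GNUTLS_VERSION_NUMBER` check. For the documentation side I would add after the existing sentence: `** With GnuTLS, the setting is only applied when the library supports TLSv1.3; older versions ignore it.` (wording the second clause to match whatever the version check turns out to be).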
dprint (1, (debugfile, "mutt_ssl_starttls: Error allocating SSL_CTX\n"));
goto bail_ssldata;
}
+#ifdef SSL_OP_NO_TLSv1_3
+ if (!option(OPTTLSV1_3))
+ ssl_options |= SSL_OP_NO_TLSv1_3;
+#endif
#ifdef SSL_OP_NO_TLSv1_2
if (!option(OPTTLSV1_2))
ssl_options |= SSL_OP_NO_TLSv1_2;
{
SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_2);
}
+#endif
+#ifdef SSL_OP_NO_TLSv1_3
+ if (!option(OPTTLSV1_3))
+ {
+ SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_3);
+ }
#endif
if (!option(OPTSSLV2))
{
#if HAVE_GNUTLS_PRIORITY_SET_DIRECT
static int tls_set_priority(tlssockdata *data)
{
- size_t nproto = 4;
- char *priority;
- size_t priority_size;
- int err;
+ size_t nproto = 5;
+ BUFFER *priority = NULL;
+ int err, rv = -1;
- priority_size = SHORT_STRING + mutt_strlen (SslCiphers);
- priority = safe_malloc (priority_size);
+ priority = mutt_buffer_pool_get ();
- priority[0] = 0;
if (SslCiphers)
- safe_strcat (priority, priority_size, SslCiphers);
+ mutt_buffer_strcpy (priority, SslCiphers);
else
- safe_strcat (priority, priority_size, "NORMAL");
+ mutt_buffer_strcpy (priority, "NORMAL");
- if (! option(OPTTLSV1_2))
+ if (!option(OPTTLSV1_3))
{
nproto--;
- safe_strcat (priority, priority_size, ":-VERS-TLS1.2");
+ mutt_buffer_addstr (priority, ":-VERS-TLS1.3");
}
- if (! option(OPTTLSV1_1))
+ if (!option(OPTTLSV1_2))
{
nproto--;
- safe_strcat (priority, priority_size, ":-VERS-TLS1.1");
+ mutt_buffer_addstr (priority, ":-VERS-TLS1.2");
}
- if (! option(OPTTLSV1))
+ if (!option(OPTTLSV1_1))
{
nproto--;
- safe_strcat (priority, priority_size, ":-VERS-TLS1.0");
+ mutt_buffer_addstr (priority, ":-VERS-TLS1.1");
}
- if (! option(OPTSSLV3))
+ if (!option(OPTTLSV1))
{
nproto--;
- safe_strcat (priority, priority_size, ":-VERS-SSL3.0");
+ mutt_buffer_addstr (priority, ":-VERS-TLS1.0");
+ }
+ if (!option(OPTSSLV3))
+ {
+ nproto--;
+ mutt_buffer_addstr (priority, ":-VERS-SSL3.0");
}
if (nproto == 0)
{
mutt_error (_("All available protocols for TLS/SSL connection disabled"));
- FREE (&priority);
- return -1;
+ goto cleanup;
}
- if ((err = gnutls_priority_set_direct (data->state, priority, NULL)) < 0)
+ if ((err = gnutls_priority_set_direct (data->state, mutt_b2s (priority), NULL)) < 0)
{
- mutt_error ("gnutls_priority_set_direct(%s): %s", priority, gnutls_strerror(err));
+ mutt_error ("gnutls_priority_set_direct(%s): %s", mutt_b2s (priority), gnutls_strerror(err));
mutt_sleep (2);
- FREE (&priority);
- return -1;
+ goto cleanup;
}
- FREE (&priority);
- return 0;
+ rv = 0;
+
+cleanup:
+ mutt_buffer_pool_release (&priority);
+ return rv;
}
#else
/* This array needs to be large enough to hold all the possible values support
* by Mutt. The initialized values are just placeholders--the array gets
* overwrriten in tls_negotiate() depending on the $ssl_use_* options.
+ *
+ * Note: gnutls_protocol_set_priority() was removed in GnuTLS version
+ * 3.4 (2015-04). TLS 1.3 support wasn't added until version 3.6.5.
+ * Therefore, no attempt is made to support $ssl_use_tlsv1_3 in this code.
*/
static int protocol_priority[] = {GNUTLS_TLS1_2, GNUTLS_TLS1_1, GNUTLS_TLS1, GNUTLS_SSL3, 0};