From: Michael Elkins
Date: Wed, 19 Dec 2012 04:38:46 +0000 (-0800)
Subject: add support for TLSv1.1/1.2 when using GNUTLS.
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1f33e0b1365427966b9576332707742186bd7de6;p=neomutt

add support for TLSv1.1/1.2 when using GNUTLS. see #3571
---

diff --git a/mutt_ssl_gnutls.c b/mutt_ssl_gnutls.c
index 5383b4f79..970a9c90b 100644
--- a/mutt_ssl_gnutls.c
+++ b/mutt_ssl_gnutls.c
@@ -238,7 +238,11 @@ err_crt:
   gnutls_x509_crt_deinit (clientcrt);
 }
 
-static int protocol_priority[] = {GNUTLS_TLS1, GNUTLS_SSL3, 0};
+/* This array needs to be large enough to hold all the possible values support
+ * by Mutt. The initialized values are just placeholders--the array gets
+ * overwrriten in tls_negotiate() depending on the $ssl_use_* options.
+ */
+static int protocol_priority[] = {GNUTLS_TLS1_2, GNUTLS_TLS1_1, GNUTLS_TLS1, GNUTLS_SSL3, 0};
 
 /* tls_negotiate: After TLS state has been initialised, attempt to negotiate
  * TLS over the wire, including certificate checks. */
@@ -246,6 +250,7 @@ static int tls_negotiate (CONNECTION * conn)
 {
   tlssockdata *data;
   int err;
+  size_t nproto = 0; /* number of tls/ssl protocols */
 
   data = (tlssockdata *) safe_calloc (1, sizeof (tlssockdata));
   conn->sockdata = data;
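Review bot: The comment on the new `protocol_priority` declaration says the array must be large enough for every protocol Mutt supports, but nothing in the declaration states that bound — its length is only implied by a five-element initializer whose values the same comment calls placeholders. Sizing the array explicitly and dropping the dead initializer documents the invariant that the `protocol_priority[nproto++]` writes in tls_negotiate() rely on, e.g. `/* Filled by tls_negotiate() from the $ssl_use_* options: one slot per protocol Mutt knows, plus the terminating 0. */` followed by `static int protocol_priority[4 + 1];`. Two typos in the added comment: "values support by Mutt" should read "values supported by Mutt" and "overwrriten" should read "overwritten". The tls_negotiate() hunk that fills the array begins at the next hunk header but runs past the end of this view, so the write side is not reviewed here.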
@@ -291,22 +296,22 @@ static int tls_negotiate (CONNECTION * conn)
   /* set socket */
   gnutls_transport_set_ptr (data->state, (gnutls_transport_ptr)conn->fd);
 
+  if (option(OPTTLSV1_2))
+    protocol_priority[nproto++] = GNUTLS_TLS1_2;
+  if (option(OPTTLSV1_1))
+    protocol_priority[nproto++] = GNUTLS_TLS1_1;
+  if (option(OPTTLSV1))
+    protocol_priority[nproto++] = GNUTLS_TLS1;
+  if (option(OPTSSLV3))
+    protocol_priority[nproto++] = GNUTLS_SSL3;
+  protocol_priority[nproto] = 0;
+
   /* disable TLS/SSL protocols as needed */
-  if (!option(OPTTLSV1) && !option(OPTSSLV3))
+  if (nproto == 0)
   {
     mutt_error (_("All available protocols for TLS/SSL connection disabled"));
     goto fail;
   }
-  else if (!option(OPTTLSV1))
-  {
-    protocol_priority[0] = GNUTLS_SSL3;
-    protocol_priority[1] = 0;
-  }
-  else if (!option(OPTSSLV3))
-  {
-    protocol_priority[0] = GNUTLS_TLS1;
-    protocol_priority[1] = 0;
-  }
   /* else use the list set above