From: hncaldwell
Date: Wed, 19 Dec 2012 03:44:57 +0000 (-0800)
Subject: add variables for disabling TLSv1.1/1.2 when compiled against OpenSSL 1.0.1
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=213ddd148bae66565b53add14b5e848024cc9c63;p=neomutt

add variables for disabling TLSv1.1/1.2 when compiled against OpenSSL 1.0.1

see #3571
---

diff --git a/init.h b/init.h
index 62c6b57ab..657dbd89e 100644
--- a/init.h
+++ b/init.h
@@ -3004,6 +3004,18 @@ struct option_t MuttVars[] = {
   ** This variable specifies whether to attempt to use TLSv1 in the
   ** SSL authentication process.
   */
+  { "ssl_use_tlsv1_1", DT_BOOL, R_NONE, OPTTLSV1_1, 1 },
+  /*
+  ** .pp
+  ** This variable specifies whether to attempt to use TLSv1.1 in the
+  ** SSL authentication process.
+  */
+  { "ssl_use_tlsv1_2", DT_BOOL, R_NONE, OPTTLSV1_2, 1 },
+  /*
+  ** .pp
+  ** This variable specifies whether to attempt to use TLSv1.2 in the
+  ** SSL authentication process.
+  */
 #ifdef USE_SSL_OPENSSL
   { "ssl_usesystemcerts", DT_BOOL, R_NONE, OPTSSLSYSTEMCERTS, 1 },
   /*
diff --git a/mutt.h b/mutt.h
index 45635173b..041975e5d 100644
--- a/mutt.h
+++ b/mutt.h
@@ -374,6 +374,8 @@ enum
 # endif /* USE_SSL_GNUTLS */
   OPTSSLV3,
   OPTTLSV1,
+  OPTTLSV1_1,
+  OPTTLSV1_2,
   OPTSSLFORCETLS,
   OPTSSLVERIFYDATES,
   OPTSSLVERIFYHOST,
diff --git a/mutt_ssl.c b/mutt_ssl.c
index fc4aa2638..c9e051192 100644
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -312,6 +312,21 @@ static int ssl_socket_open (CONNECTION * conn)
   {
     SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1);
   }
+  /* TLSv1.1/1.2 support was added in OpenSSL 1.0.1, but some OS distros such
+   * as Fedora 17 are on OpenSSL 1.0.0.
+   */
+#ifdef SSL_OP_NO_TLSv1_1
+  if (!option(OPTTLSV1_1))
+  {
+    SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_1);
+  }
+#endif
+#ifdef SSL_OP_NO_TLSv1_2
+  if (!option(OPTTLSV1_2))
+  {
+    SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_2);
+  }
+#endif
   if (!option(OPTSSLV2))
   {
     SSL_CTX_set_options(data->ctx, SSL_OP_NO_SSLv2);
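Review bot: The manual text for `ssl_use_tlsv1_1` and `ssl_use_tlsv1_2` does not say that the setting can be silently ignored, yet both new entries sit outside the `#ifdef USE_SSL_OPENSSL` block that follows them, so they are also visible in non-OpenSSL builds, and the only backend this diff teaches about `OPTTLSV1_1`/`OPTTLSV1_2` is mutt_ssl.c, where the handling is itself guarded by `#ifdef SSL_OP_NO_TLSv1_1`/`SSL_OP_NO_TLSv1_2`. A user who unsets one of these to restrict the protocol set therefore gets no effect on OpenSSL older than 1.0.1, and presumably none under GnuTLS unless mutt_ssl_gnutls.c is updated in a change I cannot see here. I would add to each description a line such as `** This option only has an effect when Mutt is linked against OpenSSL 1.0.1 or later; otherwise it is silently ignored.` (with TLSv1.2 worded the same way), so the limitation is documented where the user reads it. The enclosing MuttVars[] array starts and ends outside this hunk.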
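Review bot: The `#ifdef SSL_OP_NO_TLSv1_1` and `#ifdef SSL_OP_NO_TLSv1_2` guards around the new blocks compile out the whole check on OpenSSL before 1.0.1, so a muttrc that has deliberately unset `ssl_use_tlsv1_1` or `ssl_use_tlsv1_2` is accepted without any indication that the requested protocol restriction was not applied; for a hardening knob, failing silently is the wrong default. I would give each guard an `#else` branch that reports the mismatch, e.g. `#else`, `if (!option(OPTTLSV1_1))`, `mutt_error (_("ssl_use_tlsv1_1 is unset but this OpenSSL cannot disable TLSv1.1"));`, and the same for TLSv1.2, using whichever error or debug reporting facility mutt_ssl.c already relies on (I cannot confirm the exact helper from this hunk). The comment above the blocks could also state the consequence explicitly, e.g. `* On those builds the ssl_use_tlsv1_1/1_2 options are ignored.`, rather than only naming the affected distro. ssl_socket_open begins before this hunk and continues past it.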