From: Brendan Cully
Date: Sat, 6 Aug 2005 21:19:39 +0000 (+0000)
Subject: Replace pointless imap_force_ssl option with ssl_force_tls, which requires
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e03ec7624073f602d90ff0e68a03be1508233379;p=neomutt

Replace pointless imap_force_ssl option with ssl_force_tls, which requires any connection (POP or IMAP) to a remote server to be encrypted, and attempts to negotiate encryption even if the capability isn't advertised (this last bit is of dubious utility, but essentially harmless since the connection would otherwise fail anyway). Closes: #1284.
---
diff --git a/imap/imap.c b/imap/imap.c
index 11d13df49..7ad1e3803 100644
--- a/imap/imap.c
+++ b/imap/imap.c
@@ -440,11 +440,14 @@ int imap_open_connection (IMAP_DATA* idata)
 goto bail;
 #if defined(USE_SSL) || defined(USE_GNUTLS)
 /* Attempt STARTTLS if available and desired. */
- if (mutt_bit_isset (idata->capabilities, STARTTLS) && !idata->conn->ssf)
+ if (!idata->conn->ssf && (option(OPTSSLFORCETLS) ||
+ mutt_bit_isset (idata->capabilities, STARTTLS)))
 {
 int rc;
-
- if ((rc = query_quadoption (OPT_SSLSTARTTLS,
+
+ if (option(OPTSSLFORCETLS))
+ rc = M_YES;
+ else if ((rc = query_quadoption (OPT_SSLSTARTTLS,
 _("Secure connection with TLS?"))) == -1)
 goto err_close_conn;
 if (rc == M_YES) {
@@ -471,6 +474,13 @@ int imap_open_connection (IMAP_DATA* idata)
 }
 }
 }
+
+ if (option(OPTSSLFORCETLS) && ! idata->conn->ssf)
+ {
+ mutt_error _("Encrypted connection unavailable");
+ mutt_sleep (1);
+ goto err_close_conn;
+ }
 #endif
 }
 else if (ascii_strncasecmp ("* PREAUTH", idata->cmd.buf, 9) == 0)
diff --git a/imap/util.c b/imap/util.c
index 5062786b3..4c4f3f820 100644
--- a/imap/util.c
+++ b/imap/util.c
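Review bot: The context comment `/* Attempt STARTTLS if available and desired. */` above the rewritten condition in the -440 hunk is now inaccurate: with $ssl_force_tls set the branch is entered and `rc = M_YES` is forced without consulting `query_quadoption`, whether or not the STARTTLS capability was advertised. I would change it to `/* Attempt STARTTLS if desired; with $ssl_force_tls, attempt it even when the capability is not advertised. */`. The same stale wording (`/* Attempt STLS if available and desired. */`) sits above the equivalent rewritten condition in the pop_lib.c hunk at -276 and should be updated in the same way. The body of imap_open_connection continues outside this hunk.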
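Review bot: The new enforcement block in the -471 hunk sits inside the branch that handles the `* OK` greeting — it precedes the `#endif` and the `}` that leads into `else if (ascii_strncasecmp ("* PREAUTH", ...))` — so a connection greeted with `* PREAUTH` never reaches the `!idata->conn->ssf` test and proceeds in cleartext even though the option is documented as requiring encryption. Unless the PREAUTH branch carries its own check outside this hunk, the test should run after both greeting branches or be repeated there: `if (option(OPTSSLFORCETLS) && !idata->conn->ssf) goto err_close_conn;` with the same "Encrypted connection unavailable" message. As a minor style point, `! idata->conn->ssf` differs from the `!pop_data->conn->ssf` spelling used in pop_lib.c; dropping the space keeps the two files consistent. imap_open_connection continues outside the hunk.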
@@ -166,11 +166,6 @@ int imap_parse_path (const char* path, IMAP_MBOX* mx) } } -#if defined(USE_SSL) || defined(USE_GNUTLS) - if (option (OPTIMAPFORCESSL)) - mx->account.flags |= M_ACCT_SSL; -#endif - if ((mx->account.flags & M_ACCT_SSL) && !(mx->account.flags & M_ACCT_PORT)) mx->account.port = ImapsPort; diff --git a/init.h b/init.h index 8bc74fddb..3e57ec5a7 100644 --- a/init.h +++ b/init.h @@ -827,14 +827,6 @@ struct option_t MuttVars[] = { ** as folder separators for displaying IMAP paths. In particular it ** helps in using the '=' shortcut for your \fIfolder\fP variable. */ -# if defined(USE_SSL) || defined(USE_GNUTLS) - { "imap_force_ssl", DT_BOOL, R_NONE, OPTIMAPFORCESSL, 0 }, - /* - ** .pp - ** If this variable is set, Mutt will always use SSL when - ** connecting to IMAP servers. - */ -# endif { "imap_headers", DT_STR, R_INDEX, UL &ImapHeaders, UL 0}, /* ** .pp @@ -1886,8 +1878,16 @@ struct option_t MuttVars[] = { ** The file containing a client certificate and its associated private ** key. */ -#endif -# if defined(USE_SSL)||defined(USE_GNUTLS) +#endif /* USE_SSL */ + { "ssl_force_tls", DT_BOOL, R_NONE, OPTSSLFORCETLS, 0 }, + /* + ** .pp + ** If this variable is set, Mutt will require that all connections + ** to remote servers be encrypted. Furthermore it will attempt to + ** negotiate TLS even if the server does not advertise the capability, + ** since it would otherwise have to abort the connection anyway. This + ** option supersedes ``$$ssl_starttls''. + */ { "ssl_starttls", DT_QUAD, R_NONE, OPT_SSLSTARTTLS, M_YES }, /* ** .pp @@ -1895,7 +1895,6 @@ struct option_t MuttVars[] = { ** advertising the capability. When unset, mutt will not attempt to ** use STARTTLS regardless of the server's capabilities. */ -# endif { "certificate_file", DT_PATH, R_NONE, UL &SslCertFile, UL "~/.mutt_certificates" }, /* ** .pp 
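Review bot: The help text added for `ssl_force_tls` in the -1886 hunk does not tell users migrating from the removed `imap_force_ssl` that the two options work differently: the util.c hunk at -166 deletes the code that set `M_ACCT_SSL` (and with it the `ImapsPort` default that the surviving context line applies), so `ssl_force_tls` leaves the account on the plain port and relies on STARTTLS/STLS, refusing rather than upgrading a connection that cannot be encrypted. I would add a line to the doc block such as `** Unlike the removed imap_force_ssl, this does not select the imaps port; it only refuses to proceed without TLS.` The phrase "all connections to remote servers" is also broader than what this commit changes, which is the IMAP and POP code paths; saying "IMAP and POP connections" would match the code.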
@@ -1931,7 +1930,7 @@ struct option_t MuttVars[] = { ** This variables specifies whether to attempt to use SSLv2 in the ** SSL authentication process. */ -# endif +# endif /* defined _MAKEDOC || !defined(USE_GNUTLS) */ { "ssl_use_sslv3", DT_BOOL, R_NONE, OPTSSLV3, 1 }, /* ** .pp @@ -1944,7 +1943,7 @@ struct option_t MuttVars[] = { ** This variables specifies whether to attempt to use TLSv1 in the ** SSL authentication process. */ -#ifdef USE_GNUTLS +# ifdef USE_GNUTLS { "ssl_min_dh_prime_bits", DT_NUM, R_NONE, UL &SslDHPrimeBits, 0 }, /* ** .pp @@ -1961,8 +1960,8 @@ struct option_t MuttVars[] = { ** .pp ** Example: set ssl_ca_certificates_file=/etc/ssl/certs/ca-certificates.crt */ -#endif -#endif +# endif /* USE_GNUTLS */ +#endif /* defined(USE_SSL) || defined(USE_GNUTLS) */ { "pipe_split", DT_BOOL, R_NONE, OPTPIPESPLIT, 0 }, /* diff --git a/mutt.h b/mutt.h index 5512e6462..0c251967a 100644 --- a/mutt.h +++ b/mutt.h @@ -372,20 +372,16 @@ enum OPTIMAPPASSIVE, OPTIMAPPEEK, OPTIMAPSERVERNOISE, -# if defined(USE_SSL) || defined(USE_GNUTLS) - OPTIMAPFORCESSL, -# endif #endif #if defined(USE_SSL) || defined(USE_GNUTLS) # ifndef USE_GNUTLS + OPTSSLSYSTEMCERTS, OPTSSLV2, -# endif +# endif /* USE_GNUTLS */ OPTSSLV3, OPTTLSV1, -# ifndef USE_GNUTLS - OPTSSLSYSTEMCERTS, -# endif -#endif + OPTSSLFORCETLS, +#endif /* defined(USE_SSL) || defined(USE_GNUTLS) */ OPTIMPLICITAUTOVIEW, OPTINCLUDEONLYFIRST, OPTKEEPFLAGGED, diff --git a/pop_lib.c b/pop_lib.c index 46d6138ed..a4d5c3a87 100644 --- a/pop_lib.c +++ b/pop_lib.c @@ -276,8 +276,10 @@ int pop_open_connection (POP_DATA *pop_data) #if defined(USE_SSL) || defined(USE_GNUTLS) /* Attempt STLS if available and desired. */ - if (pop_data->cmd_stls && !pop_data->conn->ssf) + if (!pop_data->conn->ssf && (pop_data->cmd_stls || option(OPTSSLFORCETLS))) { + if (option(OPTSSLFORCETLS)) + pop_data->use_stls = 2; if (pop_data->use_stls == 0) { ret = query_quadoption (OPT_SSLSTARTTLS, 
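Review bot: In the pop_lib.c hunk at -276 the forced path writes the bare literal `pop_data->use_stls = 2;` and nothing in the hunk says what 2 means — the only visible test is `if (pop_data->use_stls == 0)`, so a reader has to guess that 2 is presumably the "yes" state stored after the STLS query further down, outside the hunk. A one-line comment would save that trip, e.g. `/* $ssl_force_tls: behave as if the STLS prompt had been answered yes */`, or better, a named constant shared with the code that stores the query answer. The assignment also overrides any answer previously stored in use_stls, which looks intended but is worth stating in that comment. pop_open_connection continues outside the hunk.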
@@ -323,6 +325,13 @@ int pop_open_connection (POP_DATA *pop_data) } } } + + if (option(OPTSSLFORCETLS) && !pop_data->conn->ssf) + { + mutt_error _("Encrypted connection unavailable"); + mutt_sleep (1); + return -2; + } #endif ret = pop_authenticate (pop_data);
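Review bot: On the forced-TLS failure path the new code does `return -2;` straight after `mutt_sleep (1);`, whereas the imap.c counterpart does `goto err_close_conn`; whether the already-opened cleartext socket in `pop_data->conn` is closed here depends on what the caller does with -2, which is outside the hunk. If the other `-2` returns in pop_open_connection close the connection before returning, this one should match, e.g. `mutt_socket_close (pop_data->conn); return -2;`, so that an unencrypted connection does not remain open after the user has been told encryption is unavailable. pop_open_connection continues outside the hunk.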