changeset 22861:898ef4d4ee48
lib-ssl-iostream,login-common: Use SSL_CTX_set_min_proto_version
Use SSL_CTX_set_min_proto_version to set the minimum ssl protocol
version where available.
author | Martti Rannanjärvi <martti.rannanjarvi@dovecot.fi> |
date | Thu, 30 Nov 2017 12:03:36 +0200 |
parents | ad9c924ec91f |
children | dfa00b3e819f |
files | src/lib-ssl-iostream/iostream-openssl-context.c src/lib-ssl-iostream/iostream-openssl.c src/login-common/ssl-proxy-openssl.c |
diffstat | 3 files changed, 45 insertions(+), 0 deletions(-) [+] |
--- a/src/lib-ssl-iostream/iostream-openssl-context.c	Sat Nov 11 04:28:57 2017 +0200
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c	Thu Nov 30 12:03:36 2017 +0200
@@ -336,8 +336,25 @@
 			       SSL_OP_CIPHER_SERVER_PREFERENCE);
 	}
 	if (ctx->set->protocols != NULL) {
+#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
+		int min_protocol;
+		const char *error;
+		if (ssl_protocols_to_min_protocol(ctx->set->protocols,
+						  &min_protocol, &error) < 0) {
+			*error_r = t_strdup_printf(
+				"Unknown ssl_protocols setting: %s", error);
+			return -1;
+		} else if (SSL_CTX_set_min_proto_version(ctx->ssl_ctx,
+							 min_protocol) != 1) {
+			*error_r = t_strdup_printf(
+				"Failed to set SSL minimum protocol version to %d",
+				min_protocol);
+			return -1;
+		}
+#else
 		SSL_CTX_set_options(ctx->ssl_ctx,
 			openssl_get_protocol_options(ctx->set->protocols));
+#endif
 	}
 	if (set->cert != NULL &&
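Review bot: The new branch only sets a floor via SSL_CTX_set_min_proto_version and never sets a maximum, so an ssl_protocols value that excludes a version above the minimum cannot be expressed by this path; ssl_protocols_to_min_protocol is not part of this changeset, so confirm it returns < 0 for such lists instead of silently accepting a wider range than the SSL_OP_NO_* path in the #else branch would have enforced. The error text `"Failed to set SSL minimum protocol version to %d"` prints the raw OpenSSL version constant, which an operator cannot easily map back to the setting; `"Failed to set SSL minimum protocol version (ssl_protocols=%s)"` with ctx->set->protocols as the argument would be more useful. The iostream-openssl.c and ssl-proxy-openssl.c hunks duplicate this block almost verbatim, differing only in the target object and the error reporting; a single helper in lib-ssl-iostream that takes the protocols string and applies it would keep the three copies from drifting. The enclosing function starts and ends outside the hunk.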
--- a/src/lib-ssl-iostream/iostream-openssl.c	Sat Nov 11 04:28:57 2017 +0200
+++ b/src/lib-ssl-iostream/iostream-openssl.c	Thu Nov 30 12:03:36 2017 +0200
@@ -173,8 +173,25 @@
 #if defined(HAVE_SSL_CLEAR_OPTIONS)
 		SSL_clear_options(ssl_io->ssl, OPENSSL_ALL_PROTOCOL_OPTIONS);
 #endif
+#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
+		int min_protocol;
+		const char *error;
+		if (ssl_protocols_to_min_protocol(set->protocols,
+						  &min_protocol, &error) < 0) {
+			*error_r = t_strdup_printf(
+				"Unknown ssl_protocols setting: %s", error);
+			return -1;
+		} else if (SSL_set_min_proto_version(ssl_io->ssl,
+						     min_protocol) != 1) {
+			*error_r = t_strdup_printf(
+				"Failed to set SSL minimum protocol version to %d",
+				min_protocol);
+			return -1;
+		}
+#else
 		SSL_set_options(ssl_io->ssl,
 				openssl_get_protocol_options(set->protocols));
+#endif
 	}
 	if (set->cert != NULL && strcmp(ctx_set->cert, set->cert) != 0) {
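Review bot: SSL_set_min_proto_version, which operates on the SSL object rather than the SSL_CTX, is guarded here by HAVE_SSL_CTX_SET_MIN_PROTO_VERSION; the configure probe presumably checks only the CTX variant, which is fine for releases that ship both together but deserves a comment on the `#ifdef` line, e.g. `/* SSL_set_min_proto_version is provided alongside SSL_CTX_set_min_proto_version */`. The lines just above use `#if defined(HAVE_SSL_CLEAR_OPTIONS)` while the new code uses `#ifdef`; using one form within this function would read more consistently. The enclosing function starts and ends outside the hunk.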
--- a/src/login-common/ssl-proxy-openssl.c	Sat Nov 11 04:28:57 2017 +0200
+++ b/src/login-common/ssl-proxy-openssl.c	Thu Nov 30 12:03:36 2017 +0200
@@ -1301,7 +1301,18 @@
 	}
 	if (ctx->prefer_server_ciphers)
 		SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
+	int min_protocol;
+	const char *error;
+	if (ssl_protocols_to_min_protocol(ctx->protocols, &min_protocol,
+					  &error) < 0)
+		i_fatal("Unknown ssl_protocols setting: %s", error);
+	else if (SSL_CTX_set_min_proto_version(ssl_ctx, min_protocol) != 1)
+		i_fatal("Failed to set SSL minimum protocol version to %d",
+			min_protocol);
+#else
 	SSL_CTX_set_options(ssl_ctx,
 			    openssl_get_protocol_options(ctx->protocols));
+#endif
 	if (ctx->pri.cert != NULL && *ctx->pri.cert != '\0' &&
 	    ssl_proxy_ctx_use_certificate_chain(ctx->ctx, ctx->pri.cert) != 1) {