changeset 1996:d8f06a0c818e HEAD

Added ssl_cipher_list setting.
author Timo Sirainen <tss@iki.fi>
date Mon, 10 May 2004 04:55:41 +0300
parents cc64f8bb4716
children 1d0985f6bdd9
files dovecot-example.conf src/login-common/ssl-proxy-openssl.c src/master/login-process.c src/master/master-settings.c src/master/master-settings.h
diffstat 5 files changed, 17 insertions(+), 4 deletions(-) [+]
--- a/dovecot-example.conf	Mon May 10 04:47:08 2004 +0300
+++ b/dovecot-example.conf	Mon May 10 04:55:41 2004 +0300
@@ -43,6 +43,9 @@
 # entirely.
 #ssl_parameters_regenerate = 24
 
+# SSL ciphers to use
+#ssl_cipher_list = all:!low
+
 # Disable LOGIN command and all other plaintext authentications unless
 # SSL/TLS is used (LOGINDISABLED capability). Note that 127.*.*.* and
 # IPv6 ::1 addresses are considered secure, this setting has no effect if
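Review bot: The example value `all:!low` on the new `#ssl_cipher_list` line is lowercase while the compiled-in default in ssl-proxy-openssl.c is `ALL:!LOW`; OpenSSL's ciphers(1) documentation gives its cipher-list keywords in uppercase, and unless the parser is known to accept lowercase aliases, a user who uncomments this line as written may get a rejected list and a fatal login-process start. Suggest `#ssl_cipher_list = ALL:!LOW` so the example matches both the default and the OpenSSL documentation.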
--- a/src/login-common/ssl-proxy-openssl.c	Mon May 10 04:47:08 2004 +0300
+++ b/src/login-common/ssl-proxy-openssl.c	Mon May 10 04:55:41 2004 +0300
@@ -15,7 +15,7 @@
 #include <openssl/err.h>
 #include <openssl/rand.h>
 
-#define SSL_CIPHER_LIST "ALL:!LOW"
+#define DOVECOT_SSL_DEFAULT_CIPHER_LIST "ALL:!LOW"
 
 enum ssl_io_action {
 	SSL_ADD_INPUT,
@@ -403,7 +403,7 @@
 
 void ssl_proxy_init(void)
 {
-	const char *cafile, *certfile, *keyfile, *paramfile;
+	const char *cafile, *certfile, *keyfile, *paramfile, *cipher_list;
 	char buf;
 
 	cafile = getenv("SSL_CA_FILE");
@@ -424,9 +424,12 @@
 
 	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
 
-	if (SSL_CTX_set_cipher_list(ssl_ctx, SSL_CIPHER_LIST) != 1) {
+	cipher_list = getenv("SSL_CIPHER_LIST");
+	if (cipher_list == NULL)
+		cipher_list = DOVECOT_SSL_DEFAULT_CIPHER_LIST;
+	if (SSL_CTX_set_cipher_list(ssl_ctx, cipher_list) != 1) {
 		i_fatal("Can't set cipher list to '%s': %s",
-			SSL_CIPHER_LIST, ssl_last_error());
+			cipher_list, ssl_last_error());
 	}
 
 	if (cafile != NULL) {
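Review bot: An empty `SSL_CIPHER_LIST` value is passed straight to SSL_CTX_set_cipher_list, because the new fallback at the `cipher_list == NULL` test covers only an unset variable; if the master exports `SSL_CIPHER_LIST=` for an empty `ssl_cipher_list` setting (whether the settings parser turns "" into NULL is not visible here), OpenSSL receives an empty string and the login process dies in i_fatal. Consider `if (cipher_list == NULL || *cipher_list == '\0')` so an empty value means the compiled-in default, or document that an empty value is a configuration error. Failing hard rather than silently falling back when the configured list is rejected is the right behaviour and deserves a one-line comment, e.g. `/* A cipher list OpenSSL rejects is fatal: never fall back to a weaker default silently. */`. ssl_proxy_init continues outside the hunk.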
--- a/src/master/login-process.c	Mon May 10 04:47:08 2004 +0300
+++ b/src/master/login-process.c	Mon May 10 04:55:41 2004 +0300
@@ -392,6 +392,10 @@
 				    set->ssl_key_file, NULL));
 		env_put(t_strconcat("SSL_PARAM_FILE=",
 				    set->ssl_parameters_file, NULL));
+		if (set->ssl_cipher_list != NULL) {
+			env_put(t_strconcat("SSL_CIPHER_LIST=",
+					    set->ssl_cipher_list, NULL));
+		}
 	}
 
 	if (set->disable_plaintext_auth)
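Review bot: The new `if (set->ssl_cipher_list != NULL)` block is the only SSL variable here that is exported conditionally, and nothing says why; a reader comparing it with the unconditional SSL_PARAM_FILE export above has to go to master-settings.c to learn that the default is NULL. Add `/* NULL: not configured, the login process uses its built-in default cipher list */` above the check. The enclosing if block starts outside the hunk.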
--- a/src/master/master-settings.c	Mon May 10 04:47:08 2004 +0300
+++ b/src/master/master-settings.c	Mon May 10 04:55:41 2004 +0300
@@ -51,6 +51,7 @@
 	DEF(SET_STR, ssl_key_file),
 	DEF(SET_STR, ssl_parameters_file),
 	DEF(SET_STR, ssl_parameters_regenerate),
+	DEF(SET_STR, ssl_cipher_list),
 	DEF(SET_BOOL, disable_plaintext_auth),
 	DEF(SET_BOOL, verbose_ssl),
 
@@ -172,6 +173,7 @@
 	MEMBER(ssl_key_file) SSLDIR"/private/dovecot.pem",
 	MEMBER(ssl_parameters_file) "ssl-parameters.dat",
 	MEMBER(ssl_parameters_regenerate) 24,
+	MEMBER(ssl_cipher_list) NULL,
 	MEMBER(disable_plaintext_auth) TRUE,
 	MEMBER(verbose_ssl) FALSE,
 
--- a/src/master/master-settings.h	Mon May 10 04:47:08 2004 +0300
+++ b/src/master/master-settings.h	Mon May 10 04:55:41 2004 +0300
@@ -28,6 +28,7 @@
 	const char *ssl_key_file;
 	const char *ssl_parameters_file;
 	unsigned int ssl_parameters_regenerate;
+	const char *ssl_cipher_list;
 	int disable_plaintext_auth;
 	int verbose_ssl;