lib-ssl-iostream,login-common: Use SSL_CTX_set_min_proto_version
authorMartti Rannanjärvi <martti.rannanjarvi@dovecot.fi>
Thu, 30 Nov 2017 10:03:36 +0000 (12:03 +0200)
committerTimo Sirainen <timo.sirainen@dovecot.fi>
Mon, 19 Feb 2018 14:29:57 +0000 (16:29 +0200)
Use SSL_CTX_set_min_proto_version to set the minimum ssl protocol
version where available.

src/lib-ssl-iostream/iostream-openssl-context.c
src/lib-ssl-iostream/iostream-openssl.c
src/login-common/ssl-proxy-openssl.c

index d5b1b3cf434f050359cb0e1144bbfa2be1fb79d0..05e07588ac1d4241aa0040dd7768aeba3296fb84 100644 (file)
@@ -336,8 +336,25 @@ ssl_iostream_context_set(struct ssl_iostream_context *ctx,
                                    SSL_OP_CIPHER_SERVER_PREFERENCE);
        }
        if (ctx->set->protocols != NULL) {
+#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
+               int min_protocol;
+               const char *error;
+               if (ssl_protocols_to_min_protocol(ctx->set->protocols,
+                                                 &min_protocol, &error) < 0) {
+                       *error_r = t_strdup_printf(
+                               "Unknown ssl_protocols setting: %s", error);
+                       return -1;
+               } else if (SSL_CTX_set_min_proto_version(ctx->ssl_ctx,
+                                                        min_protocol) != 1) {
+                       *error_r = t_strdup_printf(
+                               "Failed to set SSL minimum protocol version to %d",
+                               min_protocol);
+                       return -1;
+               }
+#else
                SSL_CTX_set_options(ctx->ssl_ctx,
                            openssl_get_protocol_options(ctx->set->protocols));
+#endif
        }
 
        if (set->cert != NULL &&
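Review bot: The failure message at L30-31 formats the raw OpenSSL version constant with `%d`, so an admin reading the log sees a number such as 771 rather than anything they can map back to their configuration; logging the configured string is more actionable, e.g. `"Failed to set SSL minimum protocol version for ssl_protocols=%s", ctx->set->protocols`. The same message is built at L57-58 and L80-81 and should change with it. A second, hedged point: the replaced SSL_CTX_set_options() path could disable any individual version via SSL_OP_NO_* bits, whereas SSL_CTX_set_min_proto_version() only expresses a floor; if ssl_protocols_to_min_protocol() (not visible here) does not return an error for a setting that excludes a newer version, that setting would silently stop narrowing the accepted range under the new build, so a short comment on the `#ifdef` stating that only a minimum is enforced on this path would help the next reader. ssl_iostream_context_set() begins before and continues after this hunk.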
index cce25b61fff68007ada9eca760c1a84395e213c3..68ec221787b545b270828cf1f08662fb73339d73 100644 (file)
@@ -173,8 +173,25 @@ openssl_iostream_set(struct ssl_iostream *ssl_io,
 #if defined(HAVE_SSL_CLEAR_OPTIONS)
                SSL_clear_options(ssl_io->ssl, OPENSSL_ALL_PROTOCOL_OPTIONS);
 #endif
+#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
+               int min_protocol;
+               const char *error;
+               if (ssl_protocols_to_min_protocol(set->protocols,
+                                                 &min_protocol, &error) < 0) {
+                       *error_r = t_strdup_printf(
+                               "Unknown ssl_protocols setting: %s", error);
+                       return -1;
+               } else if (SSL_set_min_proto_version(ssl_io->ssl,
+                                                    min_protocol) != 1) {
+                       *error_r = t_strdup_printf(
+                               "Failed to set SSL minimum protocol version to %d",
+                               min_protocol);
+                       return -1;
+               }
+#else
                SSL_set_options(ssl_io->ssl,
                                openssl_get_protocol_options(set->protocols));
+#endif
        }
 
        if (set->cert != NULL && strcmp(ctx_set->cert, set->cert) != 0) {
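Review bot: The SSL_clear_options(OPENSSL_ALL_PROTOCOL_OPTIONS) at L44 still runs ahead of the new branch, but on the HAVE_SSL_CTX_SET_MIN_PROTO_VERSION build the context side (first hunk) no longer sets any SSL_OP_NO_* bits, so that clear is effectively a no-op there and the per-connection override is carried entirely by SSL_set_min_proto_version(); as far as I can tell the SSL object starts from the minimum copied out of the context, and nothing in the hunk says so. A one-line comment above L54 would make the two mechanisms explicit: `/* overrides the min_proto_version inherited from the context; SSL_OP_NO_* bits are unused on this build */`. openssl_iostream_set() begins before and continues after this hunk.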
index 14afeaf026bcae3d9025db82d1ca08697f324d57..947c8ef700fcdf5bee990e75c2a1a5105fd9d352 100644 (file)
@@ -1301,7 +1301,18 @@ ssl_server_context_init(const struct login_settings *login_set,
        }
        if (ctx->prefer_server_ciphers)
                SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
+       int min_protocol;
+       const char *error;
+       if (ssl_protocols_to_min_protocol(ctx->protocols, &min_protocol,
+                                         &error) < 0)
+               i_fatal("Unknown ssl_protocols setting: %s", error);
+       else if (SSL_CTX_set_min_proto_version(ssl_ctx, min_protocol) != 1)
+               i_fatal("Failed to set SSL minimum protocol version to %d",
+                       min_protocol);
+#else
        SSL_CTX_set_options(ssl_ctx, openssl_get_protocol_options(ctx->protocols));
+#endif
 
        if (ctx->pri.cert != NULL && *ctx->pri.cert != '\0' &&
            ssl_proxy_ctx_use_certificate_chain(ctx->ctx, ctx->pri.cert) != 1) {
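Review bot: The declarations `int min_protocol;` and `const char *error;` at L74-75 are placed after executable statements at function scope, unlike the first two hunks where the same variables open a `{` block; if this file keeps declarations at the top of the function, either hoist them or wrap the new branch in its own block, `{ int min_protocol; const char *error; ... }`, so the `#ifdef` arm is self-contained. The i_fatal() calls also print the raw version constant with `%d` (see the note on the first hunk); on this path the configured string is `ctx->protocols`. ssl_server_context_init() begins before and continues after this hunk.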