From: Aki Tuomi
Date: Fri, 26 Mar 2021 10:08:40 +0000 (+0200)
Subject: lib-master: Add ssl_cipher_suites
X-Git-Tag: 2.3.15~107
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=57aa5d271f6801c6961bc7d2c42c68248e710078;p=thirdparty%2Fdovecot%2Fcore.git

lib-master: Add ssl_cipher_suites
---
diff --git a/src/lib-master/master-service-ssl-settings.c b/src/lib-master/master-service-ssl-settings.c
index dbe306c4d2..90cd6383e0 100644
--- a/src/lib-master/master-service-ssl-settings.c
+++ b/src/lib-master/master-service-ssl-settings.c
@@ -29,6 +29,7 @@ static const struct setting_define master_service_ssl_setting_defines[] = {
 	DEF(STR, ssl_client_key),
 	DEF(STR, ssl_dh),
 	DEF(STR, ssl_cipher_list),
+	DEF(STR, ssl_cipher_suites),
 	DEF(STR, ssl_curve_list),
 	DEF(STR, ssl_min_protocol),
 	DEF(STR, ssl_cert_username_field),
@@ -62,6 +63,7 @@ static const struct master_service_ssl_settings master_service_ssl_default_setti
 	.ssl_client_key = "",
 	.ssl_dh = "",
 	.ssl_cipher_list = "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH",
+	.ssl_cipher_suites = "", /* Use TLS library provided value */
 	.ssl_curve_list = "",
 	.ssl_min_protocol = "TLSv1",
 	.ssl_cert_username_field = "commonName",
@@ -177,6 +179,8 @@ void master_service_ssl_settings_to_iostream_set(
 	i_zero(set_r);
 	set_r->min_protocol = p_strdup(pool, ssl_set->ssl_min_protocol);
 	set_r->cipher_list = p_strdup(pool, ssl_set->ssl_cipher_list);
+	/* leave NULL if empty - let library decide */
+	set_r->ciphersuites = p_strdup_empty(pool, ssl_set->ssl_cipher_suites);
 	/* NOTE: It's a bit questionable whether ssl_ca should be used for
 	   clients. But at least for now it's needed for login-proxy. */
 	set_r->ca = p_strdup_empty(pool, ssl_set->ssl_ca);
diff --git a/src/lib-master/master-service-ssl-settings.h b/src/lib-master/master-service-ssl-settings.h
index 3d75ee4714..ec79c1f1d3 100644
--- a/src/lib-master/master-service-ssl-settings.h
+++ b/src/lib-master/master-service-ssl-settings.h
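Review bot: The new `ssl_cipher_suites` setting is wired through to `set_r->ciphersuites` without any comment in these hunks saying what it controls or how it relates to `ssl_cipher_list`, whose hardened default stays in place while the new setting defaults to the library value; an operator restricting one list can easily assume the other is covered too. Given the separate `ciphersuites` field this is presumably the TLSv1.3 suite list, which the TLS library selects independently of the TLSv1.2-and-earlier `cipher_list`. Suggest documenting the field once on the struct in master-service-ssl-settings.h (same gap for mail-storage-settings.h), e.g. `/* TLSv1.3 cipher suites; empty = TLS library default. Independent of ssl_cipher_list, which does not cover TLSv1.3 suites. */`. Whether an invalid suite string is rejected or silently ignored is decided in the ssl-iostream layer, outside this diff, so it is worth confirming that a typo here fails loudly rather than falling back to the library default.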
@@ -18,6 +18,7 @@ struct master_service_ssl_settings {
 	const char *ssl_client_key;
 	const char *ssl_dh;
 	const char *ssl_cipher_list;
+	const char *ssl_cipher_suites;
 	const char *ssl_curve_list;
 	const char *ssl_min_protocol;
 	const char *ssl_cert_username_field;
diff --git a/src/lib-storage/mail-storage-settings.c b/src/lib-storage/mail-storage-settings.c
index 21808b9bfc..7a6e66e5b6 100644
--- a/src/lib-storage/mail-storage-settings.c
+++ b/src/lib-storage/mail-storage-settings.c
@@ -87,6 +87,7 @@ static const struct setting_define mail_storage_setting_defines[] = {
 	DEF(STR, ssl_client_cert),
 	DEF(STR, ssl_client_key),
 	DEF(STR, ssl_cipher_list),
+	DEF(STR, ssl_cipher_suites),
 	DEF(STR, ssl_curve_list),
 	DEF(STR, ssl_min_protocol),
 	DEF(STR, ssl_crypto_device),
@@ -155,6 +156,7 @@ const struct mail_storage_settings mail_storage_default_settings = {
 	.ssl_client_cert = "",
 	.ssl_client_key = "",
 	.ssl_cipher_list = "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH",
+	.ssl_cipher_suites = "", /* Use TLS library provided value */
 	.ssl_curve_list = "",
 	.ssl_min_protocol = "TLSv1",
 	.ssl_crypto_device = "",
@@ -824,6 +826,8 @@ void mail_storage_settings_init_ssl_client_settings(const struct mail_storage_se
 	if (*mail_set->ssl_client_key != '\0')
 		ssl_set_r->cert.key = mail_set->ssl_client_key;
 	ssl_set_r->cipher_list = mail_set->ssl_cipher_list;
+	if (*mail_set->ssl_cipher_suites != '\0')
+		ssl_set_r->ciphersuites = mail_set->ssl_cipher_suites;
 	ssl_set_r->curve_list = mail_set->ssl_curve_list;
 	ssl_set_r->min_protocol = mail_set->ssl_min_protocol;
 	ssl_set_r->crypto_device = mail_set->ssl_crypto_device;
diff --git a/src/lib-storage/mail-storage-settings.h b/src/lib-storage/mail-storage-settings.h
index e09fe84519..66e578d948 100644
--- a/src/lib-storage/mail-storage-settings.h
+++ b/src/lib-storage/mail-storage-settings.h
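Review bot: In `mail_storage_settings_init_ssl_client_settings` the new `if (*mail_set->ssl_cipher_suites != '\0')` guard leaves `ssl_set_r->ciphersuites` untouched when the setting is empty, whereas the lib-master path explicitly stores NULL via `p_strdup_empty`; the two are only equivalent if the caller hands in a zeroed struct, and the start of this function (where that would be visible) is outside the hunk. The guard follows the existing `ssl_client_key` pattern, so the style is consistent, but the intent that empty means "library default" is stated only on the lib-master side. Suggest mirroring that comment above the new `if`: `/* leave NULL if empty - let library decide */`, so a reader of this file does not have to cross-reference lib-master to learn why the empty string is skipped.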
@@ -69,6 +69,7 @@ struct mail_storage_settings {
 	const char *ssl_client_cert;
 	const char *ssl_client_key;
 	const char *ssl_cipher_list;
+	const char *ssl_cipher_suites;
 	const char *ssl_curve_list;
 	const char *ssl_min_protocol;
 	const char *ssl_crypto_device;