From: Aki Tuomi
Date: Fri, 26 Mar 2021 12:11:48 +0000 (+0200)
Subject: lib-ssl-iostream: Add additional supported protocols
X-Git-Tag: 2.3.15~106
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=585e09f4d7b1788f45c0b88ed729758ee56c5980;p=thirdparty%2Fdovecot%2Fcore.git
lib-ssl-iostream: Add additional supported protocols
ANY - Any protocol version accepted
TLSv1.3 - Self-explanatory
LATEST - The newest protocol only
---
diff --git a/src/lib-ssl-iostream/iostream-openssl-common.c b/src/lib-ssl-iostream/iostream-openssl-common.c
index 6fd67490dc..104d6f78f5 100644
--- a/src/lib-ssl-iostream/iostream-openssl-common.c
+++ b/src/lib-ssl-iostream/iostream-openssl-common.c
@@ -18,11 +18,30 @@ static const struct { int version; long opt; } protocol_versions[] = {
+#ifdef TLS_ANY_VERSION
+ { "ANY", TLS_ANY_VERSION, 0 },
+#else
+ { "ANY", SSL3_VERSION, 0 },
+#endif
 { SSL_TXT_SSLV3, SSL3_VERSION, 0 },
 { SSL_TXT_TLSV1, TLS1_VERSION, SSL_OP_NO_SSLv3 },
 { SSL_TXT_TLSV1_1, TLS1_1_VERSION, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 },
 { SSL_TXT_TLSV1_2, TLS1_2_VERSION, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 },
+#if defined(TLS1_3_VERSION)
+ { "TLSv1.3", TLS1_3_VERSION,
+ SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
+ SSL_OP_NO_TLSv1_2 },
+#endif
+ /* Use latest protocol version. If this is used on some ancient system which does not support ssl_min_protocol, ensure only TLSv1.2 is supported. */
+#ifdef TLS_MAX_VERSION
+ { "LATEST", TLS_MAX_VERSION,
+#else
+ { "LATEST", 0,
+#endif
+ SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 },
 };
 int openssl_min_protocol_to_options(const char *min_protocol, long *opt_r, int *version_r)
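Review bot: The new `"ANY"` row stores TLS_ANY_VERSION as its version value, but that constant selects the version-flexible method rather than naming a protocol; if `*version_r` is later handed to SSL_CTX_set_min_proto_version (the caller is outside this hunk), the documented value for "no lower bound" is 0 and a bound above TLS_MAX_VERSION may be rejected, so `{ "ANY", 0, 0 },` without the #ifdef pair looks like the safer row — worth confirming against the caller. Note also that with the SSL3_VERSION fallback and an opt of 0, "ANY" genuinely admits SSLv3 wherever the linked library still builds it, which the table and the ssl_min_protocol documentation should state plainly, e.g. `/* ANY: no floor; admits SSLv3 if the library supports it */`. For consistency with the neighbouring rows, the TLS 1.3 entry could use the library's SSL_TXT_TLSV1_3 macro instead of the literal "TLSv1.3" under the same #if guard.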