# entirely.
#ssl_parameters_regenerate = 24
+# SSL ciphers to use
+#ssl_cipher_list = all:!low
+
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that 127.*.*.* and
# IPv6 ::1 addresses are considered secure, this setting has no effect if
#include <openssl/err.h>
#include <openssl/rand.h>
-#define SSL_CIPHER_LIST "ALL:!LOW"
+#define DOVECOT_SSL_DEFAULT_CIPHER_LIST "ALL:!LOW"
enum ssl_io_action {
SSL_ADD_INPUT,
void ssl_proxy_init(void)
{
- const char *cafile, *certfile, *keyfile, *paramfile;
+ const char *cafile, *certfile, *keyfile, *paramfile, *cipher_list;
char buf;
cafile = getenv("SSL_CA_FILE");
SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
- if (SSL_CTX_set_cipher_list(ssl_ctx, SSL_CIPHER_LIST) != 1) {
+ cipher_list = getenv("SSL_CIPHER_LIST");
+ if (cipher_list == NULL)
+ cipher_list = DOVECOT_SSL_DEFAULT_CIPHER_LIST;
+ if (SSL_CTX_set_cipher_list(ssl_ctx, cipher_list) != 1) {
i_fatal("Can't set cipher list to '%s': %s",
- SSL_CIPHER_LIST, ssl_last_error());
+ cipher_list, ssl_last_error());
}
if (cafile != NULL) {
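Review bot: The fallback on the added lines `if (cipher_list == NULL) cipher_list = DOVECOT_SSL_DEFAULT_CIPHER_LIST;` keeps the old `"ALL:!LOW"` policy, and in OpenSSL's cipher-string grammar `ALL` excludes only eNULL while `LOW` covers the 56/64-bit suites but not the export group, so anonymous (aNULL/ADH, no server authentication) and 40-bit export (EXP) suites stay enabled for every installation that does not set `ssl_cipher_list`. Since this commit names the default anyway, I would harden it to `#define DOVECOT_SSL_DEFAULT_CIPHER_LIST "ALL:!LOW:!SSLv2:!EXP:!aNULL"` (the define is in the earlier hunk of this file) and mirror that string in the `#ssl_cipher_list` example so the documented default matches the compiled one. The example currently spells it `all:!low` while the code uses `ALL:!LOW`; as far as I recall OpenSSL matches cipher-string keywords case-sensitively, so an admin who uncomments the example as-is would hit the `i_fatal("Can't set cipher list ...")` path at login-process start — worth checking with `openssl ciphers 'all:!low'` before merging. The `SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL)` context line only enables bug workarounds and does not disable SSLv2, which is why carrying `!SSLv2` in the default is useful; whether SSLv2 is otherwise reachable depends on the method selected outside this hunk. ssl_proxy_init continues past the end of the hunk.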
set->ssl_key_file, NULL));
env_put(t_strconcat("SSL_PARAM_FILE=",
set->ssl_parameters_file, NULL));
+ if (set->ssl_cipher_list != NULL) {
+ env_put(t_strconcat("SSL_CIPHER_LIST=",
+ set->ssl_cipher_list, NULL));
+ }
}
if (set->disable_plaintext_auth)
DEF(SET_STR, ssl_key_file),
DEF(SET_STR, ssl_parameters_file),
DEF(SET_STR, ssl_parameters_regenerate),
+ DEF(SET_STR, ssl_cipher_list),
DEF(SET_BOOL, disable_plaintext_auth),
DEF(SET_BOOL, verbose_ssl),
MEMBER(ssl_key_file) SSLDIR"/private/dovecot.pem",
MEMBER(ssl_parameters_file) "ssl-parameters.dat",
MEMBER(ssl_parameters_regenerate) 24,
+ MEMBER(ssl_cipher_list) NULL,
MEMBER(disable_plaintext_auth) TRUE,
MEMBER(verbose_ssl) FALSE,
const char *ssl_key_file;
const char *ssl_parameters_file;
unsigned int ssl_parameters_regenerate;
+ const char *ssl_cipher_list;
int disable_plaintext_auth;
int verbose_ssl;