From: Timo Sirainen
Date: Mon, 10 May 2004 01:55:41 +0000 (+0300)
Subject: Added ssl_cipher_list setting.
X-Git-Tag: 1.1.alpha1~4110
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=861d373feea39d3fe8c3cda75ea25cf418a2e26c;p=thirdparty%2Fdovecot%2Fcore.git

Added ssl_cipher_list setting.

--HG--
branch : HEAD
---
diff --git a/dovecot-example.conf b/dovecot-example.conf
index 12ffe02e00..17ba4dab55 100644
--- a/dovecot-example.conf
+++ b/dovecot-example.conf
@@ -43,6 +43,9 @@
 # entirely.
 #ssl_parameters_regenerate = 24
 
+# SSL ciphers to use
+#ssl_cipher_list = all:!low
+
 # Disable LOGIN command and all other plaintext authentications unless
 # SSL/TLS is used (LOGINDISABLED capability). Note that 127.*.*.* and
 # IPv6 ::1 addresses are considered secure, this setting has no effect if
diff --git a/src/login-common/ssl-proxy-openssl.c b/src/login-common/ssl-proxy-openssl.c
index fc80534ee0..6e5722ea25 100644
--- a/src/login-common/ssl-proxy-openssl.c
+++ b/src/login-common/ssl-proxy-openssl.c
@@ -15,7 +15,7 @@
 #include
 #include
 
-#define SSL_CIPHER_LIST "ALL:!LOW"
+#define DOVECOT_SSL_DEFAULT_CIPHER_LIST "ALL:!LOW"
 
 enum ssl_io_action {
 SSL_ADD_INPUT,
@@ -403,7 +403,7 @@ static RSA *ssl_gen_rsa_key(SSL *ssl __attr_unused__,
 
 void ssl_proxy_init(void)
 {
- const char *cafile, *certfile, *keyfile, *paramfile;
+ const char *cafile, *certfile, *keyfile, *paramfile, *cipher_list;
 char buf;
 
 cafile = getenv("SSL_CA_FILE");
@@ -424,9 +424,12 @@ void ssl_proxy_init(void)
 
 SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
 
- if (SSL_CTX_set_cipher_list(ssl_ctx, SSL_CIPHER_LIST) != 1) {
+ cipher_list = getenv("SSL_CIPHER_LIST");
+ if (cipher_list == NULL)
+ cipher_list = DOVECOT_SSL_DEFAULT_CIPHER_LIST;
+ if (SSL_CTX_set_cipher_list(ssl_ctx, cipher_list) != 1) {
 i_fatal("Can't set cipher list to '%s': %s",
- SSL_CIPHER_LIST, ssl_last_error());
+ cipher_list, ssl_last_error());
 }
 
 if (cafile != NULL) {
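Review bot: The example value `all:!low` is spelled differently from the C-side default `ALL:!LOW` in ssl-proxy-openssl.c, and as far as I recall OpenSSL matches cipher-list keywords case-sensitively; if that holds, uncommenting the example as written makes the login process fail in SSL_CTX_set_cipher_list and i_fatal at startup instead of selecting any ciphers. Change the example line to `#ssl_cipher_list = ALL:!LOW` so it mirrors the built-in default. The comment above it could also state the default and the syntax it follows, e.g. `# SSL cipher list in OpenSSL cipher-list syntax (see ciphers(1)). Default: ALL:!LOW`, so an administrator does not have to read the C source to learn what is in effect when the setting is unset.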
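Review bot: In the `@@ -424,9 +424,12 @@` hunk an empty `SSL_CIPHER_LIST` in the environment is handed straight to SSL_CTX_set_cipher_list, which I expect to reject an empty list, so a config line `ssl_cipher_list =` with no value (if the settings parser stores it as "" rather than NULL) becomes an i_fatal at login-process startup rather than the documented default; `if (cipher_list == NULL || *cipher_list == '\0')` would make both cases fall back to DOVECOT_SSL_DEFAULT_CIPHER_LIST. The value is the master-process setting relayed through the environment (login_process_init_env in this same commit), and nothing at the getenv says so; a one-line comment such as `/* SSL_CIPHER_LIST is set by master from the ssl_cipher_list setting; unset means use the built-in default */` records that contract for the next reader. ssl_proxy_init continues past the end of the hunk.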
diff --git a/src/master/login-process.c b/src/master/login-process.c
index 91564e3d80..6f773286fb 100644
--- a/src/master/login-process.c
+++ b/src/master/login-process.c
@@ -392,6 +392,10 @@ static void login_process_init_env(struct login_group *group, pid_t pid)
 set->ssl_key_file, NULL));
 env_put(t_strconcat("SSL_PARAM_FILE=",
 set->ssl_parameters_file, NULL));
+ if (set->ssl_cipher_list != NULL) {
+ env_put(t_strconcat("SSL_CIPHER_LIST=",
+ set->ssl_cipher_list, NULL));
+ }
 }
 
 if (set->disable_plaintext_auth)
diff --git a/src/master/master-settings.c b/src/master/master-settings.c
index 495738a9d0..b17a7b6d14 100644
--- a/src/master/master-settings.c
+++ b/src/master/master-settings.c
@@ -51,6 +51,7 @@ static struct setting_def setting_defs[] = {
 DEF(SET_STR, ssl_key_file),
 DEF(SET_STR, ssl_parameters_file),
 DEF(SET_STR, ssl_parameters_regenerate),
+ DEF(SET_STR, ssl_cipher_list),
 
 DEF(SET_BOOL, disable_plaintext_auth),
 DEF(SET_BOOL, verbose_ssl),
@@ -172,6 +173,7 @@ struct settings default_settings = {
 MEMBER(ssl_key_file) SSLDIR"/private/dovecot.pem",
 MEMBER(ssl_parameters_file) "ssl-parameters.dat",
 MEMBER(ssl_parameters_regenerate) 24,
+ MEMBER(ssl_cipher_list) NULL,
 
 MEMBER(disable_plaintext_auth) TRUE,
 MEMBER(verbose_ssl) FALSE,
diff --git a/src/master/master-settings.h b/src/master/master-settings.h
index 4c7221fe3c..84ec964cfb 100644
--- a/src/master/master-settings.h
+++ b/src/master/master-settings.h
@@ -28,6 +28,7 @@ struct settings {
 const char *ssl_key_file;
 const char *ssl_parameters_file;
 unsigned int ssl_parameters_regenerate;
+ const char *ssl_cipher_list;
 
 int disable_plaintext_auth;
 int verbose_ssl;
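Review bot: The new env_put in login_process_init_env is guarded by a NULL check while the neighbouring SSL_* env_put calls are not, and the reason is only visible in the other files of this commit: the setting defaults to NULL (`MEMBER(ssl_cipher_list) NULL` in master-settings.c) and the actual default list lives in ssl-proxy-openssl.c as DOVECOT_SSL_DEFAULT_CIPHER_LIST. A short comment on the guard, `/* NULL: login process falls back to its built-in default cipher list */`, would explain the asymmetry to a reader of this file alone. Having the default in master-settings.c instead (a non-NULL string, passed unconditionally like the other SSL_* values) would keep the configured and built-in defaults in one place so the example config and the code cannot drift apart, but that is a design choice for a follow-up. login_process_init_env starts before this hunk.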