Commit 14decaf5 authored by Brendan Cully's avatar Brendan Cully

Replace pointless imap_force_ssl option with ssl_force_tls, which requires

any connection (POP or IMAP) to a remote server to be encrypted, and attempts
to negotiate encryption even if the capability isn't advertised (this last
bit is of dubious utility, but essentially harmless since the connection
would otherwise fail anyway). Closes: #1284.
parent 0c516bd1
......@@ -440,11 +440,14 @@ int imap_open_connection (IMAP_DATA* idata)
goto bail;
#if defined(USE_SSL) || defined(USE_GNUTLS)
/* Attempt STARTTLS if available and desired. */
if (mutt_bit_isset (idata->capabilities, STARTTLS) && !idata->conn->ssf)
if (!idata->conn->ssf && (option(OPTSSLFORCETLS) ||
mutt_bit_isset (idata->capabilities, STARTTLS)))
{
int rc;
if ((rc = query_quadoption (OPT_SSLSTARTTLS,
if (option(OPTSSLFORCETLS))
rc = M_YES;
else if ((rc = query_quadoption (OPT_SSLSTARTTLS,
_("Secure connection with TLS?"))) == -1)
goto err_close_conn;
if (rc == M_YES) {
......@@ -471,6 +474,13 @@ int imap_open_connection (IMAP_DATA* idata)
}
}
}
if (option(OPTSSLFORCETLS) && ! idata->conn->ssf)
{
mutt_error _("Encrypted connection unavailable");
mutt_sleep (1);
goto err_close_conn;
}
#endif
}
else if (ascii_strncasecmp ("* PREAUTH", idata->cmd.buf, 9) == 0)
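Review bot: The new "Encrypted connection unavailable" guard at L30–L35 lives inside the branch that handles the server's OK greeting, while the sibling `else if (ascii_strncasecmp ("* PREAUTH", ...))` branch at L38 has its body outside the hunk, so it is not visible whether that path enforces `ssl_force_tls` at all. If it does not, a server greeting (or anything able to substitute one) of PREAUTH would skip the STARTTLS block entirely and the session would continue in plaintext despite the option being set; the same guard, `if (option(OPTSSLFORCETLS) && !idata->conn->ssf) { mutt_error _("Encrypted connection unavailable"); goto err_close_conn; }`, belongs in that branch too, or better once after both branches so a new greeting type cannot reintroduce the gap. A smaller point: L30 writes `! idata->conn->ssf` with a space where L14–L15 and the POP counterpart write `!pop_data->conn->ssf`. imap_open_connection begins and ends outside these hunks.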
......@@ -166,11 +166,6 @@ int imap_parse_path (const char* path, IMAP_MBOX* mx)
}
}
#if defined(USE_SSL) || defined(USE_GNUTLS)
if (option (OPTIMAPFORCESSL))
mx->account.flags |= M_ACCT_SSL;
#endif
if ((mx->account.flags & M_ACCT_SSL) && !(mx->account.flags & M_ACCT_PORT))
mx->account.port = ImapsPort;
......@@ -827,14 +827,6 @@ struct option_t MuttVars[] = {
** as folder separators for displaying IMAP paths. In particular it
** helps in using the '=' shortcut for your \fIfolder\fP variable.
*/
# if defined(USE_SSL) || defined(USE_GNUTLS)
{ "imap_force_ssl", DT_BOOL, R_NONE, OPTIMAPFORCESSL, 0 },
/*
** .pp
** If this variable is set, Mutt will always use SSL when
** connecting to IMAP servers.
*/
# endif
{ "imap_headers", DT_STR, R_INDEX, UL &ImapHeaders, UL 0},
/*
** .pp
......@@ -1886,8 +1878,16 @@ struct option_t MuttVars[] = {
** The file containing a client certificate and its associated private
** key.
*/
#endif
# if defined(USE_SSL)||defined(USE_GNUTLS)
#endif /* USE_SSL */
{ "ssl_force_tls", DT_BOOL, R_NONE, OPTSSLFORCETLS, 0 },
/*
** .pp
** If this variable is set, Mutt will require that all connections
** to remote servers be encrypted. Furthermore it will attempt to
** negotiate TLS even if the server does not advertise the capability,
** since it would otherwise have to abort the connection anyway. This
** option supersedes ``$$ssl_starttls''.
*/
{ "ssl_starttls", DT_QUAD, R_NONE, OPT_SSLSTARTTLS, M_YES },
/*
** .pp
......@@ -1895,7 +1895,6 @@ struct option_t MuttVars[] = {
** advertising the capability. When unset, mutt will not attempt to
** use STARTTLS regardless of the server's capabilities.
*/
# endif
{ "certificate_file", DT_PATH, R_NONE, UL &SslCertFile, UL "~/.mutt_certificates" },
/*
** .pp
......@@ -1931,7 +1930,7 @@ struct option_t MuttVars[] = {
** This variables specifies whether to attempt to use SSLv2 in the
** SSL authentication process.
*/
# endif
# endif /* defined _MAKEDOC || !defined(USE_GNUTLS) */
{ "ssl_use_sslv3", DT_BOOL, R_NONE, OPTSSLV3, 1 },
/*
** .pp
......@@ -1944,7 +1943,7 @@ struct option_t MuttVars[] = {
** This variables specifies whether to attempt to use TLSv1 in the
** SSL authentication process.
*/
#ifdef USE_GNUTLS
# ifdef USE_GNUTLS
{ "ssl_min_dh_prime_bits", DT_NUM, R_NONE, UL &SslDHPrimeBits, 0 },
/*
** .pp
......@@ -1961,8 +1960,8 @@ struct option_t MuttVars[] = {
** .pp
** Example: set ssl_ca_certificates_file=/etc/ssl/certs/ca-certificates.crt
*/
#endif
#endif
# endif /* USE_GNUTLS */
#endif /* defined(USE_SSL) || defined(USE_GNUTLS) */
{ "pipe_split", DT_BOOL, R_NONE, OPTPIPESPLIT, 0 },
/*
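Review bot: The `$ssl_force_tls` description at L75–L79 states that connections must be encrypted but not what happens when they cannot be; the code in this commit closes the connection with the error "Encrypted connection unavailable", and one sentence such as `** If encryption cannot be established, the connection is closed with an error.` would tell users how a non-TLS server shows up. It could also say explicitly that the option covers both IMAP and POP connections, which the current wording leaves to "all connections". Since `$imap_force_ssl` is dropped at L54–L61 rather than kept as a deprecated alias, a muttrc still setting it will presumably fail to parse at startup, and the removed lines at L44–L45 also set M_ACCT_SSL, which selected ImapsPort via L47–L48, whereas `$ssl_force_tls` does not; a short migration note in the description (use `$ssl_force_tls`, and an explicit port or imaps:// URL if implicit SSL was relied on) would spare former users a surprise.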
......@@ -372,20 +372,16 @@ enum
OPTIMAPPASSIVE,
OPTIMAPPEEK,
OPTIMAPSERVERNOISE,
# if defined(USE_SSL) || defined(USE_GNUTLS)
OPTIMAPFORCESSL,
# endif
#endif
#if defined(USE_SSL) || defined(USE_GNUTLS)
# ifndef USE_GNUTLS
OPTSSLSYSTEMCERTS,
OPTSSLV2,
# endif
# endif /* USE_GNUTLS */
OPTSSLV3,
OPTTLSV1,
# ifndef USE_GNUTLS
OPTSSLSYSTEMCERTS,
# endif
#endif
OPTSSLFORCETLS,
#endif /* defined(USE_SSL) || defined(USE_GNUTLS) */
OPTIMPLICITAUTOVIEW,
OPTINCLUDEONLYFIRST,
OPTKEEPFLAGGED,
......@@ -276,8 +276,10 @@ int pop_open_connection (POP_DATA *pop_data)
#if defined(USE_SSL) || defined(USE_GNUTLS)
/* Attempt STLS if available and desired. */
if (pop_data->cmd_stls && !pop_data->conn->ssf)
if (!pop_data->conn->ssf && (pop_data->cmd_stls || option(OPTSSLFORCETLS)))
{
if (option(OPTSSLFORCETLS))
pop_data->use_stls = 2;
if (pop_data->use_stls == 0)
{
ret = query_quadoption (OPT_SSLSTARTTLS,
......@@ -323,6 +325,13 @@ int pop_open_connection (POP_DATA *pop_data)
}
}
}
if (option(OPTSSLFORCETLS) && !pop_data->conn->ssf)
{
mutt_error _("Encrypted connection unavailable");
mutt_sleep (1);
return -2;
}
#endif
ret = pop_authenticate (pop_data);
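Review bot: `pop_data->use_stls = 2;` at L154 assigns a bare literal whose meaning is not visible in the hunk; it is apparently the state that makes the following `if (pop_data->use_stls == 0)` query skip, so a comment on that line stating what state 2 denotes, or a named constant shared with the existing STLS code, would keep the forced and the prompted paths readable together. The guard at L162–L167 returns -2 while the IMAP counterpart added in this commit jumps to err_close_conn; whether the caller of pop_open_connection closes the socket on -2 is outside the hunk, so it is worth confirming that the plaintext connection is not left open after the error. pop_open_connection begins and ends outside these hunks.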