Commit 445a0479 authored by Thomas Roessler

Add options to disallow individual SSL protocols. From Jeremy Katz <katzj@linuxpower.org>.
parent b2c26254
......@@ -29,6 +29,22 @@ For example:
set certificate_file=~/.mutt/certificates
If after doing the above, you are unable to successfully connect, it
is likely that your IMAP server does not support one of the SSL protocols.
There exist three different protocols, TLSv1, SSLv2, and SSLv3. To check
each of these, you use the following:
openssl s_client -host <imap server> -port <port> -verify -debug -no_tls1
openssl s_client -host <imap server> -port <port> -verify -debug -no_ssl2
openssl s_client -host <imap server> -port <port> -verify -debug -no_ssl3
You can also combine the options until you get a successfull connect. Once
you know which options do not work, you can set the variables for non-working
protocols to know. The variables for the protocols are ssl_use_tlsv1,
ssl_use_sslv2, and ssl_use_sslv3.
--
Tommi Komulainen
Tommi.Komulainen@iki.fi
Updated by Jeremy Katz
katzj@linuxpower.org
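Review bot: the three `openssl s_client` lines pass `-verify` without its depth argument, so the parser takes `-debug` as the depth; either give it a depth (`-verify 5`) or drop `-verify` altogether, since the test only needs to show whether the handshake completes with one protocol disabled. Two typos in the same paragraph: `successfull` should be `successful`, and "set the variables for non-working protocols to know" should read "to no" (the muttrc value for a boolean).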
......@@ -77,6 +77,21 @@ int ssl_socket_open (CONNECTION * conn)
SSLeay_add_ssl_algorithms ();
data->ctx = SSL_CTX_new (SSLv23_client_method ());
/* disable SSL protocols as needed */
if (!option(OPTTLSV1))
{
SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1);
}
if (!option(OPTSSLV2))
{
SSL_CTX_set_options(data->ctx, SSL_OP_NO_SSLv2);
}
if (!option(OPTSSLV3))
{
SSL_CTX_set_options(data->ctx, SSL_OP_NO_SSLv3);
}
data->ssl = SSL_new (data->ctx);
SSL_set_fd (data->ssl, conn->fd);
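Review bot: nothing prevents the user from unsetting all three of ssl_use_tlsv1, ssl_use_sslv2 and ssl_use_sslv3, in which case the three `SSL_CTX_set_options` calls strip every protocol `SSLv23_client_method` can offer and the later connect fails with an opaque handshake error. Suggest checking `option(OPTTLSV1) || option(OPTSSLV2) || option(OPTSSLV3)` before `SSL_CTX_new` and reporting a clear message that at least one protocol must remain enabled, rather than continuing into a handshake that cannot succeed.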
......@@ -660,7 +660,7 @@ struct option_t MuttVars[] = {
/*
** .pp
** Specifies the password for your IMAP account. If unset, Mutt will
** prompt you for your password when you invoke the fetch-mail function.
* prompt you for your password when you invoke the fetch-mail function.
** \fBWarning\fP: you should only use this option when you are on a
** fairly secure machine, because the superuser can read your muttrc even
** if you are the only one who can read the file.
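Review bot: the only change in this hunk is `**` versus `*` at the start of the "prompt you for your password" line, while every neighbouring comment line begins with `**`; makedoc extracts only the `**` lines into the manual, so the single-asterisk form silently drops that sentence from the generated documentation. If the direction here is `**` to `*`, that is a regression and the line should stay `**`.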
......@@ -1324,6 +1324,24 @@ struct option_t MuttVars[] = {
** be saved in this file and further connections are automatically
** accepted.
*/
{ "ssl_use_sslv2", DT_BOOL, R_NONE, OPTSSLV2, 1 },
/*
** .pp
** This variables specifies whether to attempt to use SSLv2 in the
** SSL authentication process.
*/
{ "ssl_use_sslv3", DT_BOOL, R_NONE, OPTSSLV3, 1 },
/*
** .pp
** This variables specifies whether to attempt to use SSLv3 in the
** SSL authentication process.
*/
{ "ssl_use_tlsv1", DT_BOOL, R_NONE, OPTTLSV1, 1 },
/*
** .pp
** This variables specifies whether to attempt to use TLSv1 in the
** SSL authentication process.
*/
#endif
{ "pipe_split", DT_BOOL, R_NONE, OPTPIPESPLIT, 0 },
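Review bot: all three new options default to 1, which leaves SSLv2 enabled out of the box; SSLv2's handshake has no integrity protection and is known to be weak, so consider defaulting `ssl_use_sslv2` to 0 and letting users who need it opt in. The three descriptions also read "This variables specifies" (should be "This variable specifies"), and what they control is protocol selection during the SSL handshake rather than an "SSL authentication process".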
......@@ -300,6 +300,11 @@ enum
#ifdef USE_IMAP
OPTIMAPLSUB,
OPTIMAPPASSIVE,
#endif
#ifdef USE_SSL
OPTSSLV2,
OPTSSLV3,
OPTTLSV1,
#endif
OPTIMPLICITAUTOVIEW,
OPTMAILCAPSANITIZE,