qpsmtpd/qpsmtpd-0.95-allow_tls_proto_from_conf.patch

57 lines
2.3 KiB
Diff
Raw Normal View History

diff -Nur -x '*.orig' -x '*.rej' qpsmtpd-0.95/plugins/tls mezzanine_patched_qpsmtpd-0.95/plugins/tls
--- qpsmtpd-0.95/plugins/tls 2016-01-07 19:14:45.099736554 +0100
+++ mezzanine_patched_qpsmtpd-0.95/plugins/tls 2016-01-07 19:14:30.152736181 +0100
@@ -62,6 +62,14 @@
and put a suitable string in config/tls_ciphers (e.g. "DEFAULT" or
"HIGH:MEDIUM")
+=head1 SSL/TLS protocols versions
+
+By default, SSLv2 and SSLv3 are not accepted, leaving only TLSv1,
+TLSv1.1 or TLSv1.2 enabled. You can customize this in config/tls_protocols
+For example, this will also disabled TLSv1, leaving only TLSv1.1 and TLSv1.2
+
+SSLv23:!SSLv2:!SSLv3:!TLSv1
+
=cut
use strict;
@@ -94,6 +102,7 @@
$self->tls_ca($ca);
$self->tls_dhparam($dhparam);
$self->tls_ciphers($self->qp->config('tls_ciphers') || 'HIGH');
+ $self->tls_protocols($self->qp->config('tls_protocols') || 'SSLv23:!SSLv2:!SSLv3');
$self->log(LOGDEBUG, "ciphers: " . $self->tls_ciphers);
@@ -102,7 +111,7 @@
IO::Socket::SSL::SSL_Context->new(
# Disable SSLv2 and SSLv3 to avoid POODLE attacks. This is already
# the default in sufficiently recent versions of IO::Socket::SSL
- SSL_version => 'SSLv23:!SSLv3:!SSLv2',
+ SSL_version => $self->tls_protocols,
SSL_use_cert => 1,
SSL_cert_file => $self->tls_cert,
SSL_key_file => $self->tls_key,
@@ -226,6 +235,7 @@
my $tlssocket =
IO::Socket::SSL->new_from_fd(
fileno(STDIN), '+>',
+ SSL_version => $self->tls_protocols,
SSL_use_cert => 1,
SSL_cert_file => $self->tls_cert,
SSL_key_file => $self->tls_key,
@@ -286,6 +296,12 @@
$self->{_tls_ciphers};
}
+sub tls_protocols {
+ my $self = shift;
+ @_ and $self->{_tls_protocols} = shift;
+ $self->{_tls_protocols};
+}
+
sub ssl_context {
my $self = shift;
@_ and $self->{_ssl_ctx} = shift;