57 lines
2.3 KiB
Diff
57 lines
2.3 KiB
Diff
diff -Nur -x '*.orig' -x '*.rej' qpsmtpd-0.95/plugins/tls mezzanine_patched_qpsmtpd-0.95/plugins/tls
|
|
--- qpsmtpd-0.95/plugins/tls 2016-01-07 19:14:45.099736554 +0100
|
|
+++ mezzanine_patched_qpsmtpd-0.95/plugins/tls 2016-01-07 19:14:30.152736181 +0100
|
|
@@ -62,6 +62,14 @@
|
|
and put a suitable string in config/tls_ciphers (e.g. "DEFAULT" or
|
|
"HIGH:MEDIUM")
|
|
|
|
+=head1 SSL/TLS protocols versions
|
|
+
|
|
+By default, SSLv2 and SSLv3 are not accepted, leaving only TLSv1,
|
|
+TLSv1.1 or TLSv1.2 enabled. You can customize this in config/tls_protocols
|
|
+For example, this will also disabled TLSv1, leaving only TLSv1.1 and TLSv1.2
|
|
+
|
|
+SSLv23:!SSLv2:!SSLv3:!TLSv1
|
|
+
|
|
=cut
|
|
|
|
use strict;
|
|
@@ -94,6 +102,7 @@
|
|
$self->tls_ca($ca);
|
|
$self->tls_dhparam($dhparam);
|
|
$self->tls_ciphers($self->qp->config('tls_ciphers') || 'HIGH');
|
|
+ $self->tls_protocols($self->qp->config('tls_protocols') || 'SSLv23:!SSLv2:!SSLv3');
|
|
|
|
$self->log(LOGDEBUG, "ciphers: " . $self->tls_ciphers);
|
|
|
|
@@ -102,7 +111,7 @@
|
|
IO::Socket::SSL::SSL_Context->new(
|
|
# Disable SSLv2 and SSLv3 to avoid POODLE attacks. This is already
|
|
# the default in sufficiently recent versions of IO::Socket::SSL
|
|
- SSL_version => 'SSLv23:!SSLv3:!SSLv2',
|
|
+ SSL_version => $self->tls_protocols,
|
|
SSL_use_cert => 1,
|
|
SSL_cert_file => $self->tls_cert,
|
|
SSL_key_file => $self->tls_key,
|
|
@@ -226,6 +235,7 @@
|
|
my $tlssocket =
|
|
IO::Socket::SSL->new_from_fd(
|
|
fileno(STDIN), '+>',
|
|
+ SSL_version => $self->tls_protocols,
|
|
SSL_use_cert => 1,
|
|
SSL_cert_file => $self->tls_cert,
|
|
SSL_key_file => $self->tls_key,
|
|
@@ -286,6 +296,12 @@
|
|
$self->{_tls_ciphers};
|
|
}
|
|
|
|
+sub tls_protocols {
|
|
+ my $self = shift;
|
|
+ @_ and $self->{_tls_protocols} = shift;
|
|
+ $self->{_tls_protocols};
|
|
+}
|
|
+
|
|
sub ssl_context {
|
|
my $self = shift;
|
|
@_ and $self->{_ssl_ctx} = shift;
|