dovecot-2.2: Added ssl_prefer_server_ciphers setting.
dovecot at dovecot.org
dovecot at dovecot.org
Sun Sep 22 02:20:16 EEST 2013
details: http://hg.dovecot.org/dovecot-2.2/rev/897484f45a87
changeset: 16804:897484f45a87
user: Timo Sirainen <tss at iki.fi>
date: Sun Sep 22 02:20:09 2013 +0300
description:
Added ssl_prefer_server_ciphers setting.
diffstat:
doc/example-config/conf.d/10-ssl.conf | 3 +++
src/lib-master/master-service-ssl-settings.c | 4 +++-
src/lib-master/master-service-ssl-settings.h | 1 +
src/lib-master/master-service-ssl.c | 1 +
src/lib-ssl-iostream/iostream-openssl-context.c | 4 ++++
src/lib-ssl-iostream/iostream-openssl.c | 2 ++
src/lib-ssl-iostream/iostream-ssl.h | 1 +
src/login-common/ssl-proxy-openssl.c | 5 +++++
8 files changed, 20 insertions(+), 1 deletions(-)
diffs (128 lines):
diff -r 2a209302d064 -r 897484f45a87 doc/example-config/conf.d/10-ssl.conf
--- a/doc/example-config/conf.d/10-ssl.conf Sun Sep 22 02:07:16 2013 +0300
+++ b/doc/example-config/conf.d/10-ssl.conf Sun Sep 22 02:20:09 2013 +0300
@@ -53,5 +53,8 @@
# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
+# Prefer the server's order of ciphers over client's.
+#ssl_prefer_server_ciphers = no
+
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =
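Review bot: The comment added for `ssl_prefer_server_ciphers` omits the one thing an admin needs to know before switching it on: server preference only helps when `ssl_cipher_list` on the line above is written in the order the server should prefer, since OpenSSL then walks that list instead of the client's. I would extend it to `# Prefer the server's order of ciphers over client's. Only useful when ssl_cipher_list is ordered from most to least preferred.` The shipped example list `ALL:!LOW:!SSLv2:!EXP:!aNULL` is a filter rather than an ordering, so enabling this setting with the default list gives little benefit.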
diff -r 2a209302d064 -r 897484f45a87 src/lib-master/master-service-ssl-settings.c
--- a/src/lib-master/master-service-ssl-settings.c Sun Sep 22 02:07:16 2013 +0300
+++ b/src/lib-master/master-service-ssl-settings.c Sun Sep 22 02:20:09 2013 +0300
@@ -27,6 +27,7 @@
DEF(SET_BOOL, ssl_verify_client_cert),
DEF(SET_BOOL, ssl_require_crl),
DEF(SET_BOOL, verbose_ssl),
+ DEF(SET_BOOL, ssl_prefer_server_ciphers),
SETTING_DEFINE_LIST_END
};
@@ -47,7 +48,8 @@
.ssl_crypto_device = "",
.ssl_verify_client_cert = FALSE,
.ssl_require_crl = TRUE,
- .verbose_ssl = FALSE
+ .verbose_ssl = FALSE,
+ .ssl_prefer_server_ciphers = FALSE
};
const struct setting_parser_info master_service_ssl_setting_parser_info = {
diff -r 2a209302d064 -r 897484f45a87 src/lib-master/master-service-ssl-settings.h
--- a/src/lib-master/master-service-ssl-settings.h Sun Sep 22 02:07:16 2013 +0300
+++ b/src/lib-master/master-service-ssl-settings.h Sun Sep 22 02:20:09 2013 +0300
@@ -16,6 +16,7 @@
bool ssl_verify_client_cert;
bool ssl_require_crl;
bool verbose_ssl;
+ bool ssl_prefer_server_ciphers;
};
extern const struct setting_parser_info master_service_ssl_setting_parser_info;
diff -r 2a209302d064 -r 897484f45a87 src/lib-master/master-service-ssl.c
--- a/src/lib-master/master-service-ssl.c Sun Sep 22 02:07:16 2013 +0300
+++ b/src/lib-master/master-service-ssl.c Sun Sep 22 02:20:09 2013 +0300
@@ -119,6 +119,7 @@
ssl_set.verbose = set->verbose_ssl;
ssl_set.verify_remote_cert = set->ssl_verify_client_cert;
+ ssl_set.prefer_server_ciphers = set->ssl_prefer_server_ciphers;
if (ssl_iostream_context_init_server(&ssl_set, &service->ssl_ctx,
&error) < 0) {
diff -r 2a209302d064 -r 897484f45a87 src/lib-ssl-iostream/iostream-openssl-context.c
--- a/src/lib-ssl-iostream/iostream-openssl-context.c Sun Sep 22 02:07:16 2013 +0300
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c Sun Sep 22 02:20:09 2013 +0300
@@ -369,6 +369,10 @@
set->cipher_list, openssl_iostream_error());
return -1;
}
+ if (set->prefer_server_ciphers) {
+ SSL_CTX_set_options(ctx->ssl_ctx,
+ SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
if (ctx->set->protocols != NULL) {
SSL_CTX_set_options(ctx->ssl_ctx,
openssl_get_protocol_options(ctx->set->protocols));
diff -r 2a209302d064 -r 897484f45a87 src/lib-ssl-iostream/iostream-openssl.c
--- a/src/lib-ssl-iostream/iostream-openssl.c Sun Sep 22 02:07:16 2013 +0300
+++ b/src/lib-ssl-iostream/iostream-openssl.c Sun Sep 22 02:20:09 2013 +0300
@@ -154,6 +154,8 @@
return -1;
}
}
+ if (set->prefer_server_ciphers)
+ SSL_set_options(ssl_io->ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);
if (set->protocols != NULL) {
SSL_clear_options(ssl_io->ssl, OPENSSL_ALL_PROTOCOL_OPTIONS);
SSL_set_options(ssl_io->ssl,
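Review bot: The new `if (set->prefer_server_ciphers)` branch can only turn SSL_OP_CIPHER_SERVER_PREFERENCE on, never off, because SSL_set_options() is additive and the option may already be inherited from the SSL_CTX, where this same commit sets it in iostream-openssl-context.c. The protocols block directly below clears the old protocol options before applying new ones; if per-stream settings are meant to override the context here as they do for protocols, the same shape is needed: `if (set->prefer_server_ciphers) SSL_set_options(ssl_io->ssl, SSL_OP_CIPHER_SERVER_PREFERENCE); else SSL_clear_options(ssl_io->ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);`. If stream settings are always a copy of the context's the asymmetry is harmless, but then a one-line comment saying so would stop the next reader from wondering. The enclosing function starts and ends outside this hunk.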
diff -r 2a209302d064 -r 897484f45a87 src/lib-ssl-iostream/iostream-ssl.h
--- a/src/lib-ssl-iostream/iostream-ssl.h Sun Sep 22 02:07:16 2013 +0300
+++ b/src/lib-ssl-iostream/iostream-ssl.h Sun Sep 22 02:20:09 2013 +0300
@@ -17,6 +17,7 @@
bool verbose, verbose_invalid_cert; /* stream-only */
bool verify_remote_cert; /* neither/both */
bool require_valid_cert; /* stream-only */
+ bool prefer_server_ciphers;
};
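Review bot: The new `prefer_server_ciphers` member is the only field in this struct without the `/* stream-only */` or `/* neither/both */` annotation its neighbours carry, which is what tells callers whether a setting is honoured at context-init time, per stream, or both. In this commit the flag is applied both in iostream-openssl-context.c and in iostream-openssl.c, so following the existing vocabulary I would expect `bool prefer_server_ciphers; /* neither/both */`. Please confirm that annotation carries the same meaning the file gives it for verify_remote_cert before copying it.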
/* Returns 0 if ok, -1 and sets error_r if failed. The returned error string
diff -r 2a209302d064 -r 897484f45a87 src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c Sun Sep 22 02:07:16 2013 +0300
+++ b/src/login-common/ssl-proxy-openssl.c Sun Sep 22 02:20:09 2013 +0300
@@ -99,6 +99,7 @@
const char *cipher_list;
const char *protocols;
bool verify_client_cert;
+ bool prefer_server_ciphers;
};
static int extdata_index;
@@ -634,6 +635,7 @@
lookup_ctx.verify_client_cert = set->ssl_verify_client_cert ||
login_set->auth_ssl_require_client_cert ||
login_set->auth_ssl_username_from_cert;
+ lookup_ctx.prefer_server_ciphers = set->ssl_prefer_server_ciphers;
ctx = hash_table_lookup(ssl_servers, &lookup_ctx);
if (ctx == NULL)
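Review bot: `lookup_ctx.prefer_server_ciphers` is filled in before `hash_table_lookup(ssl_servers, &lookup_ctx)`, but the diffstat lists only these five added lines for this file, so the hash and compare callbacks behind ssl_servers are not updated. If those callbacks compare the other members of the lookup struct (cipher_list, protocols, verify_client_cert) as lookup-by-struct suggests, two server contexts that differ only in ssl_prefer_server_ciphers will resolve to whichever SSL_CTX was created first, silently ignoring the setting for the other. The compare callback should gain `a->prefer_server_ciphers == b->prefer_server_ciphers` alongside the existing field comparisons, and the hash callback should fold the flag in if it hashes the other booleans. The enclosing function starts and ends outside this hunk.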
@@ -1271,6 +1273,7 @@
ctx->verify_client_cert = ssl_set->ssl_verify_client_cert ||
login_set->auth_ssl_require_client_cert ||
login_set->auth_ssl_username_from_cert;
+ ctx->prefer_server_ciphers = ssl_set->ssl_prefer_server_ciphers;
ctx->ctx = ssl_ctx = SSL_CTX_new(SSLv23_server_method());
if (ssl_ctx == NULL)
@@ -1281,6 +1284,8 @@
i_fatal("Can't set cipher list to '%s': %s",
ctx->cipher_list, ssl_last_error());
}
+ if (ctx->prefer_server_ciphers)
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
SSL_CTX_set_options(ssl_ctx, openssl_get_protocol_options(ctx->protocols));
if (ssl_proxy_ctx_use_certificate_chain(ctx->ctx, ctx->cert) != 1) {