[PATCH] Add support for lower TLS version than default

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Sat Aug 26 19:47:34 EEST 2017


The openssl library in Debian unstable (targeting Buster) supports
TLS1.2 by default. The library itself supports also TLS1.1 and TLS1.0.
If the admin decides to also support TLS1.[01] users, he can then enable
the lower protocol version in case the users can't update their system.

Signed-off-by: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
---
 src/config/all-settings.c                    |    1 +
 src/lib-master/master-service-ssl-settings.c |    2 ++
 src/lib-master/master-service-ssl-settings.h |    1 +
 src/login-common/ssl-proxy-openssl.c         |   15 ++++++++++++++-
 4 files changed, 18 insertions(+), 1 deletion(-)

--- a/src/config/all-settings.c
+++ b/src/config/all-settings.c
@@ -308,6 +308,7 @@ struct master_service_ssl_settings {
 	const char *ssl_cert_username_field;
 	const char *ssl_crypto_device;
 	const char *ssl_options;
+	const char *ssl_lowest_version;
 
 	bool ssl_verify_client_cert;
 	bool ssl_require_crl;
--- a/src/lib-master/master-service-ssl-settings.c
+++ b/src/lib-master/master-service-ssl-settings.c
@@ -26,6 +26,7 @@ static const struct setting_define maste
 	DEF(SET_STR, ssl_protocols),
 	DEF(SET_STR, ssl_cert_username_field),
 	DEF(SET_STR, ssl_crypto_device),
+	DEF(SET_STR, ssl_lowest_version),
 	DEF(SET_BOOL, ssl_verify_client_cert),
 	DEF(SET_BOOL, ssl_require_crl),
 	DEF(SET_BOOL, verbose_ssl),
@@ -54,6 +55,7 @@ static const struct master_service_ssl_s
 	.ssl_protocols = "!SSLv3",
 #endif
 	.ssl_cert_username_field = "commonName",
+	.ssl_lowest_version = NULL,
 	.ssl_crypto_device = "",
 	.ssl_verify_client_cert = FALSE,
 	.ssl_require_crl = TRUE,
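Review bot: The `NULL` default carries meaning that only the OpenSSL code path conveys — unset means "leave the library's minimum protocol version alone" — so a one-line comment on the new initializer would help the next reader: `.ssl_lowest_version = NULL, /* NULL: keep the OpenSSL default minimum */`. As a point of style, the initializer is placed before `.ssl_crypto_device` while the `DEF(SET_STR, ssl_lowest_version)` entry in the previous hunk and the struct member both come after `ssl_crypto_device`; designated initializers make this harmless, but keeping the three lists in the same order avoids confusion. The defaults struct starts and ends outside the hunk.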
--- a/src/lib-master/master-service-ssl-settings.h
+++ b/src/lib-master/master-service-ssl-settings.h
@@ -16,6 +16,7 @@ struct master_service_ssl_settings {
 	const char *ssl_cert_username_field;
 	const char *ssl_crypto_device;
 	const char *ssl_options;
+	const char *ssl_lowest_version;
 
 	bool ssl_verify_client_cert;
 	bool ssl_require_crl;
--- a/src/login-common/ssl-proxy-openssl.c
+++ b/src/login-common/ssl-proxy-openssl.c
@@ -1302,7 +1302,20 @@ ssl_server_context_init(const struct log
 	if (ctx->prefer_server_ciphers)
 		SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 	SSL_CTX_set_options(ssl_ctx, openssl_get_protocol_options(ctx->protocols));
-
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+	if (ssl_set->ssl_lowest_version) {
+		if (!strcmp(ssl_set->ssl_lowest_version, "TLS1.0"))
+		    SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION);
+		else if (!strcmp(ssl_set->ssl_lowest_version, "TLS1.1"))
+		    SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_1_VERSION);
+		else if (!strcmp(ssl_set->ssl_lowest_version, "TLS1.2"))
+		    SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_2_VERSION);
+		else
+			i_fatal("TLS min version: '%s' is invalid. Only "
+				"'TLS1.0' and 'TLS1.1' is supported",
+				ssl_set->ssl_lowest_version);
+	}
+#endif
 	if (ctx->pri.cert != NULL && *ctx->pri.cert != '\0' &&
 	    ssl_proxy_ctx_use_certificate_chain(ctx->ctx, ctx->pri.cert) != 1) {
 		i_fatal("Can't load ssl_cert: %s",
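Review bot: The error message in the `i_fatal()` branch says only 'TLS1.0' and 'TLS1.1' are supported, but the chain above it also accepts "TLS1.2", and the return value of `SSL_CTX_set_min_proto_version()` is never checked, so a minimum the library refuses to apply (for instance a protocol disabled at build time) is silently not enforced. On OpenSSL older than 1.1.0 the whole block is compiled out, which means a configured `ssl_lowest_version` is silently ignored — a security setting that looks set in the config but has no effect; an `#else` branch should at least fail loudly. Style-wise, the three `SSL_CTX_set_min_proto_version()` lines are indented with spaces where the surrounding code uses tabs, and `strcmp(...) == 0` matches the file's style better than `!strcmp(...)`. The enclosing function `ssl_server_context_init()` starts and ends outside the hunk.

```c
	SSL_CTX_set_options(ssl_ctx, openssl_get_protocol_options(ctx->protocols));
#if OPENSSL_VERSION_NUMBER >= 0x10100000
	if (ssl_set->ssl_lowest_version != NULL) {
		int min_version;

		if (strcmp(ssl_set->ssl_lowest_version, "TLS1.0") == 0)
			min_version = TLS1_VERSION;
		else if (strcmp(ssl_set->ssl_lowest_version, "TLS1.1") == 0)
			min_version = TLS1_1_VERSION;
		else if (strcmp(ssl_set->ssl_lowest_version, "TLS1.2") == 0)
			min_version = TLS1_2_VERSION;
		else
			i_fatal("ssl_lowest_version: '%s' is invalid. Only "
				"'TLS1.0', 'TLS1.1' and 'TLS1.2' are supported",
				ssl_set->ssl_lowest_version);
		/* returns 1 on success; a refused minimum must not go unnoticed */
		if (SSL_CTX_set_min_proto_version(ssl_ctx, min_version) != 1)
			i_fatal("SSL_CTX_set_min_proto_version(%s) failed: %s",
				ssl_set->ssl_lowest_version,
				ERR_error_string(ERR_get_error(), NULL));
	}
#else
	if (ssl_set->ssl_lowest_version != NULL)
		i_fatal("ssl_lowest_version is set, but this OpenSSL version "
			"has no SSL_CTX_set_min_proto_version()");
#endif
	/* … unchanged: certificate loading … */
```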

