Package: isync Version: 1.2.1-2 Severity: important Tags: patch User: pkg-openssl-de...@lists.alioth.debian.org Usertags: TLS1.0_1.1_removal
The package uses at most TLS 1.0 by default. The attached patch should make TLS 1.0 and newer (1.1, 1.2) acceptable by default. Could someone please test this? Sebastian
From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Date: Fri, 11 Aug 2017 20:49:13 +0200
Subject: [PATCH] Use TLS1.1 and TLS1.2 by default

The program uses by default TLSv1.0 at most and enables SSLv3. openssl does not allow SSLv3 so that is not a problem and as of 2017 TLS1.1 and TLS1.2 should not be a problemm as well.

Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
---
 src/compat/isync.h | 2 ++
 src/compat/main.c | 4 ++--
 src/drv_imap.c | 4 ++--
 src/mbsync.1 | 3 +--
 4 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/compat/isync.h b/src/compat/isync.h
index 04739005a9b2..baf7e7782df4 100644
--- a/src/compat/isync.h
+++ b/src/compat/isync.h
@@ -52,6 +52,8 @@ typedef struct config {
 unsigned int use_sslv2:1;
 unsigned int use_sslv3:1;
 unsigned int use_tlsv1:1;
+ unsigned int use_tlsv1_1:1;
+ unsigned int use_tlsv1_2:1;
 char *cert_file;
 const char *store_name;
diff --git a/src/compat/main.c b/src/compat/main.c
index 2ad6f07df6e6..b6bd83b8eb5a 100644
--- a/src/compat/main.c
+++ b/src/compat/main.c
@@ -178,6 +178,8 @@ main( int argc, char **argv )
 global.use_namespace = 1;
 global.require_ssl = 1;
 global.use_tlsv1 = 1;
+ global.use_tlsv1_1 = 1;
+ global.use_tlsv1_2 = 1;
 folder = "";
 maildir = "~";
 xmaildir = Home;
@@ -254,8 +256,6 @@ main( int argc, char **argv )
 if (!strncasecmp( "imaps:", optarg, 6 )) {
 global.use_imaps = 1;
 global.port = 993;
- global.use_sslv2 = 0;
- global.use_sslv3 = 1;
 optarg += 6;
 }
 #endif
diff --git a/src/drv_imap.c b/src/drv_imap.c
index 5ec3783c1785..094cc95a604e 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -2711,7 +2711,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 arg += 6;
 server->ssl_type = SSL_IMAPS;
 if (server->sconf.ssl_versions == -1)
- server->sconf.ssl_versions = SSLv2 | SSLv3 | TLSv1;
+ server->sconf.ssl_versions = TLSv1 | TLSv1_1 | TLSv1_2;
 } else
 #endif
 if (starts_with( arg, -1, "imap:", 5 ))
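Review bot: The new `global.use_tlsv1_1 = 1;` and `global.use_tlsv1_2 = 1;` defaults in main() are set but nothing in this patch reads them — the diffstat touches only isync.h, main.c, drv_imap.c and mbsync.1 — so unless the code that translates the compat `config` struct into mbsync settings already consumes `use_tlsv1_1`/`use_tlsv1_2` (not visible here), old-style configurations will still be converted without TLS 1.1/1.2 and the compat path will disagree with the drv_imap.c default. Whatever emits the SSL/TLS-versions setting from this struct should be updated in the same change, and a one-line comment on the new fields in isync.h saying which code consumes them would make that dependency visible. main()'s body continues outside the hunk.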
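Review bot: The new default `TLSv1 | TLSv1_1 | TLSv1_2` for the `imaps:` branch still enables TLS 1.0, which contradicts the patch subject "Use TLS1.1 and TLS1.2 by default" and the TLS1.0_1.1_removal usertag; if keeping TLS 1.0 for old servers is intended (the bug text says "TLS1.0+ by default"), the subject and message should state that explicitly, otherwise drop `TLSv1` from the mask. The same literal is repeated in the STARTTLS default later in imap_parse_store, so a single `#define SSL_VERSIONS_DEFAULT (TLSv1 | TLSv1_1 | TLSv1_2)` next to the version flag definitions would keep the two defaults from drifting apart and give the policy one place to tighten later. imap_parse_store starts and ends outside the hunk.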
@@ -2874,7 +2874,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 }
 } else {
 if (server->sconf.ssl_versions < 0)
- server->sconf.ssl_versions = TLSv1; /* Most compatible and still reasonably secure. */
+ server->sconf.ssl_versions = TLSv1 | TLSv1_1 | TLSv1_2;
 if (server->ssl_type < 0)
 server->ssl_type = server->sconf.tunnel ? SSL_None : SSL_STARTTLS;
 }
diff --git a/src/mbsync.1 b/src/mbsync.1
index fc572b276261..8803bd2c235f 100644
--- a/src/mbsync.1
+++ b/src/mbsync.1
@@ -336,8 +336,7 @@ right after connecting the secure IMAP port 993.
 Select the acceptable SSL/TLS versions.
 Use of SSLv2 is strongly discouraged for security reasons, but might be the only option on some very old servers.
-Generally, the newest TLS version is recommended, but as this confuses some
-servers, \fBTLSv1\fR is the default.
+Generally, the newest TLS version is recommended.
 ..
 .TP
 \fBSystemCertificates\fR \fByes\fR|\fBno\fR
-- 
2.13.3
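Review bot: The replaced STARTTLS default line drops the `/* Most compatible and still reasonably secure. */` rationale without adding one for the new mask, so a later reader will not know why TLS 1.0 is deliberately kept alongside 1.1/1.2; I'd add `/* TLS 1.0 is kept for old servers; use the SSL/TLS versions option to restrict this. */` on the new line. Whether a server that supports 1.2 actually gets 1.2 rather than 1.0 when all three bits are set depends on how `ssl_versions` is mapped onto the SSL context, which is outside this hunk and worth confirming, since a mask that merely permits newer versions is only an improvement if the highest common version is negotiated. The man page change below also removes the sentence stating the default without replacing it, so the new default is now documented nowhere. imap_parse_store starts before this hunk.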