pkgsrc-Users archive


support to disable some newer openssl tls protocols in mutt



Hi,

see the original ticket http://dev.mutt.org/trac/ticket/3571
for more information. The ticket's patch is for mutt-devel; the
normal mutt package needs a different patch, which I also append
to this mail.

This is for anyone who also needs to disable TLS 1.1 or 1.2 for
some servers: those servers stop working because the OpenSSL in
NetBSD-6 now supports these protocols while the servers' own
support for them is broken.

Bernd

--- init.h.orig 2012-05-02 21:49:56.000000000 +0200
+++ init.h      2012-05-02 21:53:55.000000000 +0200
@@ -1471,6 +1471,18 @@
   ** .pp
   ** Example: set certificate_file=~/.mutt/certificates
   */
+  { "ssl_use_tlsv1_1", DT_BOOL, R_NONE, OPTTLSV1_1, 1 }, 
+  /*
+  ** .pp
+  ** This variable specifies whether to attempt to use TLSv1.1 in the
+  ** SSL authentication process.
+  */
+  { "ssl_use_tlsv1_2", DT_BOOL, R_NONE, OPTTLSV1_2, 1 },
+  /*
+  ** .pp
+  ** This variable specifies whether to attempt to use TLSv1.2 in the
+  ** SSL authentication process.
+  */
   { "ssl_usesystemcerts", DT_BOOL, R_NONE, OPTSSLSYSTEMCERTS, 1 },
   /*
   ** .pp
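Review bot: The documentation comments added for `ssl_use_tlsv1_1` and `ssl_use_tlsv1_2` do not say that the switch is honoured only by the OpenSSL backend (the matching `SSL_CTX_set_options` calls are in mutt_ssl.c) nor that the initial value `1` apparently leaves the protocol enabled, so a user cannot tell from the manual when clearing it is appropriate; add a sentence such as `** This only affects builds using OpenSSL. It is set by default and should be unset only for servers whose TLSv1.1 support is broken.` to each comment, and likewise in the init.h hunk of the second patch. In this hunk the new entries are not visibly inside `#ifdef USE_SSL_OPENSSL`, whereas the second patch's init.h hunk places them under that guard; if the surrounding region is not already OpenSSL-only, a GnuTLS build would expose an option that has no effect. The first new entry line also carries trailing whitespace after the closing comma.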
--- mutt.h.orig 2012-05-02 21:55:18.000000000 +0200
+++ mutt.h      2012-05-02 21:56:21.000000000 +0200
@@ -362,6 +362,8 @@
   OPTSSLV2,
   OPTSSLV3,
   OPTTLSV1,
+  OPTTLSV1_1,
+  OPTTLSV1_2,
   OPTSSLSYSTEMCERTS,
 #endif
   OPTIMPLICITAUTOVIEW,
--- mutt_ssl.c.orig     2007-05-23 03:17:53.000000000 +0200
+++ mutt_ssl.c  2012-05-02 21:58:26.000000000 +0200
@@ -270,6 +270,14 @@
   {
     SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1);
   }
+  if (!option(OPTTLSV1_1))
+  {
+    SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_1);
+  }
+  if (!option(OPTTLSV1_2))
+  {
+    SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_2);
+  }
   if (!option(OPTSSLV2)) 
   {
     SSL_CTX_set_options(data->ctx, SSL_OP_NO_SSLv2);
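Review bot: `SSL_OP_NO_TLSv1_1` and `SSL_OP_NO_TLSv1_2`, used in the two new `SSL_CTX_set_options` calls, are not defined by OpenSSL releases that predate TLS 1.1/1.2 support, so on such a library the new code fails to compile instead of quietly having nothing to disable; wrap each new block in `#ifdef SSL_OP_NO_TLSv1_1` … `#endif` and `#ifdef SSL_OP_NO_TLSv1_2` … `#endif`, mirroring how the existing version checks are conditional. The same applies to the mutt_ssl.c hunk of the second patch below. The enclosing function (named `ssl_socket_open` in the second patch's hunk header) begins and ends outside the hunk. Note for the option documentation that these switches are global rather than per-server, so unsetting `ssl_use_tlsv1_2` to accommodate one broken server downgrades every connection, and unsetting both together with the existing TLSv1/SSLv3/SSLv2 options leaves the context with no protocol to negotiate.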
# http://dev.mutt.org/trac/ticket/3571

--- init.h      2010-09-15 08:39:31.000000000 -0700
+++ init.h      2012-03-28 10:58:42.870572835 -0700
@@ -2972,6 +2972,18 @@ struct option_t MuttVars[] = {
   ** SSL authentication process.
   */
 #ifdef USE_SSL_OPENSSL
+  { "ssl_use_tlsv1_1", DT_BOOL, R_NONE, OPTTLSV1_1, 1 },
+  /*
+  ** .pp
+  ** This variable specifies whether to attempt to use TLSv1.1 in the
+  ** SSL authentication process.
+  */
+  { "ssl_use_tlsv1_2", DT_BOOL, R_NONE, OPTTLSV1_2, 1 },
+  /*
+  ** .pp
+  ** This variable specifies whether to attempt to use TLSv1.2 in the
+  ** SSL authentication process.
+  */
   { "ssl_usesystemcerts", DT_BOOL, R_NONE, OPTSSLSYSTEMCERTS, 1 },
   /*
   ** .pp
--- mutt.h      2010-09-13 10:19:55.000000000 -0700
+++ mutt.h      2012-03-28 10:59:24.437237530 -0700
@@ -376,6 +376,8 @@ enum
 # endif /* USE_SSL_GNUTLS */
   OPTSSLV3,
   OPTTLSV1,
+  OPTTLSV1_1,
+  OPTTLSV1_2,
   OPTSSLFORCETLS,
   OPTSSLVERIFYDATES,
   OPTSSLVERIFYHOST,
--- mutt_ssl.c  2010-08-25 09:31:40.000000000 -0700
+++ mutt_ssl.c  2012-03-28 11:02:56.037227487 -0700
@@ -303,6 +303,14 @@ static int ssl_socket_open (CONNECTION *
   {
     SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1);
   }
+  if (!option(OPTTLSV1_1))
+  {
+    SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_1);
+  }
+  if (!option(OPTTLSV1_2))
+  {
+    SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_2);
+  }
   if (!option(OPTSSLV2))
   {
     SSL_CTX_set_options(data->ctx, SSL_OP_NO_SSLv2);

