
TLSv1.1/TLSv1.2 support for imap-uw
Needs Review (Public)

Authored by dan_freebsd.org_obluda.cz on Nov 8 2015, 1:49 PM.

Details

Reviewers
None
Group Reviewers
Contributor Reviewers (ports)
Summary

IMAP-UW is no longer developed, but it's still in wide use.

Its STARTTLS implementation lacks support for TLSv1.1/TLSv1.2; TLSv1 is the only supported protocol. Note that native SSL mode (i.e. immediate SSL with no STARTTLS command) uses all protocols supported by the underlying OpenSSL library, including SSLv3 (and even SSLv2 if available). In neither STARTTLS nor native mode is the list of supported ciphers configurable.

Nowadays, SSLv3 in native mode has become unacceptable, and the lack of TLSv1.2 support in STARTTLS causes issues as well.

This patch introduces two c-client.conf options:
set ssl-protocols
set ssl-cipher-list

Both options apply to both native and STARTTLS mode of operation.

The first is the list of allowed protocols. It uses the same syntax as Apache's SSLProtocol option. Example (enable all but SSLv2/SSLv3):
set ssl-protocols All -SSLv2 -SSLv3

The second is the list of supported ciphers. It uses the 'openssl ciphers' format. Example:
set ssl-cipher-list HIGH:!ADH:!EXPORT56:!aNULL
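As an added illustration of the ssl-protocols syntax described above (this is example code, not part of the imap-uw patch): a parser that applies Apache's SSLProtocol rules, where "+X" adds a protocol, "-X" removes one, and a bare name replaces the whole set. The function names, the PROTO_* bits and the error convention are this example's own assumptions; a caller would OR the matching OpenSSL SSL_OP_NO_* flag for each disabled bit into SSL_CTX_set_options() and pass the cipher string to SSL_CTX_set_cipher_list().

```c
#include <stddef.h>
#include <ctype.h>

/* Bits for the protocols c-client can be asked about (example's own values). */
enum { PROTO_SSLv2 = 1, PROTO_SSLv3 = 2, PROTO_TLSv1 = 4,
       PROTO_TLSv1_1 = 8, PROTO_TLSv1_2 = 16 };
#define PROTO_ALL (PROTO_SSLv2 | PROTO_SSLv3 | PROTO_TLSv1 | PROTO_TLSv1_1 | PROTO_TLSv1_2)

/* Case-insensitive compare of the n-byte token a against NUL-terminated name b. */
static int name_eq(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return b[n] == '\0';
}

/* Map one token to its protocol bit; 0 means the name is unknown. */
static unsigned proto_bit(const char *tok, size_t n) {
    static const struct { const char *name; unsigned bit; } tab[] = {
        {"All", PROTO_ALL}, {"SSLv2", PROTO_SSLv2}, {"SSLv3", PROTO_SSLv3},
        {"TLSv1", PROTO_TLSv1}, {"TLSv1.1", PROTO_TLSv1_1}, {"TLSv1.2", PROTO_TLSv1_2},
    };
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++)
        if (name_eq(tok, tab[i].name, n)) return tab[i].bit;
    return 0;
}

/* Parse "All -SSLv2 -SSLv3" style specs. Returns 0 and stores the set of
 * ENABLED protocols, or -1 if any token is not a known protocol name
 * (rejecting the whole line is safer than silently ignoring a typo). */
int parse_ssl_protocols(const char *spec, unsigned *enabled) {
    unsigned set = 0;
    const char *p = spec;
    while (*p) {
        while (*p == ' ' || *p == '\t') p++;         /* skip separators */
        if (!*p) break;
        char op = 0;
        if (*p == '+' || *p == '-') op = *p++;       /* optional add/remove prefix */
        const char *start = p;
        while (*p && *p != ' ' && *p != '\t') p++;
        unsigned bit = proto_bit(start, (size_t)(p - start));
        if (!bit) return -1;
        if (op == '-') set &= ~bit;
        else if (op == '+') set |= bit;
        else set = bit;                              /* bare name replaces the set */
    }
    *enabled = set;
    return 0;
}

/* Protocols that must be switched off for a parsed set (one SSL_OP_NO_* each). */
unsigned disabled_protocols(unsigned enabled) { return PROTO_ALL & ~enabled; }
```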

Diff Detail

Repository
rP FreeBSD ports repository
Lint
Lint Skipped
Unit
Unit Tests Skipped

Event Timeline

dan_freebsd.org_obluda.cz retitled this revision from to TLSv1.1/TLSv1.2 support for imap-uw.
dan_freebsd.org_obluda.cz updated this object.
dan_freebsd.org_obluda.cz edited the test plan for this revision.
dan_freebsd.org_obluda.cz set the repository for this revision to rP FreeBSD ports repository.
dan_freebsd.org_obluda.cz edited edge metadata.

The previous diff was wrong from scratch (wrong file imported).

Note: mail/panda-cclient is a bit more recent.