byterazor/qpsmtpd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #252 from dani/tls_proto

Browse Source 
Allow setting TLS protocol versions in a config file
This commit is contained in:
Matt Simerson 2016-04-19 17:55:26 -10:00
commit 4f27f360e9
1 changed files with 17 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
plugins/tls
View File

@ -62,6 +62,14 @@ ciphers at L<http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS>,
and put a suitable string in config/tls_ciphers (e.g. "DEFAULT" or and put a suitable string in config/tls_ciphers (e.g. "DEFAULT" or
"HIGH:MEDIUM") "HIGH:MEDIUM")
=head1 SSL/TLS protocols versions
By default, SSLv2 and SSLv3 are not accepted, leaving only TLSv1,
TLSv1.1 or TLSv1.2 enabled. You can customize this in config/tls_protocols
For example, this will also disabled TLSv1, leaving only TLSv1.1 and TLSv1.2
SSLv23:!SSLv2:!SSLv3:!TLSv1
=cut =cut
use strict; use strict;
@ -94,15 +102,14 @@ sub init {
$self->tls_ca($ca); $self->tls_ca($ca);
$self->tls_dhparam($dhparam); $self->tls_dhparam($dhparam);
$self->tls_ciphers($self->qp->config('tls_ciphers') || 'HIGH'); $self->tls_ciphers($self->qp->config('tls_ciphers') || 'HIGH');
$self->tls_protocols($self->qp->config('tls_protocols') || 'SSLv23:!SSLv2:!SSLv3');
$self->log(LOGDEBUG, "ciphers: " . $self->tls_ciphers); $self->log(LOGDEBUG, "ciphers: " . $self->tls_ciphers);
local $^W; # this bit is very noisy... local $^W; # this bit is very noisy...
my $ssl_ctx = my $ssl_ctx =
IO::Socket::SSL::SSL_Context->new( IO::Socket::SSL::SSL_Context->new(
# Disable SSLv2 and SSLv3 to avoid POODLE attacks. This is already SSL_version => $self->tls_protocols,
# the default in sufficiently recent versions of IO::Socket::SSL
SSL_version => 'SSLv23:!SSLv3:!SSLv2',
SSL_use_cert => 1, SSL_use_cert => 1,
SSL_cert_file => $self->tls_cert, SSL_cert_file => $self->tls_cert,
SSL_key_file => $self->tls_key, SSL_key_file => $self->tls_key,
@ -204,6 +211,7 @@ sub _convert_to_ssl {
my $tlssocket = my $tlssocket =
IO::Socket::SSL->new_from_fd( IO::Socket::SSL->new_from_fd(
fileno(STDIN), '+>', fileno(STDIN), '+>',
SSL_version => $self->tls_protocols,
SSL_use_cert => 1, SSL_use_cert => 1,
SSL_cert_file => $self->tls_cert, SSL_cert_file => $self->tls_cert,
SSL_key_file => $self->tls_key, SSL_key_file => $self->tls_key,
@ -264,6 +272,12 @@ sub tls_ciphers {
$self->{_tls_ciphers}; $self->{_tls_ciphers};
} }
sub tls_protocols {
my $self = shift;
@_ and $self->{_tls_protocols} = shift;
$self->{_tls_protocols};
}
sub ssl_context { sub ssl_context {
my $self = shift; my $self = shift;
@_ and $self->{_ssl_ctx} = shift; @_ and $self->{_ssl_ctx} = shift;