diff --git a/config.sample/tls_ciphers b/config.sample/tls_ciphers new file mode 100644 index 0000000..4b02935 --- /dev/null +++ b/config.sample/tls_ciphers @@ -0,0 +1,4 @@ +# Override HIGH security using suitable string from available ciphers at +# L +# See plugins/tls for details. +MEDIUM diff --git a/plugins/tls b/plugins/tls index 8b0e082..c21c792 100644 --- a/plugins/tls +++ b/plugins/tls @@ -46,6 +46,15 @@ certificate with the appropriate characteristics. Otherwise, you should give absolute pathnames to the certificate, key, and the CA root cert used to sign that certificate. +=head1 CIPHERS and COMPATIBILITY + +By default, we use only the plugins that openssl considers to be +"high security". If you need to tweak the available ciphers for some +broken client (such as Versamail 3.x), have a look at the available +ciphers at L, +and put a suitable string in config/tls_ciphers (e.g. "DEFAULT" or +"HIGH:MEDIUM") + =cut use IO::Socket::SSL;# qw(debug1 debug2 debug3 debug4); @@ -62,14 +71,17 @@ sub init { $self->tls_cert($cert); $self->tls_key($key); $self->tls_ca($ca); + $self->tls_ciphers($self->qp->config('tls_ciphers') || 'HIGH'); + $self->log(LOGINFO, "ciphers: $self->tls_ciphers"); + local $^W; # this bit is very noisy... my $ssl_ctx = IO::Socket::SSL::SSL_Context->new( SSL_use_cert => 1, SSL_cert_file => $self->tls_cert, SSL_key_file => $self->tls_key, SSL_ca_file => $self->tls_ca, - SSL_cipher_list => 'HIGH', + SSL_cipher_list => $self->tls_ciphers, SSL_server => 1 ) or die "Could not create SSL context: $!"; # now extract the password... @@ -149,7 +161,7 @@ sub _convert_to_ssl { SSL_cert_file => $self->tls_cert, SSL_key_file => $self->tls_key, SSL_ca_file => $self->tls_ca, - SSL_cipher_list => 'HIGH', + SSL_cipher_list => $self->tls_ciphers, SSL_server => 1, SSL_reuse_ctx => $self->ssl_context, ) or die "Could not create SSL socket: $!"; @@ -191,6 +203,12 @@ sub tls_ca { $self->{_tls_ca}; } +sub tls_ciphers { + my $self = shift; + @_ and $self->{_tls_ciphers} = shift; + $self->{_tls_ciphers}; +} + sub ssl_context { my $self = shift; @_ and $self->{_ssl_ctx} = shift;