File cyrus-imapd-enhance-ssl-tls-config.patch of Package cyrus-imapd

Overview Repositories Revisions Requests Users Attributes Meta

File cyrus-imapd-enhance-ssl-tls-config.patch of Package cyrus-imapd

From 4b26d2d7244eeaa481871c337e57cd393fd76dfe Mon Sep 17 00:00:00 2001
From: "Jeroen van Meeuwen (Kolab Systems)" <vanmeeuwen@kolabsys.com>
Date: Thu, 16 Oct 2014 11:12:20 +0200
Subject: Enhance SSL/TLS configuration options

New settings:

tls_compression: 0

Enable TLS compression. Disabled by default.

tls_eccurve: prime256v1

Select the elliptic curve used for ECDHE.

tls_prefer_server_ciphers: 0

Prefer the cipher order configured on the server-side.

tls_versions: ssl2 ssl3 tls1_0 tls1_1 tls1_2

Disable SSL/TLS protocols not in this list.

Bugzilla #3822, #3830, #3843, #3861.
---
 imap/tls.c      | 75 ++++++++++++++++++++++++++++++++++++++++++++-------------
 imtest/imtest.c |  2 +-
 lib/imapoptions | 16 ++++++++++++
 3 files changed, 75 insertions(+), 18 deletions(-)

Index: cyrus-imapd-2.3.18/imap/tls.c
===================================================================
--- cyrus-imapd-2.3.18.orig/imap/tls.c
+++ cyrus-imapd-2.3.18/imap/tls.c
@@ -633,6 +633,7 @@ int     tls_init_serverengine(const char
     const char   *s_key_file;
     const char   *ec;
     int    requirecert;
+    int    server_cipher_order;
     int    timeout;
 
     if (tls_serverengine)
@@ -648,13 +649,6 @@ int     tls_init_serverengine(const char
 	return -1;
     }
 
-#if 0
-    if (tlsonly) {
-	s_ctx = SSL_CTX_new(TLSv1_server_method());
-    } else {
-	s_ctx = SSL_CTX_new(SSLv23_server_method());
-    }
-#endif
     /* even if we want TLS only, we use SSLv23 server method so we can
        deal with a client sending an SSLv2 greeting message */
 
@@ -663,12 +657,40 @@ int     tls_init_serverengine(const char
 	return (-1);
     };
 
-    off |= SSL_OP_ALL;		/* Work around all known bugs */
-    if (tlsonly) {
-	off |= SSL_OP_NO_SSLv2;
-	off |= SSL_OP_NO_SSLv3;
+
+    const char *tls_versions = config_getstring(IMAPOPT_TLS_VERSIONS);
+
+    if (strstr(tls_versions, "ssl2") == NULL || tlsonly) {
+    	off |= SSL_OP_NO_SSLv2;
+    }
+
+    if (strstr(tls_versions, "ssl3") == NULL || tlsonly) {
+     	off |= SSL_OP_NO_SSLv3;
     }
 
+    if (strstr(tls_versions, "tls1_2") == NULL) {
+#if (OPENSSL_VERSION_NUMBER >= 0x1000105fL)
+    	off |= SSL_OP_NO_TLSv1_2;
+#else
+        syslog(LOG_ERR, "ERROR: TLSv1.2 configured, OpenSSL < 1.0.1e insufficient");
+#endif
+    }
+
+    if (strstr(tls_versions, "tls1_1") == NULL) {
+#if (OPENSSL_VERSION_NUMBER >= 0x1000000fL)
+        off |= SSL_OP_NO_TLSv1_1;
+#else
+        syslog(LOG_ERR, "ERROR: TLSv1.1 configured, OpenSSL < 1.0.0 insufficient");
+#endif
+    }
+    if (strstr(tls_versions, "tls1_0") == NULL) {
+        off |= SSL_OP_NO_TLSv1;
+    }
+
+    server_cipher_order = config_getswitch(IMAPOPT_TLS_PREFER_SERVER_CIPHERS);
+    if (server_cipher_order)
+        off |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+
     SSL_CTX_set_options(s_ctx, off);
 
 #ifdef SSL_OP_NO_COMPRESSION
@@ -731,10 +753,15 @@ int     tls_init_serverengine(const char
     CAfile = config_getstring(IMAPOPT_TLS_CA_FILE);
     CApath = config_getstring(IMAPOPT_TLS_CA_PATH);
 
-    if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) ||
-	(!SSL_CTX_set_default_verify_paths(s_ctx))) {
-	/* just a warning since this is only necessary for client auth */
-	syslog(LOG_NOTICE,"TLS server engine: cannot load CA data");	
+    if (CAfile || CApath) {
+	if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) ||
+	    (!SSL_CTX_set_default_verify_paths(s_ctx))) {
+	    /* just a warning since this is only necessary for client auth */
+	    syslog(LOG_NOTICE,"TLS server engine: cannot load CA data. Disabling client certs.");
+	    askcert = 0;
+	}
+    } else {
+	askcert = 0;
     }
 
     s_cert_file = config_getstring(IMAPOPT_TLS_CERT_FILE);
@@ -781,7 +808,7 @@ int     tls_init_serverengine(const char
       if (CAfile == NULL) {
 	  syslog(LOG_ERR, 
 		 "TLS server engine: No CA file specified. "
-		 "Client side certs may not work");
+		 "Client side certs will not work.");
       } else {
 	  SSL_CTX_set_client_CA_list(s_ctx, SSL_load_client_CA_file(CAfile));
       }
@@ -1222,7 +1249,7 @@ int tls_init_clientengine(int verifydept
 	return -1;
     }
     
-    c_ctx = SSL_CTX_new(TLSv1_client_method());
+    c_ctx = SSL_CTX_new(SSLv23_client_method());
     if (c_ctx == NULL) {
 	return (-1);
     };
@@ -1237,7 +1264,7 @@ int tls_init_clientengine(int verifydept
     if ((!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) ||
 	(!SSL_CTX_set_default_verify_paths(c_ctx))) {
 	/* just a warning since this is only necessary for client auth */
-	syslog(LOG_NOTICE,"TLS client engine: cannot load CA data");	
+	syslog(LOG_NOTICE,"TLS client engine: cannot load CA data");
     }
 
     if (strlen(var_tls_cert_file) == 0)
Index: cyrus-imapd-2.3.18/imtest/imtest.c
===================================================================
--- cyrus-imapd-2.3.18.orig/imtest/imtest.c
+++ cyrus-imapd-2.3.18/imtest/imtest.c
@@ -510,7 +510,7 @@ static int tls_init_clientengine(int ver
 	return IMTEST_FAIL;
     }
     
-    tls_ctx = SSL_CTX_new(TLSv1_client_method());
+    tls_ctx = SSL_CTX_new(SSLv23_client_method());
     if (tls_ctx == NULL) {
 	return IMTEST_FAIL;
     };
Index: cyrus-imapd-2.3.18/lib/imapoptions
===================================================================
--- cyrus-imapd-2.3.18.orig/lib/imapoptions
+++ cyrus-imapd-2.3.18/lib/imapoptions
@@ -1222,10 +1222,20 @@ product version in the capabilities */
 /* The list of SSL/TLS ciphers to allow.  The format of the string is
    described in ciphers(1). */
 
+{ "tls_compression", 0, SWITCH }
+/* deactivate TLS compression by default */
+
+{ "tls_eccurve", "prime256v1", STRING }
+/* The elliptic curve used for ECDHE. Default is NIST Suite B prime256.
+   See 'openssl ecparam -list_curves' for possible values. */
+
 { "tls_key_file", NULL, STRING }
 /* File containing the private key belonging to the server
    certificate.  A value of "disabled" will disable SSL/TLS. */
 
+{ "tls_prefer_server_ciphers", 0, SWITCH }
+/* Prefer the ciphers on the server side instead of client side */
+
 { "tls_require_cert", 0, SWITCH }
 /* Require a client certificate for ALL services (imap, pop3, lmtp, sieve). */
 
@@ -1238,6 +1248,12 @@ product version in the capabilities */
 /* The default elliptical curve parameter.
    For list of curves see: openssl ecparam -list_curves */
 
+{ "tls_versions", "ssl2 ssl3 tls1_0 tls1_1 tls1_2", STRING }
+/* A list of SSL/TLS versions to not disable. Cyrus IMAP SSL/TLS starts
+   with all protocols, and substracts protocols not in this list. Newer
+   versions of SSL/TLS will need to be added here to allow them to get
+   disabled. */
+
 { "umask", "077", STRING }
 /* The umask value used by various Cyrus IMAP programs. */

Places

File cyrus-imapd-enhance-ssl-tls-config.patch of Package cyrus-imapd

Places