diff --git a/doc/imapfilter_config.5 b/doc/imapfilter_config.5 index d4e4c66..dc0488f 100644 --- a/doc/imapfilter_config.5 +++ b/doc/imapfilter_config.5 @@ -1,4 +1,4 @@ -.Dd April 25, 2012 +.Dd May 20, 2013 .Dt IMAPFILTER_CONFIG 5 .Os .Sh NAME @@ -241,9 +241,11 @@ Forces an imaps connection and specifies the SSL/TLS protocol to be used. It takes a .Vt string as a value, specifically one of: -.Dq ssl2 , .Dq ssl3 , -.Dq tls1 . +.Dq ssl23 , +.Dq tls1 , +.Dq tls11 , +.Dq tls12 . .El .Pp .Ss LISTING diff --git a/src/imapfilter.c b/src/imapfilter.c index 551d781..ff68e35 100644 --- a/src/imapfilter.c +++ b/src/imapfilter.c @@ -21,6 +21,7 @@ extern buffer ibuf, obuf, nbuf, cbuf; extern regexp responses[]; +extern SSL_CTX *ssl3ctx, *ssl23ctx, *tls1ctx, *tls11ctx, *tls12ctx; options opts; /* Program options. */ environment env; /* Environment variables. */ @@ -100,6 +101,11 @@ main(int argc, char *argv[]) SSL_library_init(); SSL_load_error_strings(); + ssl3ctx = SSL_CTX_new(SSLv3_client_method()); + ssl23ctx = SSL_CTX_new(SSLv23_client_method()); + tls1ctx = SSL_CTX_new(TLSv1_client_method()); + tls11ctx = SSL_CTX_new(TLSv1_1_client_method()); + tls12ctx = SSL_CTX_new(TLSv1_2_client_method()); start_lua(); #if LUA_VERSION_NUM < 502 @@ -118,6 +124,11 @@ main(int argc, char *argv[]) #endif stop_lua(); + SSL_CTX_free(ssl3ctx); + SSL_CTX_free(ssl23ctx); + SSL_CTX_free(tls1ctx); + SSL_CTX_free(tls11ctx); + SSL_CTX_free(tls12ctx); ERR_free_strings(); regexp_free(responses); diff --git a/src/request.c b/src/request.c index e8e7aaa..0052182 100644 --- a/src/request.c +++ b/src/request.c @@ -167,9 +167,7 @@ request_login(session **ssnptr, const char *server, const char *port, const ssn->username = user; ssn->password = pass; - if ((!strncasecmp(ssl, "tls1", 4) || - !strncasecmp(ssl, "ssl3", 4) || - !strncasecmp(ssl, "ssl2", 4))) + if (strlen(ssl) != 0) ssn->sslproto = ssl; } else { debug("recovering connection: %s://%s@%s:%s/%s\n", 
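Review bot: None of the five `SSL_CTX_new()` results added to `main()` is checked, so a failed allocation or an unavailable method leaves a NULL context that is only noticed later, when `open_secure_connection()` hands it to `SSL_new()`. A guard right after the block, `if (!ssl3ctx || !ssl23ctx || !tls1ctx || !tls11ctx || !tls12ctx)` followed by an error exit, would report the problem at startup instead of at connect time. The `OPENSSL_VERSION_NUMBER` guard this commit removes from src/socket.c suggests that older OpenSSL releases are still supported. `TLSv1_1_client_method()` and `TLSv1_2_client_method()` exist only from OpenSSL 1.0.1, so these two calls probably need a version `#if` of their own. `main()` starts and ends outside the hunk.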
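Review bot: The new test `strlen(ssl) != 0` stores any non-empty string in `ssn->sslproto`, and the final `else` added to `open_secure_connection()` in src/socket.c maps every unrecognised value to `ssl23ctx`. A misspelled pin (for example `tls1.2` instead of `tls12`) is therefore accepted silently, and the session negotiates whatever version the library allows rather than the one the user asked for. Keeping an allow-list here, `if (!strcasecmp(ssl, "ssl3") || !strcasecmp(ssl, "ssl23") || !strcasecmp(ssl, "tls1") || !strcasecmp(ssl, "tls11") || !strcasecmp(ssl, "tls12"))`, and reporting anything else as a configuration error would make the mistake visible. `request_login()` starts and ends outside the hunk.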
diff --git a/src/socket.c b/src/socket.c index 28df5db..2f169c4 100644 --- a/src/socket.c +++ b/src/socket.c @@ -17,6 +17,9 @@ #include "session.h" +SSL_CTX *ssl3ctx, *ssl23ctx, *tls1ctx, *tls11ctx, *tls12ctx; + + /* * Connect to mail server. */ @@ -85,22 +88,20 @@ open_secure_connection(session *ssn) { int r, e; SSL_CTX *ctx; -#if OPENSSL_VERSION_NUMBER >= 0x1000000fL - const SSL_METHOD *method; -#else - SSL_METHOD *method; -#endif - method = NULL; - - if (ssn->sslproto && (!strncasecmp(ssn->sslproto, "ssl3", 4) || - !strncasecmp(ssn->sslproto, "ssl2", 4))) - method = SSLv23_client_method(); - else - method = TLSv1_client_method(); - - if (!(ctx = SSL_CTX_new(method))) - goto fail; + if (!ssn->sslproto) { + ctx = ssl23ctx; + } else if (!strcasecmp(ssn->sslproto, "ssl3")) { + ctx = ssl3ctx; + } else if (!strcasecmp(ssn->sslproto, "tls1")) { + ctx = tls1ctx; + } else if (!strcasecmp(ssn->sslproto, "tls11")) { + ctx = tls11ctx; + } else if (!strcasecmp(ssn->sslproto, "tls12")) { + ctx = tls12ctx; + } else { + ctx = ssl23ctx; + } if (!(ssn->sslconn = SSL_new(ctx))) goto fail; @@ -148,13 +149,10 @@ open_secure_connection(session *ssn) if (get_option_boolean("certificates") && get_cert(ssn) == -1) goto fail; - SSL_CTX_free(ctx); - return 0; fail: ssn->sslconn = NULL; - SSL_CTX_free(ctx); return -1; }
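Review bot: An unset `ssn->sslproto` now selects `ssl23ctx`, where the removed code used `TLSv1_client_method()`, and no `SSL_CTX_set_options()` call on that context is visible in this diff. If none exists elsewhere, the minimum protocol version of a default connection is whatever the linked OpenSSL permits. Setting a floor where the context is created in `main()`, e.g. `SSL_CTX_set_options(ssl23ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`, keeps version negotiation for TLS 1.0 to 1.2, and users who need SSLv3 can still request `ssl3` explicitly. A comment above the chain, such as `/* Contexts are created once in main() and shared; never free them here. */`, would also explain why the `SSL_CTX_free()` calls are dropped further down. `open_secure_connection()` begins and ends outside the hunk.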