|
|
- Description: Add TLSv1.1 and TLSv1.2 support
- Origin: vendor
- Bug-Debian: https://bugs.debian.org/802658
- Forwarded: yes
- Author: Salvatore Bonaccorso <carnil@debian.org>
- Last-Update: 2015-11-07
-
- --- a/smtp-tls.c
- +++ b/smtp-tls.c
- @@ -202,11 +202,24 @@ starttls_create_ctx (smtp_session_t sess
- ckf_t status;
-
- /* The decision not to support SSL v2 and v3 but instead to use only
- - TLSv1 is deliberate. This is in line with the intentions of RFC
- + TLSv1.X is deliberate. This is in line with the intentions of RFC
- 3207. Servers typically support SSL as well as TLS because some
- versions of Netscape do not support TLS. I am assuming that all
- currently deployed servers correctly support TLS. */
- - ctx = SSL_CTX_new (TLSv1_client_method ());
- +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
- + !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
- + ctx = SSL_CTX_new (TLS_client_method ());
- +#else
- + ctx = SSL_CTX_new (SSLv23_client_method ());
- +#endif
- +
- +#ifdef OPENSSL_NO_SSL3
- + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
- +#endif
- +
- +#ifdef OPENSSL_NO_SSL2
- + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
- +#endif
-
- /* Load our keys and certificates. To avoid messing with configuration
- variables etc, use fixed paths for the certificate store. These are
|