Description: Add TLSv1.1 and TLSv1.2 support
Origin: vendor
Bug-Debian: https://bugs.debian.org/802658
Forwarded: yes
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2015-11-07

--- a/smtp-tls.c
+++ b/smtp-tls.c
@@ -197,11 +197,24 @@ starttls_create_ctx (smtp_session_t sess
   ckf_t status;
 
   /* The decision not to support SSL v2 and v3 but instead to use only
-     TLSv1 is deliberate.  This is in line with the intentions of RFC
+     TLSv1.X is deliberate.  This is in line with the intentions of RFC
      3207.  Servers typically support SSL as well as TLS because some
      versions of Netscape do not support TLS.  I am assuming that all
      currently deployed servers correctly support TLS.  */
-  ctx = SSL_CTX_new (TLSv1_client_method ());
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
+    !defined(LIBRESSL_VERSION_NUMBER)  && !defined(OPENSSL_IS_BORINGSSL)
+    ctx = SSL_CTX_new (TLS_client_method ());
+#else
+    ctx = SSL_CTX_new (SSLv23_client_method ());
+#endif
+
+#ifdef OPENSSL_NO_SSL3
+    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
+#endif
+
+#ifdef OPENSSL_NO_SSL2
+    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+#endif
 
   /* Load our keys and certificates.  To avoid messing with configuration
      variables etc, use fixed paths for the certificate store.  These are