|
Description: Add TLSv1.1 and TLSv1.2 support
|
|
Origin: vendor
|
|
Bug-Debian: https://bugs.debian.org/802658
|
|
Forwarded: yes
|
|
Author: Salvatore Bonaccorso <carnil@debian.org>
|
|
Last-Update: 2015-11-07
|
|
|
|
--- a/smtp-tls.c
|
|
+++ b/smtp-tls.c
|
|
@@ -202,11 +202,24 @@ starttls_create_ctx (smtp_session_t sess
|
|
ckf_t status;
|
|
|
|
/* The decision not to support SSL v2 and v3 but instead to use only
|
|
- TLSv1 is deliberate. This is in line with the intentions of RFC
|
|
+ TLSv1.X is deliberate. This is in line with the intentions of RFC
|
|
3207. Servers typically support SSL as well as TLS because some
|
|
versions of Netscape do not support TLS. I am assuming that all
|
|
currently deployed servers correctly support TLS. */
|
|
- ctx = SSL_CTX_new (TLSv1_client_method ());
|
|
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
|
|
+ !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
|
|
+ ctx = SSL_CTX_new (TLS_client_method ());
|
|
+#else
|
|
+ ctx = SSL_CTX_new (SSLv23_client_method ());
|
|
+#endif
|
|
+
|
|
+#ifdef OPENSSL_NO_SSL3
|
|
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
|
|
+#endif
|
|
+
|
|
+#ifdef OPENSSL_NO_SSL2
|
|
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
|
|
+#endif
|
|
|
|
/* Load our keys and certificates. To avoid messing with configuration
|
|
variables etc, use fixed paths for the certificate store. These are
|