Require TLS 1.2 or above for smtp auth/submission

author: manuel <manuel@mausz.at> 2020-08-31 00:21:59 +0200
committer: manuel <manuel@mausz.at> 2020-08-31 00:21:59 +0200
commit: 761862206401416f69aee98e81d67fb749fb9607 (patch)
tree: 48e9f57c47887f4182c7a9130aa365a35a1c52ba
parent: 083c1cc688d6567bba50f8fb1302863516d2b6f7 (diff)
download: qmail-761862206401416f69aee98e81d67fb749fb9607.tar.gz
qmail-761862206401416f69aee98e81d67fb749fb9607.tar.bz2
qmail-761862206401416f69aee98e81d67fb749fb9607.zip
1 files changed, 3 insertions, 4 deletions
diff --git a/qmail-smtpd.c b/qmail-smtpd.c
index fcda68c..1036eef 100644
--- a/qmail-smtpd.c
+++ b/qmail-smtpd.c
@@ -1460,11 +1460,10 @@ void tls_init()
  /* a new SSL context with the bare minimum of options */
  ctx = SSL_CTX_new(SSLv23_server_method());
  if (!ctx) { tls_err("unable to initialize ctx"); return; }
-  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3 |
+  int min_ssl_version = (*childargs) ? TLS1_2_VERSION : TLS1_VERSION;
-                           SSL_OP_CIPHER_SERVER_PREFERENCE |
+  SSL_CTX_set_min_proto_version(ctx, min_ssl_version);
+  SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE |
                           SSL_OP_PRIORITIZE_CHACHA);
-  if (*childargs)
-    SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
  if (!SSL_CTX_use_certificate_chain_file(ctx, servercert))
    { SSL_CTX_free(ctx); tls_err("missing certificate"); return; }
author	manuel <manuel@mausz.at>	2020-08-31 00:21:59 +0200
committer	manuel <manuel@mausz.at>	2020-08-31 00:21:59 +0200
commit	761862206401416f69aee98e81d67fb749fb9607 (patch)
tree	48e9f57c47887f4182c7a9130aa365a35a1c52ba
parent	083c1cc688d6567bba50f8fb1302863516d2b6f7 (diff)
download	qmail-761862206401416f69aee98e81d67fb749fb9607.tar.gz qmail-761862206401416f69aee98e81d67fb749fb9607.tar.bz2 qmail-761862206401416f69aee98e81d67fb749fb9607.zip