From 761862206401416f69aee98e81d67fb749fb9607 Mon Sep 17 00:00:00 2001
From: manuel
Date: Mon, 31 Aug 2020 00:21:59 +0200
Subject: Require TLS 1.2 or above for smtp auth/submission

---
 qmail-smtpd.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/qmail-smtpd.c b/qmail-smtpd.c
index fcda68c..1036eef 100644
--- a/qmail-smtpd.c
+++ b/qmail-smtpd.c
@@ -1460,11 +1460,10 @@ void tls_init()
   /* a new SSL context with the bare minimum of options */
   ctx = SSL_CTX_new(SSLv23_server_method());
   if (!ctx) { tls_err("unable to initialize ctx"); return; }
-  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3 |
-                      SSL_OP_CIPHER_SERVER_PREFERENCE |
+  int min_ssl_version = (*childargs) ? TLS1_2_VERSION : TLS1_VERSION;
+  SSL_CTX_set_min_proto_version(ctx, min_ssl_version);
+  SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE |
                       SSL_OP_PRIORITIZE_CHACHA);
-  if (*childargs)
-    SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
   if (!SSL_CTX_use_certificate_chain_file(ctx, servercert)) {
     SSL_CTX_free(ctx); tls_err("missing certificate"); return; }
-- 
cgit v1.2.3
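Review bot: The return value of `SSL_CTX_set_min_proto_version` on the second added line is never checked, so a failed call leaves the context at the library's default floor, and since the explicit `SSL_OP_NO_SSLv3` was dropped in the same hunk that fall-back is now weaker than before the change. Handle it the way the certificate failure two lines below is handled: `if (!SSL_CTX_set_min_proto_version(ctx, min_ssl_version)) { SSL_CTX_free(ctx); tls_err("unable to set minimum TLS version"); return; }`. `SSL_CTX_set_min_proto_version` only exists from OpenSSL 1.1.0 on (and recent LibreSSL), so builds against older libraries now fail to compile instead of degrading to the old `SSL_OP_NO_*` path — presumably accepted for this tree, but a short comment on the new declaration saying why `*childargs` selects the floor would help, e.g. `/* auth/submission (childargs set) requires TLS 1.2+; the MTA port still accepts TLS 1.0 for legacy peers */`. Declaring `int min_ssl_version` after statements is C99-only, which is a style departure if the rest of this file is kept C89-clean. tls_init begins before this hunk and continues past it.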