From 5568b4be97963627154c8f0c6f21a9af70ca7b8a Mon Sep 17 00:00:00 2001
From: manuel
Date: Wed, 26 Dec 2018 01:59:25 +0100
Subject: Disable TLS 1.0 only for smtp auth/submission
---
 qmail-smtpd.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
(limited to 'qmail-smtpd.c')
diff --git a/qmail-smtpd.c b/qmail-smtpd.c
index 2a1fd71..8ae6af3 100644
--- a/qmail-smtpd.c
+++ b/qmail-smtpd.c
@@ -84,6 +84,10 @@ int tls_before_auth = 0;
 int smtputf8 = 0;
 #endif
 
+/* SMTP AUTH */
+int flagauth = 0;
+char **childargs;
+
 int safewrite(fd,buf,len) int fd; char *buf; int len;
 {
   int r;
@@ -199,8 +203,6 @@ extern void realrcptto_start();
 extern int realrcptto();
 extern int realrcptto_deny();
 
-int flagauth = 0;
-
 stralloc greeting = {0};
 
 void smtp_greet(code) char *code;
@@ -960,7 +962,6 @@ static stralloc chal = {0}; /* plain challenge */
 static stralloc slop = {0}; /* b64 challenge */
 #endif
 
-char **childargs;
 char ssauthbuf[512];
 char ssauth2buf[512];
 substdio ssauth = SUBSTDIO_FDBUF(safewrite,3,ssauthbuf,sizeof(ssauthbuf));
@@ -1432,9 +1433,11 @@ void tls_init()
   /* a new SSL context with the bare minimum of options */
   ctx = SSL_CTX_new(SSLv23_server_method());
   if (!ctx) { tls_err("unable to initialize ctx"); return; }
-  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
+  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3 |
                            SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_PRIORITIZE_CHACHA);
+  if (*childargs)
+    SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
   if (!SSL_CTX_use_certificate_chain_file(ctx, servercert))
     { SSL_CTX_free(ctx); tls_err("missing certificate"); return; }
-- 
cgit v1.2.3
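Review bot: The new `if (*childargs)` in tls_init dereferences the file-scope `char **childargs` unconditionally; that global is zero-initialised and nothing in this hunk shows it being assigned before tls_init runs, so any call path that reaches tls_init before the AUTH arguments are parsed would dereference NULL and crash the daemon. A guard such as `if (childargs && *childargs)` costs nothing and makes the ordering dependency explicit. The intent of the check — treating the presence of a checkpassword argument as "this is the AUTH/submission instance, so refuse TLS 1.0" — is also not stated anywhere in the code; a comment like `/* AUTH-capable (submission) instance: refuse TLS 1.0 */` above it would make the coupling visible to the next reader. tls_init's body continues past the end of the hunk, and the hunk header's counts (9 old / 11 new) exceed the lines shown, so the tail of this hunk appears to be truncated here.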