mirror of
https://bitbucket.org/jsuto/piler.git
synced 2024-12-25 07:40:12 +01:00
Added support to set min. TLS protocol version
Signed-off-by: Janos SUTO <sj@acts.hu>
This commit is contained in:
parent
2139f8e9e4
commit
105ff4110a
@ -1,3 +1,17 @@
|
|||||||
|
1.3.12:
|
||||||
|
-------
|
||||||
|
|
||||||
|
- Introduced new piler.conf variable: tls_min_version
|
||||||
|
|
||||||
|
It sets the minimum TLS protocol version the piler-smtp daemon supports.
|
||||||
|
|
||||||
|
Possible values:
|
||||||
|
- TLSv1 (not recommended)
|
||||||
|
- TLSv1.1 (not recommended)
|
||||||
|
- TLSv1.2 (default)
|
||||||
|
- TLSv1.3
|
||||||
|
|
||||||
|
|
||||||
1.3.11:
|
1.3.11:
|
||||||
-------
|
-------
|
||||||
|
|
||||||
|
@ -107,6 +107,13 @@ pemfile=
|
|||||||
cipher_list=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
|
cipher_list=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
|
||||||
|
|
||||||
|
|
||||||
|
; set the minimum TLS protocol version for piler-smtp daemon
|
||||||
|
;
|
||||||
|
; Valid values: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
|
||||||
|
; TLSv1 and TLSv1.1 are not recommended for security reasons
|
||||||
|
tls_min_version=TLSv1.2
|
||||||
|
|
||||||
|
|
||||||
; piler's own header to indicate previously archived messages
|
; piler's own header to indicate previously archived messages
|
||||||
piler_header_field=X-piler-id:
|
piler_header_field=X-piler-id:
|
||||||
|
|
||||||
|
22
src/cfg.c
22
src/cfg.c
@ -91,6 +91,7 @@ struct _parse_rule config_parse_rules[] =
|
|||||||
{ "spam_header_line", "string", (void*) string_parser, offsetof(struct config, spam_header_line), "", MAXVAL-1},
|
{ "spam_header_line", "string", (void*) string_parser, offsetof(struct config, spam_header_line), "", MAXVAL-1},
|
||||||
{ "syslog_recipients", "integer", (void*) int_parser, offsetof(struct config, syslog_recipients), "0", sizeof(int)},
|
{ "syslog_recipients", "integer", (void*) int_parser, offsetof(struct config, syslog_recipients), "0", sizeof(int)},
|
||||||
{ "tls_enable", "integer", (void*) int_parser, offsetof(struct config, tls_enable), "0", sizeof(int)},
|
{ "tls_enable", "integer", (void*) int_parser, offsetof(struct config, tls_enable), "0", sizeof(int)},
|
||||||
|
{ "tls_min_version", "string", (void*) string_parser, offsetof(struct config, tls_min_version), "TLSv1.2", MAXVAL-1},
|
||||||
{ "tweak_sent_time_offset", "integer", (void*) int_parser, offsetof(struct config, tweak_sent_time_offset), "0", sizeof(int)},
|
{ "tweak_sent_time_offset", "integer", (void*) int_parser, offsetof(struct config, tweak_sent_time_offset), "0", sizeof(int)},
|
||||||
{ "update_counters_to_memcached", "integer", (void*) int_parser, offsetof(struct config, update_counters_to_memcached), "0", sizeof(int)},
|
{ "update_counters_to_memcached", "integer", (void*) int_parser, offsetof(struct config, update_counters_to_memcached), "0", sizeof(int)},
|
||||||
{ "username", "string", (void*) string_parser, offsetof(struct config, username), "piler", MAXVAL-1},
|
{ "username", "string", (void*) string_parser, offsetof(struct config, username), "piler", MAXVAL-1},
|
||||||
@ -146,6 +147,24 @@ int parse_config_file(char *configfile, struct config *target_cfg, struct _parse
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
int get_tls_protocol_number(char *protocol){
|
||||||
|
struct tls_protocol tls_protocols[] = {
|
||||||
|
{ "TLSv1", TLS1_VERSION },
|
||||||
|
{ "TLSv1.1", TLS1_1_VERSION },
|
||||||
|
{ "TLSv1.2", TLS1_2_VERSION },
|
||||||
|
{ "TLSv1.3", TLS1_3_VERSION },
|
||||||
|
};
|
||||||
|
|
||||||
|
for(unsigned int i=0; i<sizeof(tls_protocols)/sizeof(struct tls_protocol); i++){
|
||||||
|
if(!strcmp(protocol, tls_protocols[i].proto)) {
|
||||||
|
return tls_protocols[i].version;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
int load_default_config(struct config *cfg, struct _parse_rule *rules){
|
int load_default_config(struct config *cfg, struct _parse_rule *rules){
|
||||||
int i=0;
|
int i=0;
|
||||||
|
|
||||||
@ -178,6 +197,9 @@ struct config read_config(char *configfile){
|
|||||||
|
|
||||||
cfg.hostid_len = strlen(cfg.hostid);
|
cfg.hostid_len = strlen(cfg.hostid);
|
||||||
|
|
||||||
|
// Get the TLS protocol constant from string, ie. TLSv1.3 -> 772
|
||||||
|
cfg.tls_min_version_number = get_tls_protocol_number(cfg.tls_min_version);
|
||||||
|
|
||||||
return cfg;
|
return cfg;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -29,6 +29,8 @@ struct config {
|
|||||||
int tls_enable;
|
int tls_enable;
|
||||||
char pemfile[MAXVAL];
|
char pemfile[MAXVAL];
|
||||||
char cipher_list[MAXVAL];
|
char cipher_list[MAXVAL];
|
||||||
|
char tls_min_version[MAXVAL];
|
||||||
|
int tls_min_version_number;
|
||||||
|
|
||||||
int use_antivirus;
|
int use_antivirus;
|
||||||
|
|
||||||
|
@ -413,4 +413,9 @@ struct smtp_session {
|
|||||||
struct net net;
|
struct net net;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
struct tls_protocol {
|
||||||
|
char *proto;
|
||||||
|
int version;
|
||||||
|
};
|
||||||
|
|
||||||
#endif /* _DEFS_H */
|
#endif /* _DEFS_H */
|
||||||
|
13
src/smtp.c
13
src/smtp.c
@ -171,6 +171,11 @@ int init_ssl(struct smtp_session *session){
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if(SSL_CTX_set_min_proto_version(session->net.ctx, session->cfg->tls_min_version_number) == 0){
|
||||||
|
syslog(LOG_PRIORITY, "failed SSL_CTX_set_min_proto_version() to %s/%d", session->cfg->tls_min_version, session->cfg->tls_min_version_number);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
if(SSL_CTX_set_cipher_list(session->net.ctx, session->cfg->cipher_list) == 0){
|
if(SSL_CTX_set_cipher_list(session->net.ctx, session->cfg->cipher_list) == 0){
|
||||||
syslog(LOG_PRIORITY, "failed to set cipher list: '%s'", session->cfg->cipher_list);
|
syslog(LOG_PRIORITY, "failed to set cipher list: '%s'", session->cfg->cipher_list);
|
||||||
return 0;
|
return 0;
|
||||||
@ -198,8 +203,6 @@ void process_command_starttls(struct smtp_session *session){
|
|||||||
session->net.ssl = SSL_new(session->net.ctx);
|
session->net.ssl = SSL_new(session->net.ctx);
|
||||||
if(session->net.ssl){
|
if(session->net.ssl){
|
||||||
|
|
||||||
SSL_set_options(session->net.ssl, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
|
|
||||||
|
|
||||||
if(SSL_set_fd(session->net.ssl, session->net.socket) == 1){
|
if(SSL_set_fd(session->net.ssl, session->net.socket) == 1){
|
||||||
session->net.starttls = 1;
|
session->net.starttls = 1;
|
||||||
send_smtp_response(session, SMTP_RESP_220_READY_TO_START_TLS);
|
send_smtp_response(session, SMTP_RESP_220_READY_TO_START_TLS);
|
||||||
@ -209,9 +212,9 @@ void process_command_starttls(struct smtp_session *session){
|
|||||||
wait_for_ssl_accept(session);
|
wait_for_ssl_accept(session);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
} syslog(LOG_PRIORITY, "%s: SSL_set_fd() failed", session->ttmpfile);
|
} syslog(LOG_PRIORITY, "ERROR: %s: SSL_set_fd() failed", session->ttmpfile);
|
||||||
} syslog(LOG_PRIORITY, "%s: SSL_new() failed", session->ttmpfile);
|
} syslog(LOG_PRIORITY, "ERROR: %s: SSL_new() failed", session->ttmpfile);
|
||||||
} syslog(LOG_PRIORITY, "SSL ctx is null!");
|
} syslog(LOG_PRIORITY, "ERROR: init_ssl()");
|
||||||
|
|
||||||
send_smtp_response(session, SMTP_RESP_454_ERR_TLS_TEMP_ERROR);
|
send_smtp_response(session, SMTP_RESP_454_ERR_TLS_TEMP_ERROR);
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user