Added support to set min. TLS protocol version

Signed-off-by: Janos SUTO <sj@acts.hu>
2024-11-07 23:31:58 +01:00 · 2021-03-26 05:19:11 +01:00 · 2021-03-26 05:19:11 +01:00 · 105ff4110a
commit 105ff4110a
parent 2139f8e9e4
7 changed files with 59 additions and 6 deletions
--- a/14
+++ b/14
@ -1,3 +1,17 @@
+1.3.12:
+-------
+
+- Introduced new piler.conf variable: tls_min_version
+
+  It sets the minimum TLS protocol version the piler-smtp daemon supports.
+
+  Possible values:
+  - TLSv1   (not recommended)
+  - TLSv1.1 (not recommended)
+  - TLSv1.2 (default)
+  - TLSv1.3
+
+
 1.3.11:
 -------

--- a/2
+++ b/2
@ -1 +1 @@
-1.3.11
+1.3.12
--- a/etc/example.conf
+++ b/etc/example.conf
@ -107,6 +107,13 @@ pemfile=
 cipher_list=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS


+; set the minimum TLS protocol version for piler-smtp daemon
+;
+; Valid values: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
+; TLSv1 and TLSv1.1 are not recommended for security reasons
+tls_min_version=TLSv1.2
+
+
 ; piler's own header to indicate previously archived messages
 piler_header_field=X-piler-id:

--- a/src/cfg.c
+++ b/src/cfg.c
@ -91,6 +91,7 @@ struct _parse_rule config_parse_rules[] =
   { "spam_header_line", "string", (void*) string_parser, offsetof(struct config, spam_header_line), "", MAXVAL-1},
   { "syslog_recipients", "integer", (void*) int_parser, offsetof(struct config, syslog_recipients), "0", sizeof(int)},
   { "tls_enable", "integer", (void*) int_parser, offsetof(struct config, tls_enable), "0", sizeof(int)},
+   { "tls_min_version", "string", (void*) string_parser, offsetof(struct config, tls_min_version), "TLSv1.2", MAXVAL-1},
   { "tweak_sent_time_offset", "integer", (void*) int_parser, offsetof(struct config, tweak_sent_time_offset), "0", sizeof(int)},
   { "update_counters_to_memcached", "integer", (void*) int_parser, offsetof(struct config, update_counters_to_memcached), "0", sizeof(int)},
   { "username", "string", (void*) string_parser, offsetof(struct config, username), "piler", MAXVAL-1},
@ -146,6 +147,24 @@ int parse_config_file(char *configfile, struct config *target_cfg, struct _parse
 }


+int get_tls_protocol_number(char *protocol){
+   struct tls_protocol tls_protocols[] = {
+      { "TLSv1", TLS1_VERSION },
+      { "TLSv1.1", TLS1_1_VERSION },
+      { "TLSv1.2", TLS1_2_VERSION },
+      { "TLSv1.3", TLS1_3_VERSION },
+   };
+
+   for(unsigned int i=0; i<sizeof(tls_protocols)/sizeof(struct tls_protocol); i++){
+      if(!strcmp(protocol, tls_protocols[i].proto)) {
+         return tls_protocols[i].version;
+      }
+   }
+
+   return 0;
+}
+
+
 int load_default_config(struct config *cfg, struct _parse_rule *rules){
   int i=0;

@ -178,6 +197,9 @@ struct config read_config(char *configfile){

   cfg.hostid_len = strlen(cfg.hostid);

+   // Get the TLS protocol constant from string, ie. TLSv1.3 -> 772
+   cfg.tls_min_version_number = get_tls_protocol_number(cfg.tls_min_version);
+
   return cfg;
 }

--- a/src/cfg.h
+++ b/src/cfg.h
@ -29,6 +29,8 @@ struct config {
   int tls_enable;
   char pemfile[MAXVAL];
   char cipher_list[MAXVAL];
+   char tls_min_version[MAXVAL];
+   int tls_min_version_number;

   int use_antivirus;

--- a/src/defs.h
+++ b/src/defs.h
@ -413,4 +413,9 @@ struct smtp_session {
   struct net net;
 };

+struct tls_protocol {
+   char *proto;
+   int version;
+};
+
 #endif /* _DEFS_H */
--- a/src/smtp.c
+++ b/src/smtp.c
@ -171,6 +171,11 @@ int init_ssl(struct smtp_session *session){
      return 0;
   }

+   if(SSL_CTX_set_min_proto_version(session->net.ctx, session->cfg->tls_min_version_number) == 0){
+      syslog(LOG_PRIORITY, "failed SSL_CTX_set_min_proto_version() to %s/%d", session->cfg->tls_min_version, session->cfg->tls_min_version_number);
+      return 0;
+   }
+
   if(SSL_CTX_set_cipher_list(session->net.ctx, session->cfg->cipher_list) == 0){
      syslog(LOG_PRIORITY, "failed to set cipher list: '%s'", session->cfg->cipher_list);
      return 0;
@ -198,8 +203,6 @@ void process_command_starttls(struct smtp_session *session){
      session->net.ssl = SSL_new(session->net.ctx);
      if(session->net.ssl){

-         SSL_set_options(session->net.ssl, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
-
         if(SSL_set_fd(session->net.ssl, session->net.socket) == 1){
            session->net.starttls = 1;
            send_smtp_response(session, SMTP_RESP_220_READY_TO_START_TLS);
@ -209,9 +212,9 @@ void process_command_starttls(struct smtp_session *session){
               wait_for_ssl_accept(session);

            return;
-         } syslog(LOG_PRIORITY, "%s: SSL_set_fd() failed", session->ttmpfile);
-      } syslog(LOG_PRIORITY, "%s: SSL_new() failed", session->ttmpfile);
-   } syslog(LOG_PRIORITY, "SSL ctx is null!");
+         } syslog(LOG_PRIORITY, "ERROR: %s: SSL_set_fd() failed", session->ttmpfile);
+      } syslog(LOG_PRIORITY, "ERROR: %s: SSL_new() failed", session->ttmpfile);
+   } syslog(LOG_PRIORITY, "ERROR: init_ssl()");

   send_smtp_response(session, SMTP_RESP_454_ERR_TLS_TEMP_ERROR);
 }
 @ -1 +1 @@
 .3.11
 .3.12