imapserver: add a tls_level option

Allow the user to block usage of known-bad versions of SSL and TLS.

Signed-off-by: Ben Boeckel <mathstuf@gmail.com>
Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
Ben Boeckel 2015-08-24 23:32:00 -04:00 committed by Nicolas Sebrecht
parent 9bb27de375
commit f03afcd224
3 changed files with 16 additions and 0 deletions


@ -646,6 +646,17 @@ remotehost = examplehost
#ssl_version = ssl23 #ssl_version = ssl23
# This option stands in the [Repository RemoteExample] section.
#
# TLS support level (optional).
#
# Specify the level of support that should be allowed for this repository.
# Can be used to disallow insecure SSL versions. Supported values are:
# tls_secure, tls_no_ssl, tls_compat (the default).
#
#tls_level = tls_compat
# This option stands in the [Repository RemoteExample] section. # This option stands in the [Repository RemoteExample] section.
# #
# Specify the port. If not specified, use a default port. # Specify the port. If not specified, use a default port.


@ -92,6 +92,7 @@ class IMAPServer:
self.__verifycert = None # disable cert verification self.__verifycert = None # disable cert verification
self.fingerprint = repos.get_ssl_fingerprint() self.fingerprint = repos.get_ssl_fingerprint()
self.sslversion = repos.getsslversion() self.sslversion = repos.getsslversion()
self.tlslevel = repos.gettlslevel()
self.oauth2_refresh_token = repos.getoauth2_refresh_token() self.oauth2_refresh_token = repos.getoauth2_refresh_token()
self.oauth2_client_id = repos.getoauth2_client_id() self.oauth2_client_id = repos.getoauth2_client_id()
@ -478,6 +479,7 @@ class IMAPServer:
timeout=socket.getdefaulttimeout(), timeout=socket.getdefaulttimeout(),
fingerprint=self.fingerprint, fingerprint=self.fingerprint,
use_socket=self.proxied_socket, use_socket=self.proxied_socket,
tls_level=self.tlslevel,
) )
else: else:
self.ui.connecting(self.hostname, self.port) self.ui.connecting(self.hostname, self.port)
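Review bot: Only the SSL constructor call in the second hunk receives `tls_level=self.tlslevel`; the `else:` branch that follows continues outside the hunk, so it is not visible whether a plain connection that is later upgraded with STARTTLS honours the configured level. If it does not, a user who sets `tls_level = tls_secure` would presumably still negotiate under the permissive default on that path, so the same value should be passed wherever the socket is wrapped for STARTTLS. The visible lines also do not say how `tls_level` interacts with an explicit `ssl_version`. A comment at the assignment would help, for example `# tls_level limits the SSL/TLS protocol versions that may be negotiated; certificate verification is configured separately`.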


@ -246,6 +246,9 @@ class IMAPRepository(BaseRepository):
raise OfflineImapError(reason, OfflineImapError.ERROR.REPO) raise OfflineImapError(reason, OfflineImapError.ERROR.REPO)
return cacertfile return cacertfile
def gettlslevel(self):
return self.getconf('tls_level', 'tls_compat')
def getsslversion(self): def getsslversion(self):
return self.getconf('ssl_version', None) return self.getconf('ssl_version', None)
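Review bot: `gettlslevel` returns whatever string is in the configuration without checking it against the three documented values (`tls_secure`, `tls_no_ssl`, `tls_compat`), so a typo such as `tls_secur` is passed on unchanged. How the connection layer treats an unknown level is not visible in this commit; if it falls back to the compatible behaviour, the user gets weaker protocol restrictions than intended and no error. Rejecting unknown values here, with the same `OfflineImapError.ERROR.REPO` error the preceding getter raises, would make the misconfiguration fail closed. A one-line docstring naming the accepted values would help as well.

```python
    def gettlslevel(self):
        """Return the configured tls_level: tls_secure, tls_no_ssl or tls_compat."""
        level = self.getconf('tls_level', 'tls_compat')
        if level not in ('tls_secure', 'tls_no_ssl', 'tls_compat'):
            reason = "Unknown tls_level value '%s'" % level
            raise OfflineImapError(reason, OfflineImapError.ERROR.REPO)
        return level
```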