imapserver: add a tls_level option
Allow the user to block usage of known-bad versions of SSL and TLS. Signed-off-by: Ben Boeckel <mathstuf@gmail.com> Signed-off-by: Nicolas Sebrecht <nicolas.s-dev@laposte.net>
		
				
					committed by
					
						
						Nicolas Sebrecht
					
				
			
			
				
	
			
			
			
						parent
						
							9bb27de375
						
					
				
				
					commit
					f03afcd224
				
			@@ -646,6 +646,17 @@ remotehost = examplehost
 | 
			
		||||
#ssl_version = ssl23
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
# This option stands in the [Repository RemoteExample] section.
 | 
			
		||||
#
 | 
			
		||||
# TLS support level (optional).
 | 
			
		||||
#
 | 
			
		||||
# Specify the level of support that should be allowed for this repository.
 | 
			
		||||
# Can be used to disallow insecure SSL versions. Supported values are:
 | 
			
		||||
# tls_secure, tls_no_ssl, tls_compat (the default).
 | 
			
		||||
#
 | 
			
		||||
#tls_level = tls_compat
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
# This option stands in the [Repository RemoteExample] section.
 | 
			
		||||
#
 | 
			
		||||
# Specify the port.  If not specified, use a default port.
 | 
			
		||||
 
 | 
			
		||||
@@ -92,6 +92,7 @@ class IMAPServer:
 | 
			
		||||
            self.__verifycert = None # disable cert verification
 | 
			
		||||
        self.fingerprint = repos.get_ssl_fingerprint()
 | 
			
		||||
        self.sslversion = repos.getsslversion()
 | 
			
		||||
        self.tlslevel = repos.gettlslevel()
 | 
			
		||||
 | 
			
		||||
        self.oauth2_refresh_token = repos.getoauth2_refresh_token()
 | 
			
		||||
        self.oauth2_client_id = repos.getoauth2_client_id()
 | 
			
		||||
@@ -478,6 +479,7 @@ class IMAPServer:
 | 
			
		||||
                        timeout=socket.getdefaulttimeout(),
 | 
			
		||||
                        fingerprint=self.fingerprint,
 | 
			
		||||
                        use_socket=self.proxied_socket,
 | 
			
		||||
                        tls_level=self.tlslevel,
 | 
			
		||||
                        )
 | 
			
		||||
                else:
 | 
			
		||||
                    self.ui.connecting(self.hostname, self.port)
 | 
			
		||||
 
 | 
			
		||||
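Review bot: The new `tls_level=self.tlslevel` argument is added only to the constructor call that also takes `fingerprint=` (hunk at line 479), and the `else:` branch after it is cut off, so it is not visible whether a connection that is upgraded to TLS later is held to the same level. If that path builds its own TLS context without the level, a repository configured with a strict `tls_level` could still negotiate an old protocol there, so the level should be passed wherever a TLS context is created. It would also help to add a comment next to `self.tlslevel = repos.gettlslevel()` stating how it combines with `self.sslversion` when both are set, since the hunk stores both and does not show which one wins. The enclosing methods start and end outside both hunks.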
@@ -246,6 +246,9 @@ class IMAPRepository(BaseRepository):
 | 
			
		||||
            raise OfflineImapError(reason, OfflineImapError.ERROR.REPO)
 | 
			
		||||
        return cacertfile
 | 
			
		||||
 | 
			
		||||
    def gettlslevel(self):
 | 
			
		||||
        return self.getconf('tls_level', 'tls_compat')
 | 
			
		||||
 | 
			
		||||
    def getsslversion(self):
 | 
			
		||||
        return self.getconf('ssl_version', None)
 | 
			
		||||
 | 
			
		||||
 
 | 
			
		||||
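Review bot: `gettlslevel` returns whatever string the configuration holds, so a misspelled `tls_level` is passed on unchecked; how the connection layer treats an unknown level is not visible here, and it may silently behave like the permissive setting. Validating against the three documented values and raising `OfflineImapError` with `ERROR.REPO`, as the preceding method does on its error path, makes a typo fail at load time instead. Separately, the default remains `tls_compat`, which going by the commit description does not block the known-bad versions, so a repository is only protected after the user opts in; a docstring on `gettlslevel` should say so.

```python
    def gettlslevel(self):
        level = self.getconf('tls_level', 'tls_compat')
        if level not in ('tls_secure', 'tls_no_ssl', 'tls_compat'):
            reason = ("Unknown tls_level '%s'; expected tls_secure, "
                      "tls_no_ssl or tls_compat" % level)
            raise OfflineImapError(reason, OfflineImapError.ERROR.REPO)
        return level
```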