lib-ssl-iostream,login-common: Use SSL_CTX_set_min_proto_version

Use SSL_CTX_set_min_proto_version to set the minimum ssl protocol version where available.
dovecot · Feb 19, 2018 · 84f7a07 · 84f7a07
1 parent ad6906b
commit 84f7a07
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 0 deletions.
diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -336,8 +336,25 @@ ssl_iostream_context_set(struct ssl_iostream_context *ctx,
 				    SSL_OP_CIPHER_SERVER_PREFERENCE);
 	}
 	if (ctx->set->protocols != NULL) {
+#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
+		int min_protocol;
+		const char *error;
+		if (ssl_protocols_to_min_protocol(ctx->set->protocols,
+						  &min_protocol, &error) < 0) {
+			*error_r = t_strdup_printf(
+				"Unknown ssl_protocols setting: %s", error);
+			return -1;
+		} else if (SSL_CTX_set_min_proto_version(ctx->ssl_ctx,
+							 min_protocol) != 1) {
+			*error_r = t_strdup_printf(
+				"Failed to set SSL minimum protocol version to %d",
+				min_protocol);
+			return -1;
+		}
+#else
 		SSL_CTX_set_options(ctx->ssl_ctx,
 			    openssl_get_protocol_options(ctx->set->protocols));
+#endif
 	}
 
 	if (set->cert != NULL &&

diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
@@ -173,8 +173,25 @@ openssl_iostream_set(struct ssl_iostream *ssl_io,
 #if defined(HAVE_SSL_CLEAR_OPTIONS)
 		SSL_clear_options(ssl_io->ssl, OPENSSL_ALL_PROTOCOL_OPTIONS);
 #endif
+#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
+		int min_protocol;
+		const char *error;
+		if (ssl_protocols_to_min_protocol(set->protocols,
+						  &min_protocol, &error) < 0) {
+			*error_r = t_strdup_printf(
+				"Unknown ssl_protocols setting: %s", error);
+			return -1;
+		} else if (SSL_set_min_proto_version(ssl_io->ssl,
+						     min_protocol) != 1) {
+			*error_r = t_strdup_printf(
+				"Failed to set SSL minimum protocol version to %d",
+				min_protocol);
+			return -1;
+		}
+#else
 		SSL_set_options(ssl_io->ssl,
 				openssl_get_protocol_options(set->protocols));
+#endif
 	}
 
 	if (set->cert != NULL && strcmp(ctx_set->cert, set->cert) != 0) {

diff --git a/src/login-common/ssl-proxy-openssl.c b/src/login-common/ssl-proxy-openssl.c
@@ -1301,7 +1301,18 @@ ssl_server_context_init(const struct login_settings *login_set,
 	}
 	if (ctx->prefer_server_ciphers)
 		SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
+	int min_protocol;
+	const char *error;
+	if (ssl_protocols_to_min_protocol(ctx->protocols, &min_protocol,
+					  &error) < 0)
+		i_fatal("Unknown ssl_protocols setting: %s", error);
+	else if (SSL_CTX_set_min_proto_version(ssl_ctx, min_protocol) != 1)
+		i_fatal("Failed to set SSL minimum protocol version to %d",
+			min_protocol);
+#else
 	SSL_CTX_set_options(ssl_ctx, openssl_get_protocol_options(ctx->protocols));
+#endif
 
 	if (ctx->pri.cert != NULL && *ctx->pri.cert != '\0' &&
 	    ssl_proxy_ctx_use_certificate_chain(ctx->ctx, ctx->pri.cert) != 1) {