Disable insecure stuff that OpenSSL leaves enabled by default, and pr…

…ovide an

insecure flag (which replaces no-tls1) to turn them on again. From gmp at
wow.st.

connect.c

@@ -571,10 +571,15 @@ makessl(struct server *srv, int fd, int verify, int timeout, char **cause)
 	int	 n, mode;
 
 	ctx = SSL_CTX_new(SSLv23_client_method());
-	if (srv->tls1)
-		SSL_CTX_set_options(ctx, SSL_OP_ALL);
-	else
-		SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_TLSv1);
+	SSL_CTX_set_options(ctx, SSL_OP_ALL);
+
+	/* Disable insecure SSL/TLS versions. */
+	if (!srv->insecure) {
+		SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+		SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
+		SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
+	}
+
 	SSL_CTX_set_default_verify_paths(ctx);
 	SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
 

fdm.conf.5

@@ -370,15 +370,16 @@ for details.
 .Op Ic no-apop
 .Op Ic no-uidl
 .Op Ic starttls
+.Op Ic insecure
 .Xc
 .It Xo Ic pop3s Ic server Ar host
 .Op Ic port Ar port
 .Op Ar userpass
 .Op Ar only
 .Op Ic no-apop
-.Op Ic no-uidl
 .Op Ic no-verify
-.Op Ic no-tls1
+.Op Ic no-uidl
+.Op Ic insecure
 .Xc
 These statements define a POP3 or POP3S account.
 The
@@ -440,19 +441,14 @@ keyword makes
 not use the UIDL command to retrieve mails.
 This is mainly useful for broken POP3 servers.
 .Pp
-The
-.Ic no-tls1
-keyword instructs
-.Xr fdm 1
-not to use the TLSv1 protocol with SSL connections.
-Some broken servers will fail in the handshake phase if the
-.Ic tls1
-flag is not unset.
-.Pp
 .Ic starttls
 attempts to use
 .Em STARTTLS
 after connection.
+.Pp
+.Ic insecure
+allows the use of insecure protocols, which currently includes SSLv2, SSLv3
+and TLS1.0.
 .It Xo Ic pop3 Ic pipe Ar command
 .Op Ar userpass
 .Op Ar only
@@ -476,6 +472,7 @@ not be read from
 .Op Ic no-cram-md5
 .Op Ic no-login
 .Op Ic starttls
+.Op Ic insecure
 .Xc
 .It Xo Ic imap Ic server Ar host
 .Op Ic port Ar port
@@ -492,9 +489,9 @@ not be read from
 .Op Ar folders
 .Op Ar only
 .Op Ic no-verify
-.Op Ic no-tls1
 .Op Ic no-cram-md5
 .Op Ic no-login
+.Op Ic insecure
 .Xc
 These define an IMAP or IMAPS account.
 The parameters are as for a POP3 or POP3S account, aside from the additional
@@ -529,6 +526,10 @@ The default is to use CRAM-MD5 if it is available, or LOGIN otherwise.
 attempts to use
 .Em STARTTLS
 after connection.
+.Pp
+.Ic insecure
+allows the use of insecure protocols, which currently includes SSLv2, SSLv3
+and TLS1.0.
 .It Xo Ic imap Ic pipe Ar command
 .Op Ar userpass
 .Op Ar folders
@@ -599,7 +600,6 @@ basename of the mbox file.
 .Op Ar userpass
 .Ic group Ar group
 .Ic cache Ar cache
-.Op Ic no-tls1
 .Xc
 .It Xo Ic nntps Ic server Ar host
 .Op Ic port Ar port
@@ -609,7 +609,6 @@ basename of the mbox file.
 .Ar group ...
 .Li }
 .Ic cache Ar cache
-.Op Ic no-tls1
 .Xc
 An NNTP account.
 Articles are fetched from the specified group or groups and delivered.

fdm.h

@@ -200,8 +200,8 @@ struct server {
 	char		*port;
 	struct addrinfo	*ai;
 	int		 ssl;
-	int		 tls1;
 	int		 verify;
+	int		 insecure;
 };
 
 /* Proxy type. */

lex.c

@@ -116,6 +116,7 @@ static const struct token tokens[] = {
 	{ "imaps", TOKIMAPS },
 	{ "in", TOKIN },
 	{ "in-cache", TOKINCACHE },
+	{ "insecure", TOKINSECURE },
 	{ "invalid", TOKINVALID },
 	{ "k", TOKKILOBYTES },
 	{ "kb", TOKKILOBYTES },
@@ -152,7 +153,6 @@ static const struct token tokens[] = {
 	{ "no-create", TOKNOCREATE },
 	{ "no-login", TOKNOLOGIN },
 	{ "no-received", TOKNORECEIVED },
-	{ "no-tls1", TOKNOTLS1 },
 	{ "no-uidl", TOKNOUIDL },
 	{ "no-verify", TOKNOVERIFY },
 	{ "none", TOKNONE },

parse.y

@@ -173,6 +173,7 @@ yyerror(const char *fmt, ...)
 %token TOKIMPLACT
 %token TOKIN
 %token TOKINCACHE
+%token TOKINSECURE
 %token TOKINVALID
 %token TOKKEEP
 %token TOKKEY
@@ -203,7 +204,6 @@ yyerror(const char *fmt, ...)
 %token TOKNONE
 %token TOKNORECEIVED
 %token TOKNOT
-%token TOKNOTLS1
 %token TOKNOUIDL
 %token TOKNOVERIFY
 %token TOKOLDONLY
@@ -305,8 +305,9 @@ yyerror(const char *fmt, ...)
 %type  <expritem> expritem
 %type  <exprop> exprop
 %type  <fetch> fetchtype
-%type  <flag> cont not disabled keep execpipe writeappend compress verify tls1
+%type  <flag> cont not disabled keep execpipe writeappend compress verify
 %type  <flag> apop poptype imaptype nntptype nocrammd5 nologin uidl starttls
+%type  <flag> insecure
 %type  <localgid> localgid
 %type  <locks> lock locklist
 %type  <number> size time numv retrc expire
@@ -1209,12 +1210,12 @@ actitem: execpipe strv
 		 data->path.str = $2;
 		 data->compress = $3;
 	 }
-       | imaptype server userpassnetrc folder1 verify nocrammd5 nologin tls1
-	 starttls
+       | imaptype server userpassnetrc folder1 verify nocrammd5 nologin
+	 starttls insecure
 	 {
 		 struct deliver_imap_data	*data;
 
-		 if ($1 && $9)
+		 if ($1 && $8)
 			 yyerror("use either imaps or set starttls");
 
 		 $$ = xcalloc(1, sizeof *$$);
@@ -1239,7 +1240,6 @@ actitem: execpipe strv
 		 data->folder.str = $4;
 		 data->server.ssl = $1;
 		 data->server.verify = $5;
-		 data->server.tls1 = $8;
 		 data->server.host = $2.host;
 		 if ($2.port != NULL)
 			 data->server.port = $2.port;
@@ -1250,7 +1250,8 @@ actitem: execpipe strv
 		 data->server.ai = NULL;
 		 data->nocrammd5 = $6;
 		 data->nologin = $7;
-		 data->starttls = $9;
+		 data->starttls = $8;
+		 data->server.insecure = $9;
 	 }
        | TOKSMTP server from to
 	 {
@@ -2022,15 +2023,6 @@ nologin: TOKNOLOGIN
 		 $$ = 0;
 	 }
 
-tls1: TOKNOTLS1
-	{
-		$$ = 0;
-	}
-      | /* empty */
-	{
-		$$ = 1;
-	}
-
 starttls: TOKSTARTTLS
 	{
 		$$ = 1;
@@ -2050,6 +2042,15 @@ uidl: TOKNOUIDL
 		$$ = 1;
 	}
 
+insecure: TOKINSECURE
+	{
+		$$ = 1;
+	}
+      | /* empty */
+	{
+		$$ = 0;
+	}
+
 verify: TOKNOVERIFY
 	{
 		$$ = 0;
@@ -2192,11 +2193,12 @@ imaponly: only
 		  $$ = FETCH_ONLY_ALL;
 	  }
 
-fetchtype: poptype server userpassnetrc poponly apop verify uidl tls1 starttls
+fetchtype: poptype server userpassnetrc poponly apop verify uidl starttls
+	   insecure
 	   {
 		   struct fetch_pop3_data	*data;
 
-		   if ($1 && $9)
+		   if ($1 && $8)
 			   yyerror("use either pop3s or set starttls");
 
 		   $$.fetch = &fetch_pop3;
@@ -2218,7 +2220,6 @@ fetchtype: poptype server userpassnetrc poponly apop verify uidl tls1 starttls
 
 		   data->server.ssl = $1;
 		   data->server.verify = $6;
-		   data->server.tls1 = $8;
 		   data->server.host = $2.host;
 		   if ($2.port != NULL)
 			   data->server.port = $2.port;
@@ -2229,7 +2230,8 @@ fetchtype: poptype server userpassnetrc poponly apop verify uidl tls1 starttls
 		   data->server.ai = NULL;
 		   data->apop = $5;
 		   data->uidl = $7;
-		   data->starttls = $9;
+		   data->starttls = $8;
+		   data->server.insecure = $9;
 
 		   data->path = $4.path;
 		   data->only = $4.only;
@@ -2251,11 +2253,11 @@ fetchtype: poptype server userpassnetrc poponly apop verify uidl tls1 starttls
 		   data->only = $5.only;
 	   }
 	 | imaptype server userpassnetrc folderlist imaponly verify nocrammd5
-	   nologin tls1 starttls
+	   nologin starttls insecure
 	   {
 		   struct fetch_imap_data	*data;
 
-		   if ($1 && $10)
+		   if ($1 && $9)
 			   yyerror("use either imaps or set starttls");
 
 		   $$.fetch = &fetch_imap;
@@ -2278,7 +2280,6 @@ fetchtype: poptype server userpassnetrc poponly apop verify uidl tls1 starttls
 		   data->folders = $4;
 		   data->server.ssl = $1;
 		   data->server.verify = $6;
-		   data->server.tls1 = $9;
 		   data->server.host = $2.host;
 		   if ($2.port != NULL)
 			   data->server.port = $2.port;
@@ -2290,7 +2291,8 @@ fetchtype: poptype server userpassnetrc poponly apop verify uidl tls1 starttls
 		   data->only = $5;
 		   data->nocrammd5 = $7;
 		   data->nologin = $8;
-		   data->starttls = $10;
+		   data->starttls = $9;
+		   data->server.insecure = $10;
 	   }
 	 | TOKIMAP TOKPIPE replstrv userpass folderlist imaponly
 	   {
@@ -2329,7 +2331,8 @@ fetchtype: poptype server userpassnetrc poponly apop verify uidl tls1 starttls
 		   $$.data = data;
 		   data->mboxes = $1;
 	   }
-	 | nntptype server userpassnetrc groups TOKCACHE replpathv verify tls1
+	 | nntptype server userpassnetrc groups TOKCACHE replpathv verify
+	   insecure
 	   {
 		   struct fetch_nntp_data	*data;
 		   char				*cause;
@@ -2368,7 +2371,7 @@ fetchtype: poptype server userpassnetrc poponly apop verify uidl tls1 starttls
 
 		   data->server.ssl = $1;
 		   data->server.verify = $7;
-		   data->server.tls1 = $8;
+		   data->server.insecure = $8;
 		   data->server.host = $2.host;
 		   if ($2.port != NULL)
 			   data->server.port = $2.port;