commit e3056b26e95e3eef7bb3034cedf68453bdce3887
parent 7e0e14a686097975aee16d5439400223a287b76c
Author: Oswald Buddenhagen <ossi@users.sf.net>
Date: Mon, 16 May 2022 15:57:03 +0200
supersede SSLVersions option with TLSVersions
the new one isn't an exhaustive set anymore, but a delta to the default
(or previous setting). this has the advantage that new versions aren't
automatically disabled anymore as soon as mbsync learns about them if
the user has a setting they fail to adjust.
Diffstat:
4 files changed, 45 insertions(+), 5 deletions(-)
diff --git a/NEWS b/NEWS
@@ -12,6 +12,8 @@ they are flagged on the source side.
Renamed the ReNew/--renew/-N options to Upgrade/--upgrade/-u
and Delete/--delete/-d to Gone/--gone/-g.
+Superseded SSLVersions option with TLSVersions.
+
Made the Channel side to expire with MaxMessages configurable.
MaxMessages and MaxSize can be used together now.
diff --git a/src/drv_imap.c b/src/drv_imap.c
@@ -3797,8 +3797,44 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
error( "%s:%d: Invalid SSL type\n", cfg->file, cfg->line );
cfg->err = 1;
}
+ } else if (!strcasecmp( "TLSVersions", cfg->cmd )) {
+ arg = cfg->val;
+ do {
+ int or_mask = 0, and_mask = 0, val;
+ if (*arg == '+') {
+ or_mask = ~0;
+ } else if (*arg == '-') {
+ and_mask = ~0;
+ } else {
+ error( "%s:%d: TLSVersions arguments must start with +/-\n", cfg->file, cfg->line );
+ cfg->err = 1;
+ continue;
+ }
+ arg++;
+ if (!strcmp( "1.0", arg )) {
+ val = TLSv1;
+ } else if (!strcmp( "1.1", arg )) {
+ val = TLSv1_1;
+ } else if (!strcmp( "1.2", arg )) {
+ val = TLSv1_2;
+ } else if (!strcmp( "1.3", arg )) {
+ val = TLSv1_3;
+ } else {
+ error( "%s:%d: Unrecognized TLS version '%s'\n", cfg->file, cfg->line, arg );
+ cfg->err = 1;
+ continue;
+ }
+ or_mask &= val;
+ and_mask &= val;
+ server->sconf.ssl_versions = (server->sconf.ssl_versions & ~and_mask) | or_mask;
+ } while ((arg = get_arg( cfg, ARG_OPTIONAL, NULL )));
} else if (!strcasecmp( "SSLVersion", cfg->cmd ) ||
!strcasecmp( "SSLVersions", cfg->cmd )) {
+ static int sslv_warned;
+ if (!sslv_warned) {
+ sslv_warned = 1;
+ warn( "Notice: SSLVersions is deprecated. Use TLSVersions instead.\n" );
+ }
server->sconf.ssl_versions = 0;
arg = cfg->val;
do {
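Review bot: The three lines ending in the `server->sconf.ssl_versions = (server->sconf.ssl_versions & ~and_mask) | or_mask;` assignment set or clear a single version bit, but the `or_mask`/`and_mask` dance carries no comment and is easy to misread as a general mask merge; a line such as `/* '+' ORs the version bit in, '-' ANDs it out; versions not mentioned keep their current state */` above the assignment would make the delta semantics the commit message describes visible in the code. The two `continue` statements on the error paths rely on `continue` in a `do`/`while` jumping to the `get_arg` call in the loop condition, which is what advances to the next argument; that is correct but commonly misread as restarting the body, so a short comment there (`/* continue: evaluates the while condition, i.e. fetches the next argument */`) is worth adding. The deprecated `SSLVersions` branch still resets `ssl_versions` to 0 and enumerates exhaustively, so a configuration that uses both keywords is order-dependent (a later `SSLVersions` silently discards earlier `TLSVersions` deltas); if that is intended, the deprecation notice on the `warn` line could say so. The enclosing `imap_parse_store` begins and ends outside the hunk.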
diff --git a/src/mbsync.1 b/src/mbsync.1
@@ -414,10 +414,12 @@ so it is the default (unless a tunnel is used).
right after connecting the secure IMAP port 993.
.
.TP
-\fBSSLVersions\fR [\fBSSLv3\fR] [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR] [\fBTLSv1.3\fR]
-Select the acceptable SSL/TLS versions.
+\fBTLSVersions\fR {\fB+\fR|\fB-\fR}{\fB1.0\fR|\fB1.1\fR|\fB1.2\fR|\fB1.3\fR} ...
+Add/remove the specified TLS versions to/from the set of acceptable choices.
Use old versions only when the server has problems with newer ones.
-(Default: [\fBTLSv1\fR] [\fBTLSv1.1\fR] [\fBTLSv1.2\fR] [\fBTLSv1.3\fR]).
+Note that new versions are automatically enabled as soon as OpenSSL supports
+them, even if \fBmbsync\fR does not recognize them yet.
+(Default: All starting with 1.0).
.
.TP
\fBSystemCertificates\fR \fByes\fR|\fBno\fR
diff --git a/src/mbsyncrc.sample b/src/mbsyncrc.sample
@@ -36,7 +36,7 @@ Sync PullNew Push
IMAPStore personal
Host host.play.com
Port 6789
-SSLType None
+TLSType None
Channel personal
Far :personal:
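Review bot: The sample now uses `TLSType None`, but none of the four files in this commit introduce or parse a `TLSType` keyword (the drv_imap.c hunk still reports "Invalid SSL type"), and the commit message only mentions SSLVersions. If the parser already accepts `TLSType` from an earlier change this is just the sample catching up; otherwise the sample file fails to parse as shipped, so it would be worth confirming and, if needed, mentioning the rename in NEWS alongside the SSLVersions entry.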
@@ -66,7 +66,7 @@ CertificateFile ~/.st1-certificate.crt
IMAPStore st2
Host imap.another-domain.com
Path non-standard/
-SSLVersions TLSv1.3
+TLSVersions -1.2
Channel rst
Far :st1:somebox
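Review bot: `TLSVersions -1.2` is not equivalent to the `SSLVersions TLSv1.3` line it replaces: the old form accepted only TLS 1.3, while the new form subtracts 1.2 from the default, which the man page in this commit describes as all versions starting with 1.0, leaving 1.0, 1.1 and 1.3 acceptable. If the example is meant to show a store restricted to a single recent version, `TLSVersions -1.0 -1.1 -1.2` preserves that meaning; if it is only meant to demonstrate the syntax, a comment saying so would stop readers from copying a looser policy than the previous sample had.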