
Support disabling TLSv1.3

This commit is contained in:
Viktor Dukhovni 2018-08-15 01:26:54 -04:00
parent b72af0bdf1
commit 8302639a62
3 changed files with 29 additions and 9 deletions


@ -11220,8 +11220,10 @@ matches the underlying OpenSSL interface semantics.
<p> The range of protocols advertised by an SSL/TLS client must be
contiguous. When a protocol version is enabled, disabling any
higher version implicitly disables all versions above that higher
version. Thus, for example: </p>
higher version implicitly disables all versions above that higher version.
Thus, for example (assuming the OpenSSL library supports both SSLv2
and SSLv3):
</p>
<blockquote>
<pre>
smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
@ -11238,6 +11240,9 @@ disabled except by also disabling "TLSv1" (typically leaving just
versions of Postfix &ge; 2.10 can explicitly disable support for
"TLSv1.1" or "TLSv1.2". </p>
<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix &ge; 3.4,
this can be disabled, if need be, via "!TLSv1.3". </p>
<p> At the <a href="TLS_README.html#client_tls_dane">dane</a> and
<a href="TLS_README.html#client_tls_dane">dane-only</a> security
levels, when usable TLSA records are obtained for the remote SMTP
@ -11435,6 +11440,9 @@ disabled. The latest patch levels of Postfix &ge; 2.6, and all
versions of Postfix &ge; 2.10 can disable support for "TLSv1.1" or
"TLSv1.2". </p>
<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix &ge; 3.4,
this can be disabled, if need be, via "!TLSv1.3". </p>
<p> Example: </p>
<pre>
@ -12576,11 +12584,13 @@ and "TLSv1". </p>
<p> The range of protocols advertised by an SSL/TLS client must be
contiguous. When a protocol version is enabled, disabling any
higher version implicitly disables all versions above that higher
version. Thus, for example: </p>
higher version implicitly disables all versions above that higher version.
Thus, for example (assuming the OpenSSL library supports both SSLv2
and SSLv3):
</p>
<blockquote>
<pre>
smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
smtp_tls_protocols = !SSLv2, !TLSv1
</pre>
</blockquote>
<p> also disables any protocols version higher than TLSv1 leaving
@ -12591,6 +12601,9 @@ and "TLSv1.2". The latest patch levels of Postfix &ge; 2.6, and all
versions of Postfix &ge; 2.10 can explicitly disable support for
"TLSv1.1" or "TLSv1.2"</p>
<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix &ge; 3.4,
this can be disabled, if need be, via "!TLSv1.3". </p>
<p> To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 for opportunistic TLS set
"smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
@ -12623,6 +12636,9 @@ and "TLSv1.2". The latest patch levels of Postfix &ge; 2.6, and all
versions of Postfix &ge; 2.10 can disable support for "TLSv1.1" or
"TLSv1.2". </p>
<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix &ge; 3.4,
this can be disabled, if need be, via "!TLSv1.3". </p>
<p> To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 for opportunistic TLS set
"smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set


@ -377,10 +377,14 @@ extern void tls_param_init(void);
#define SSL_OP_NO_TLSv1_2 0L /* Noop */
#endif
#ifdef SSL_TXT_TLSV1_3
/*
* OpenSSL 1.1.1 does not define a TXT macro for TLS 1.3, so we roll our own.
*/
#define TLS_PROTOCOL_TXT_TLSV1_3 "TLSv1.3"
#if defined(TLS1_3_VERSION) && defined(SSL_OP_NO_TLSv1_3)
#define TLS_PROTOCOL_TLSv1_3 (1<<5) /* TLSv1_3 */
#else
#define SSL_TXT_TLSV1_3 "TLSv1.3"
#define TLS_PROTOCOL_TLSv1_3 0 /* Unknown */
#undef SSL_OP_NO_TLSv1_3
#define SSL_OP_NO_TLSv1_3 0L /* Noop */
@ -388,7 +392,7 @@ extern void tls_param_init(void);
#define TLS_KNOWN_PROTOCOLS \
( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \
| TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 )
| TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3 )
#define TLS_SSL_OP_PROTOMASK(m) \
((((m) & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L) \
| (((m) & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) \
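Review bot: TLS_KNOWN_PROTOCOLS in the second hunk now carries TLS_PROTOCOL_TLSv1_3, but the TLS_SSL_OP_PROTOMASK definition that begins right below it runs past the end of the hunk, so it is not visible whether it gained the matching `| (((m) & TLS_PROTOCOL_TLSv1_3) ? SSL_OP_NO_TLSv1_3 : 0L)` term; without that term a "!TLSv1.3" entry would be parsed and counted as a known protocol yet never be turned into an SSL_OP_NO_* bit. The fallback branch in the first hunk already redefines SSL_OP_NO_TLSv1_3 to 0L on libraries without TLS 1.3, so the extra term stays a no-op there. A one-line comment above the `#if defined(TLS1_3_VERSION) && defined(SSL_OP_NO_TLSv1_3)` test, such as `/* Both must exist: the version constant selects the bit, the option lets us clear it */`, would make clear why two macros are checked rather than one.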

View File

@ -279,7 +279,7 @@ static const NAME_CODE protocol_table[] = {
SSL_TXT_TLSV1, TLS_PROTOCOL_TLSv1,
SSL_TXT_TLSV1_1, TLS_PROTOCOL_TLSv1_1,
SSL_TXT_TLSV1_2, TLS_PROTOCOL_TLSv1_2,
SSL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3,
TLS_PROTOCOL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3,
0, TLS_PROTOCOL_INVALID,
};
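Review bot: Because the fallback branch in tls.h defines TLS_PROTOCOL_TLSv1_3 as 0 when the library lacks TLS 1.3, the new protocol_table entry makes the name "TLSv1.3" resolve to an empty bit instead of TLS_PROTOCOL_INVALID, so a configuration that lists or negates "TLSv1.3" on such a build is accepted silently rather than rejected. That presumably mirrors the existing "Unknown" handling for TLSv1.1/1.2 (the `SSL_OP_NO_TLSv1_2 0L /* Noop */` fallback is visible in the header hunk), but it is worth stating at the table: `/* 0 (accepted, inert) when OpenSSL has no TLS 1.3 */` on the TLS_PROTOCOL_TXT_TLSV1_3 line. The protocol_table initializer starts before the hunk.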