mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-09-01 14:45:32 +00:00
Code Issues Releases Wiki Activity

Support disabling TLSv1.3

Browse Source
This commit is contained in:
Viktor Dukhovni
2018-08-15 01:26:54 -04:00
parent b72af0bdf1
commit 8302639a62
3 changed files with 29 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
postfix/proto/postconf.proto
View File

@@ -11220,8 +11220,10 @@ matches the underlying OpenSSL interface semantics.
<p> The range of protocols advertised by an SSL/TLS client must be <p> The range of protocols advertised by an SSL/TLS client must be
contiguous. When a protocol version is enabled, disabling any contiguous. When a protocol version is enabled, disabling any
higher version implicitly disables all versions above that higher higher version implicitly disables all versions above that higher version.
version. Thus, for example: </p> Thus, for example (assuming the OpenSSL library supports both SSLv2
and SSLv3):
</p>
<blockquote> <blockquote>
<pre> <pre>
smtp_tls_mandatory_protocols = !SSLv2, !TLSv1 smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
@@ -11238,6 +11240,9 @@ disabled except by also disabling "TLSv1" (typically leaving just
versions of Postfix &ge; 2.10 can explicitly disable support for versions of Postfix &ge; 2.10 can explicitly disable support for
"TLSv1.1" or "TLSv1.2". </p> "TLSv1.1" or "TLSv1.2". </p>
<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix &ge; 3.4,
this can be disabled, if need be, via "!TLSv1.3". </p>
<p> At the <a href="TLS_README.html#client_tls_dane">dane</a> and <p> At the <a href="TLS_README.html#client_tls_dane">dane</a> and
<a href="TLS_README.html#client_tls_dane">dane-only</a> security <a href="TLS_README.html#client_tls_dane">dane-only</a> security
levels, when usable TLSA records are obtained for the remote SMTP levels, when usable TLSA records are obtained for the remote SMTP
@@ -11435,6 +11440,9 @@ disabled. The latest patch levels of Postfix &ge; 2.6, and all
versions of Postfix &ge; 2.10 can disable support for "TLSv1.1" or versions of Postfix &ge; 2.10 can disable support for "TLSv1.1" or
"TLSv1.2". </p> "TLSv1.2". </p>
<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix &ge; 3.4,
this can be disabled, if need be, via "!TLSv1.3". </p>
<p> Example: </p> <p> Example: </p>
<pre> <pre>
@@ -12576,11 +12584,13 @@ and "TLSv1". </p>
<p> The range of protocols advertised by an SSL/TLS client must be <p> The range of protocols advertised by an SSL/TLS client must be
contiguous. When a protocol version is enabled, disabling any contiguous. When a protocol version is enabled, disabling any
higher version implicitly disables all versions above that higher higher version implicitly disables all versions above that higher version.
version. Thus, for example: </p> Thus, for example (assuming the OpenSSL library supports both SSLv2
and SSLv3):
</p>
<blockquote> <blockquote>
<pre> <pre>
smtp_tls_mandatory_protocols = !SSLv2, !TLSv1 smtp_tls_protocols = !SSLv2, !TLSv1
</pre> </pre>
</blockquote> </blockquote>
<p> also disables any protocols version higher than TLSv1 leaving <p> also disables any protocols version higher than TLSv1 leaving
@@ -12591,6 +12601,9 @@ and "TLSv1.2". The latest patch levels of Postfix &ge; 2.6, and all
versions of Postfix &ge; 2.10 can explicitly disable support for versions of Postfix &ge; 2.10 can explicitly disable support for
"TLSv1.1" or "TLSv1.2"</p> "TLSv1.1" or "TLSv1.2"</p>
<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix &ge; 3.4,
this can be disabled, if need be, via "!TLSv1.3". </p>
<p> To include a protocol list its name, to exclude it, prefix the name <p> To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 for opportunistic TLS set with a "!" character. To exclude SSLv2 for opportunistic TLS set
"smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
@@ -12623,6 +12636,9 @@ and "TLSv1.2". The latest patch levels of Postfix &ge; 2.6, and all
versions of Postfix &ge; 2.10 can disable support for "TLSv1.1" or versions of Postfix &ge; 2.10 can disable support for "TLSv1.1" or
"TLSv1.2". </p> "TLSv1.2". </p>
<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix &ge; 3.4,
this can be disabled, if need be, via "!TLSv1.3". </p>
<p> To include a protocol list its name, to exclude it, prefix the name <p> To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 for opportunistic TLS set with a "!" character. To exclude SSLv2 for opportunistic TLS set
"smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set

10
postfix/src/tls/tls.h
View File

@@ -377,10 +377,14 @@ extern void tls_param_init(void);
#define SSL_OP_NO_TLSv1_2 0L /* Noop */ #define SSL_OP_NO_TLSv1_2 0L /* Noop */
#endif #endif
#ifdef SSL_TXT_TLSV1_3 /*
* OpenSSL 1.1.1 does not define a TXT macro for TLS 1.3, so we roll our own.
*/
#define TLS_PROTOCOL_TXT_TLSV1_3 "TLSv1.3"
#if defined(TLS1_3_VERSION) && defined(SSL_OP_NO_TLSv1_3)
#define TLS_PROTOCOL_TLSv1_3 (1<<5) /* TLSv1_3 */ #define TLS_PROTOCOL_TLSv1_3 (1<<5) /* TLSv1_3 */
#else #else
#define SSL_TXT_TLSV1_3 "TLSv1.3"
#define TLS_PROTOCOL_TLSv1_3 0 /* Unknown */ #define TLS_PROTOCOL_TLSv1_3 0 /* Unknown */
#undef SSL_OP_NO_TLSv1_3 #undef SSL_OP_NO_TLSv1_3
#define SSL_OP_NO_TLSv1_3 0L /* Noop */ #define SSL_OP_NO_TLSv1_3 0L /* Noop */
@@ -388,7 +392,7 @@ extern void tls_param_init(void);
#define TLS_KNOWN_PROTOCOLS \ #define TLS_KNOWN_PROTOCOLS \
( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \ ( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \
| TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 ) | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3 )
#define TLS_SSL_OP_PROTOMASK(m) \ #define TLS_SSL_OP_PROTOMASK(m) \
((((m) & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L) \ ((((m) & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L) \
| (((m) & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) \ | (((m) & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) \

2
postfix/src/tls/tls_misc.c
View File

@@ -279,7 +279,7 @@ static const NAME_CODE protocol_table[] = {
SSL_TXT_TLSV1, TLS_PROTOCOL_TLSv1, SSL_TXT_TLSV1, TLS_PROTOCOL_TLSv1,
SSL_TXT_TLSV1_1, TLS_PROTOCOL_TLSv1_1, SSL_TXT_TLSV1_1, TLS_PROTOCOL_TLSv1_1,
SSL_TXT_TLSV1_2, TLS_PROTOCOL_TLSv1_2, SSL_TXT_TLSV1_2, TLS_PROTOCOL_TLSv1_2,
SSL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3, TLS_PROTOCOL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3,
0, TLS_PROTOCOL_INVALID, 0, TLS_PROTOCOL_INVALID,
}; };