author | Eduardo Chappa <chappa@washington.edu> | 2018-09-29 22:59:37 -0600 |
---|---|---|
committer | Eduardo Chappa <chappa@washington.edu> | 2018-09-29 22:59:37 -0600 |
commit | 924c47dd50a7b74136b8a60e9ea8d347ff65425b (patch) | |
tree | bcbaaeb98807a7cb12bf16188c66a5ea938d0255 | |
parent | 879f42fa445aa684ffbab7d404941a9d24a4863a (diff) | |
download | alpine-924c47dd50a7b74136b8a60e9ea8d347ff65425b.tar.xz |
* Add the /tls1_3 modifier to establish connections using the TLS protocol
version 1.3.
-rwxr-xr-x | configure | 188 | ||||
-rw-r--r-- | configure.ac | 16 | ||||
-rw-r--r-- | imap/src/c-client/mail.c | 24 | ||||
-rw-r--r-- | imap/src/c-client/mail.h | 12 | ||||
-rw-r--r-- | imap/src/osdep/nt/ssl_nt.c | 73 | ||||
-rw-r--r-- | imap/src/osdep/unix/ssl_unix.c | 67 | ||||
-rw-r--r-- | include/config.h.in | 3 | ||||
-rw-r--r-- | pith/conf.c | 35 | ||||
-rw-r--r-- | pith/pine.hlp | 65 |
9 files changed, 224 insertions, 259 deletions
@@ -19355,194 +19355,6 @@ fi fi if test "x$alpine_SSLTYPE" != "xnone" ; then - if test "x$alpine_SSLVERSION" = "xold" -o "x$alpine_SSLPROVIDER" = "xlibressl" ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing TLSv1_2_client_method" >&5 -$as_echo_n "checking for library containing TLSv1_2_client_method... " >&6; } -if ${ac_cv_search_TLSv1_2_client_method+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_func_search_save_LIBS=$LIBS -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char TLSv1_2_client_method (); -int -main () -{ -return TLSv1_2_client_method (); - ; - return 0; -} -_ACEOF -for ac_lib in '' ssl; do - if test -z "$ac_lib"; then - ac_res="none required" - else - ac_res=-l$ac_lib - LIBS="-l$ac_lib $ac_func_search_save_LIBS" - fi - if ac_fn_c_try_link "$LINENO"; then : - ac_cv_search_TLSv1_2_client_method=$ac_res -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext - if ${ac_cv_search_TLSv1_2_client_method+:} false; then : - break -fi -done -if ${ac_cv_search_TLSv1_2_client_method+:} false; then : - -else - ac_cv_search_TLSv1_2_client_method=no -fi -rm conftest.$ac_ext -LIBS=$ac_func_search_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_TLSv1_2_client_method" >&5 -$as_echo "$ac_cv_search_TLSv1_2_client_method" >&6; } -ac_res=$ac_cv_search_TLSv1_2_client_method -if test "$ac_res" != no; then : - test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" - alpine_c_client_cflags="$alpine_c_client_cflags -DTLSV1_2" - -$as_echo "#define SSL_SUPPORTS_TLSV1_2 1" >>confdefs.h - - -fi - - else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing TLS_client_method" >&5 -$as_echo_n "checking for library containing 
TLS_client_method... " >&6; } -if ${ac_cv_search_TLS_client_method+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_func_search_save_LIBS=$LIBS -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char TLS_client_method (); -int -main () -{ -return TLS_client_method (); - ; - return 0; -} -_ACEOF -for ac_lib in '' ssl; do - if test -z "$ac_lib"; then - ac_res="none required" - else - ac_res=-l$ac_lib - LIBS="-l$ac_lib $ac_func_search_save_LIBS" - fi - if ac_fn_c_try_link "$LINENO"; then : - ac_cv_search_TLS_client_method=$ac_res -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext - if ${ac_cv_search_TLS_client_method+:} false; then : - break -fi -done -if ${ac_cv_search_TLS_client_method+:} false; then : - -else - ac_cv_search_TLS_client_method=no -fi -rm conftest.$ac_ext -LIBS=$ac_func_search_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_TLS_client_method" >&5 -$as_echo "$ac_cv_search_TLS_client_method" >&6; } -ac_res=$ac_cv_search_TLS_client_method -if test "$ac_res" != no; then : - test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" - -else - alpine_SSLTYPE="none" -fi - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing DTLS_client_method" >&5 -$as_echo_n "checking for library containing DTLS_client_method... " >&6; } -if ${ac_cv_search_DTLS_client_method+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_func_search_save_LIBS=$LIBS -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. 
*/ -#ifdef __cplusplus -extern "C" -#endif -char DTLS_client_method (); -int -main () -{ -return DTLS_client_method (); - ; - return 0; -} -_ACEOF -for ac_lib in '' ssl; do - if test -z "$ac_lib"; then - ac_res="none required" - else - ac_res=-l$ac_lib - LIBS="-l$ac_lib $ac_func_search_save_LIBS" - fi - if ac_fn_c_try_link "$LINENO"; then : - ac_cv_search_DTLS_client_method=$ac_res -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext - if ${ac_cv_search_DTLS_client_method+:} false; then : - break -fi -done -if ${ac_cv_search_DTLS_client_method+:} false; then : - -else - ac_cv_search_DTLS_client_method=no -fi -rm conftest.$ac_ext -LIBS=$ac_func_search_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_DTLS_client_method" >&5 -$as_echo "$ac_cv_search_DTLS_client_method" >&6; } -ac_res=$ac_cv_search_DTLS_client_method -if test "$ac_res" != no; then : - test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" - -else - alpine_SSLTYPE="none" -fi - - if test "x$alpine_SSLTYPE" != "xnone" ; then - alpine_c_client_cflags="$alpine_c_client_cflags -DTLSV1_2" - -$as_echo "#define SSL_SUPPORTS_TLSV1_2 1" >>confdefs.h - - fi - fi -fi - -if test "x$alpine_SSLTYPE" != "xnone" ; then if test "x$alpine_SSLVERSION" = "xold" -o "x$alpine_SSLPROVIDER" = "xlibressl" ; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing SSL_library_init" >&5 $as_echo_n "checking for library containing SSL_library_init... " >&6; } diff --git a/configure.ac b/configure.ac index 92a584d3..e9f1e855 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1497,22 +1497,6 @@ if test "x$alpine_SSLTYPE" != "xnone" ; then esac fi -if test "x$alpine_SSLTYPE" != "xnone" ; then - if test "x$alpine_SSLVERSION" = "xold" -o "x$alpine_SSLPROVIDER" = "xlibressl" ; then - AC_SEARCH_LIBS(TLSv1_2_client_method,ssl, - [ alpine_c_client_cflags="$alpine_c_client_cflags -DTLSV1_2" - AC_DEFINE([SSL_SUPPORTS_TLSV1_2], [1], [SSL Supports TLSV1.2]) - ]) - else - AC_SEARCH_LIBS(TLS_client_method,ssl,, [ alpine_SSLTYPE="none"]) - AC_SEARCH_LIBS(DTLS_client_method,ssl,,[ alpine_SSLTYPE="none"]) - if test "x$alpine_SSLTYPE" != "xnone" ; then - alpine_c_client_cflags="$alpine_c_client_cflags -DTLSV1_2" - AC_DEFINE([SSL_SUPPORTS_TLSV1_2], [1], [SSL Supports TLSV1.2]) - fi - fi -fi - dnl provide SSL support? if test "x$alpine_SSLTYPE" != "xnone" ; then if test "x$alpine_SSLVERSION" = "xold" -o "x$alpine_SSLPROVIDER" = "xlibressl" ; then diff --git a/imap/src/c-client/mail.c b/imap/src/c-client/mail.c index 43db47aa..8ac8ba63 100644 --- a/imap/src/c-client/mail.c +++ b/imap/src/c-client/mail.c 
@@ -827,19 +827,29 @@ long mail_valid_net_parse_work (char *name,NETMBX *mb,char *service) else if (mailssldriver && !compare_cstring (s,"ssl") && !mb->tlsflag) mb->sslflag = mb->notlsflag = T; else if (!compare_cstring(s, "tls1") - && !mb->tls1_1 && !mb->tls1_2 && !mb->dtls1) + && !mb->tls1_1 && !mb->tls1_2 && !mb->tls1_3 + && !mb->dtls1 && !mb->dtls1_2) mb->sslflag = mb->notlsflag = mb->tls1 = T; -#ifdef TLSV1_2 else if (!compare_cstring(s, "tls1_1") - && !mb->tls1 && !mb->tls1_2 && !mb->dtls1) + && !mb->tls1 && !mb->tls1_2 && !mb->tls1_3 + && !mb->dtls1 && !mb->dtls1_2) mb->sslflag = mb->notlsflag = mb->tls1_1 = T; else if (!compare_cstring(s, "tls1_2") - && !mb->tls1 && !mb->tls1_1 && !mb->dtls1) + && !mb->tls1 && !mb->tls1_1 && !mb->tls1_3 + && !mb->dtls1 && !mb->dtls1_2) mb->sslflag = mb->notlsflag = mb->tls1_2 = T; -#endif + else if (!compare_cstring(s, "tls1_3") + && !mb->tls1 && !mb->tls1_1 && !mb->tls1_2 + && !mb->dtls1 && !mb->dtls1_2) + mb->sslflag = mb->notlsflag = mb->tls1_3 = T; else if (!compare_cstring(s, "dtls1") - && !mb->tls1 && !mb->tls1_1 && !mb->tls1_2) + && !mb->tls1 && !mb->tls1_1 && !mb->tls1_2 + && !mb->tls1_3 && !mb->dtls1_2) mb->sslflag = mb->notlsflag = mb->dtls1 = T; + else if (!compare_cstring(s, "dtls1_2") + && !mb->tls1 && !mb->tls1_1 && !mb->tls1_2 + && !mb->tls1_3 && !mb->dtls1) + mb->sslflag = mb->notlsflag = mb->dtls1_2 = T; else if (mailssldriver && !compare_cstring (s,"novalidate-cert")) mb->novalidate = T; /* hack for compatibility with the past */ @@ -6220,7 +6230,9 @@ NETSTREAM *net_open (NETMBX *mb,NETDRIVER *dv,unsigned long port, flags |= mb->tls1 || mb->tlsflag ? NET_TRYTLS1 : 0; flags |= mb->tls1_1 ? NET_TRYTLS1_1 : 0; flags |= mb->tls1_2 ? NET_TRYTLS1_2 : 0; + flags |= mb->tls1_3 ? NET_TRYTLS1_3 : 0; flags |= mb->dtls1 ? NET_TRYDTLS1 : 0; + flags |= mb->dtls1_2 ? NET_TRYDTLS1_2 : 0; if (strlen (mb->host) >= NETMAXHOST) { sprintf (tmp,"Invalid host name: %.80s",mb->host); MM_LOG (tmp,ERROR); 
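Review bot: The new `tls1_3` and `dtls1_2` branches (and the `tls1_1`/`tls1_2` branches that the removal of `#ifdef TLSV1_2` now compiles unconditionally) accept the modifier without the `mailssldriver` test that the sibling `ssl` and `novalidate-cert` branches in the same chain apply, so on a build with no SSL driver the modifier still sets `mb->sslflag` and the failure presumably surfaces later in net_open rather than as a parse error. Adding the same guard, e.g. `else if (mailssldriver && !compare_cstring(s, "tls1_3")`, keeps the chain consistent; whether the older `tls1` branch was deliberately left unguarded is not visible here. The six-way mutual-exclusion list is now copied into every branch and will have to be edited again for the next protocol, so a small helper or macro that tests all of `mb->tls1 … mb->dtls1_2` at once would make omissions harder. mail_valid_net_parse_work begins and ends outside this hunk.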
diff --git a/imap/src/c-client/mail.h b/imap/src/c-client/mail.h index fc3f3862..e5755e54 100644 --- a/imap/src/c-client/mail.h +++ b/imap/src/c-client/mail.h @@ -442,13 +442,17 @@ /* try SSL mode */ #define NET_TRYSSL ((unsigned long) 0x8000000) /* try TLS1 mode */ -#define NET_TRYTLS1 ((unsigned long) 0x1000000) +#define NET_TRYTLS1 ((unsigned long) 0x4000000) /* try TLS1_1 mode */ #define NET_TRYTLS1_1 ((unsigned long) 0x2000000) /* try TLS1_2 mode */ -#define NET_TRYTLS1_2 ((unsigned long) 0x4000000) +#define NET_TRYTLS1_2 ((unsigned long) 0x1000000) + /* try TLS1_3 mode */ +#define NET_TRYTLS1_3 ((unsigned long) 0x800000) /* try DTLS1 mode */ -#define NET_TRYDTLS1 ((unsigned long) 0x8000000) +#define NET_TRYDTLS1 ((unsigned long) 0x400000) + /* try DTLS1_2 mode */ +#define NET_TRYDTLS1_2 ((unsigned long) 0x200000) /* Close options */ @@ -691,7 +695,9 @@ typedef struct net_mailbox { unsigned int tls1 : 1; /* Use TLSv1 */ unsigned int tls1_1 : 1; /* Use TLSv1.1 */ unsigned int tls1_2 : 1; /* Use TLSV1.2 */ + unsigned int tls1_3 : 1; /* Use TLSV1.3 */ unsigned int dtls1 : 1; /* Use DTLSv1 */ + unsigned int dtls1_2 : 1; /* Use DTLSv1.2 */ unsigned int trysslflag : 1; /* try SSL driver first flag */ unsigned int novalidate : 1; /* don't validate certificates */ unsigned int tlsflag : 1; /* TLS flag */ diff --git a/imap/src/osdep/nt/ssl_nt.c b/imap/src/osdep/nt/ssl_nt.c index d352980e..b4d7e1d2 100644 --- a/imap/src/osdep/nt/ssl_nt.c +++ b/imap/src/osdep/nt/ssl_nt.c 
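Review bot: The renumbering quietly fixes a real collision — the removed `NET_TRYDTLS1` value `0x8000000` was the same bit as `NET_TRYSSL` in the context line just above it — but nothing in the hunk records that, and the new `NET_TRYTLS1_3`/`NET_TRYDTLS1`/`NET_TRYDTLS1_2` values (`0x800000`, `0x400000`, `0x200000`) move downward toward the other `NET_*` open options defined outside this hunk; since net_open ORs all of these into one `flags` word, please check the new values against the full option list. A comment such as `/* NET_TRY* protocol bits: each must be unique and must not overlap NET_TRYSSL or any other NET_ option */` would preserve the reason for the change. Swapping the values of `NET_TRYTLS1` and `NET_TRYTLS1_2` also changes exported constants with no functional need visible here; if nothing depends on the old values that is harmless, otherwise keep them and assign fresh bits only to the new flags.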
@@ -37,15 +37,30 @@ #ifdef OPENSSL_1_1_0 #include <rsa.h> #include <bn.h> +#ifdef TLSv1_client_method +#undef TLSv1_client_method +#endif /* TLSv1_client_method */ #ifdef TLSv1_1_client_method -#undef TLSv1_1_client_method +#undef TLSv1_1_client_method #endif /* TLSv1_1_client_method */ #ifdef TLSv1_2_client_method #undef TLSv1_2_client_method #endif /* TLSv1_2_client_method */ +#ifdef DTLSv1_client_method +#undef DTLSv1_client_method +#endif /* DTLSv1_client_method */ +#ifdef DTLSv1_2_client_method +#undef DTLSv1_2_client_method +#endif /* DTLSv1_2_client_method */ +#define TLSv1_client_method TLS_client_method #define TLSv1_1_client_method TLS_client_method #define TLSv1_2_client_method TLS_client_method -#endif /* OPENSSL_1_1_0 */ +#define DTLSv1_client_method DTLS_client_method +#define DTLSv1_2_client_method DTLS_client_method +#endif /* OPENSSL_1_1_0 */ +#ifndef DTLSv1_2_client_method +#define DTLSv1_2_client_method DTLSv1_client_method +#endif /* DTLSv1_2_client_method */ #undef STRING #undef crypt 
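Review bot: Under `OPENSSL_1_1_0` the block now maps every version-specific name, including the newly added `TLSv1_client_method` and `DTLSv1_client_method`, onto the version-flexible `TLS_client_method`/`DTLS_client_method`, so on 1.1.x builds a `/tls1_2` or `/tls1_3` request yields a method that will still negotiate down to TLS 1.0 if the server offers nothing better; the help text added in this commit says as much, but the code should enforce a floor rather than document its absence. With OpenSSL 1.1.0+ that is done on the context, e.g. `SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION)` under `#ifdef TLS1_3_VERSION`, which belongs where the `SSL_CTX` is created, outside this hunk. The trailing `#ifndef DTLSv1_2_client_method` fallback silently turns a `/dtls1_2` request into `DTLSv1_client_method` on libraries without DTLS 1.2; a comment stating that, or a `#warning`, would spare the next reader the surprise.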
@@ -187,26 +202,44 @@ SSLSTREAM *ssl_aopen (NETMBX *mb,char *service,char *usrbuf) */ const SSL_METHOD *ssl_connect_mthd(int flag) { -#ifdef OPENSSL_1_1_0 - if(flag & NET_TRYTLS1) - return TLS_client_method(); + if (flag & NET_TRYTLS1) +#ifndef OPENSSL_NO_TLS1_METHOD + return TLSv1_client_method(); #else - if(flag & NET_TRYTLS1) - return TLSv1_client_method(); -#endif /* OPENSSL_1_1_0 */ -#ifdef TLSV1_2 - else if(flag & NET_TRYTLS1_1) - return TLSv1_1_client_method(); - else if(flag & NET_TRYTLS1_2) - return TLSv1_2_client_method(); -#endif /* TLSV1_2 */ -#ifdef OPENSSL_1_1_0 - else if(flag & NET_TRYDTLS1) - return DTLS_client_method(); + return TLS_client_method(); +#endif /* OPENSSL_NO_TLS1_METHOD */ + + else if(flag & NET_TRYTLS1_1) +#ifndef OPENSSL_NO_TLS1_1_METHOD + return TLSv1_1_client_method(); #else - else if(flag & NET_TRYDTLS1) - return DTLSv1_client_method(); -#endif /* OPENSSL_1_1_0 */ + return TLS_client_method(); +#endif /* OPENSSL_NO_TLS1_1_METHOD */ + + else if(flag & NET_TRYTLS1_2) +#ifndef OPENSSL_NO_TLS1_2_METHOD + return TLSv1_2_client_method(); +#else + return TLS_client_method(); +#endif /* OPENSSL_NO_TLS1_2_METHOD */ + + else if(flag & NET_TRYTLS1_3) + return TLS_client_method(); + + else if(flag & NET_TRYDTLS1) +#ifndef OPENSSL_NO_DTLS1_METHOD + return DTLSv1_client_method(); +#else + return DTLS_client_method(); +#endif /* OPENSSL_NO_DTLS1_METHOD */ + + else if(flag & NET_TRYDTLS1_2) +#ifndef OPENSSL_NO_DTLS1_METHOD + return DTLSv1_2_client_method(); +#else + return DTLS_client_method(); +#endif /* OPENSSL_NO_DTLS1_METHOD */ + else return SSLv23_client_method(); } diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c index 4c4d6ef8..ffd37775 100644 --- a/imap/src/osdep/unix/ssl_unix.c +++ b/imap/src/osdep/unix/ssl_unix.c 
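Review bot: The `NET_TRYDTLS1_2` branch is guarded by `OPENSSL_NO_DTLS1_METHOD`, but OpenSSL gates `DTLSv1_2_client_method()` with `OPENSSL_NO_DTLS1_2_METHOD`; the preamble's `#define` masks this on 1.1.x builds, yet the guard is still the wrong symbol and should read `#ifndef OPENSSL_NO_DTLS1_2_METHOD`. The `NET_TRYTLS1_3` branch and every `#else` fallback return `TLS_client_method()`, which negotiates any enabled version, so none of the version modifiers sets a minimum unless the caller that builds the `SSL_CTX` (outside this hunk) adds `SSL_CTX_set_min_proto_version()`; as written `/tls1_3` is indistinguishable from `/ssl`. Note also that net_open sets `NET_TRYTLS1` for plain `/tls` as well, so on pre-1.1.0 libraries where `OPENSSL_NO_TLS1_METHOD` is not defined STARTTLS sessions are pinned to exactly TLS 1.0 by `TLSv1_client_method()` — pre-existing, but this rewrite is the natural place to return the flexible method for `NET_TRYTLS1` and express exact-version pins through min/max version instead.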
@@ -36,15 +36,30 @@ #ifdef OPENSSL_1_1_0 #include <rsa.h> #include <bn.h> +#ifdef TLSv1_client_method +#undef TLSv1_client_method +#endif /* TLSv1_client_method */ #ifdef TLSv1_1_client_method #undef TLSv1_1_client_method #endif /* TLSv1_1_client_method */ #ifdef TLSv1_2_client_method #undef TLSv1_2_client_method #endif /* TLSv1_2_client_method */ +#ifdef DTLSv1_client_method +#undef DTLSv1_client_method +#endif /* DTLSv1_client_method */ +#ifdef DTLSv1_2_client_method +#undef DTLSv1_2_client_method +#endif /* DTLSv1_2_client_method */ +#define TLSv1_client_method TLS_client_method #define TLSv1_1_client_method TLS_client_method #define TLSv1_2_client_method TLS_client_method +#define DTLSv1_client_method DTLS_client_method +#define DTLSv1_2_client_method DTLS_client_method #endif /* OPENSSL_1_1_0 */ +#ifndef DTLSv1_2_client_method +#define DTLSv1_2_client_method DTLSv1_client_method +#endif /* DTLSv1_2_client_method */ #undef STRING #undef crypt 
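Review bot: Same concern as the Windows copy: once `OPENSSL_1_1_0` is defined, `TLSv1_client_method`, `TLSv1_1_client_method`, `TLSv1_2_client_method`, `DTLSv1_client_method` and `DTLSv1_2_client_method` all become the version-flexible `TLS_client_method`/`DTLS_client_method`, so the `#ifndef OPENSSL_NO_*_METHOD` tests in ssl_connect_mthd never produce a pinned method on 1.1.x builds and a `/tls1_3` request can still end in a TLS 1.0 session. If the intent is "at least this version", honour it with `SSL_CTX_set_min_proto_version()` where the context is created (outside this hunk); if the intent is "exactly this version", pair it with `SSL_CTX_set_max_proto_version()`. The final `#ifndef DTLSv1_2_client_method` fallback downgrades `/dtls1_2` to DTLS 1.0 without telling anyone; at minimum add `/* no DTLS 1.2 in this library: /dtls1_2 falls back to DTLS 1.0 */` beside it. Since ssl_nt.c and ssl_unix.c now carry identical preambles, a shared header would keep them from drifting.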
@@ -186,26 +201,44 @@ SSLSTREAM *ssl_aopen (NETMBX *mb,char *service,char *usrbuf) */ const SSL_METHOD *ssl_connect_mthd(int flag) { -#ifdef OPENSSL_1_1_0 - if(flag & NET_TRYTLS1) - return TLS_client_method(); + if (flag & NET_TRYTLS1) +#ifndef OPENSSL_NO_TLS1_METHOD + return TLSv1_client_method(); #else - if(flag & NET_TRYTLS1) - return TLSv1_client_method(); -#endif /* OPENSSL_1_1_0 */ -#ifdef TLSV1_2 - else if(flag & NET_TRYTLS1_1) - return TLSv1_1_client_method(); - else if(flag & NET_TRYTLS1_2) - return TLSv1_2_client_method(); -#endif /* TLSV1_2 */ -#ifdef OPENSSL_1_1_0 - else if(flag & NET_TRYDTLS1) - return DTLS_client_method(); + return TLS_client_method(); +#endif /* OPENSSL_NO_TLS1_METHOD */ + + else if(flag & NET_TRYTLS1_1) +#ifndef OPENSSL_NO_TLS1_1_METHOD + return TLSv1_1_client_method(); +#else + return TLS_client_method(); +#endif /* OPENSSL_NO_TLS1_1_METHOD */ + + else if(flag & NET_TRYTLS1_2) +#ifndef OPENSSL_NO_TLS1_2_METHOD + return TLSv1_2_client_method(); #else + return TLS_client_method(); +#endif /* OPENSSL_NO_TLS1_2_METHOD */ + + else if(flag & NET_TRYTLS1_3) + return TLS_client_method(); + else if(flag & NET_TRYDTLS1) - return DTLSv1_client_method(); -#endif /* OPENSSL_1_1_0 */ +#ifndef OPENSSL_NO_DTLS1_METHOD + return DTLSv1_client_method(); +#else + return DTLS_client_method(); +#endif /* OPENSSL_NO_DTLS1_METHOD */ + + else if(flag & NET_TRYDTLS1_2) +#ifndef OPENSSL_NO_DTLS1_METHOD + return DTLSv1_2_client_method(); +#else + return DTLS_client_method(); +#endif /* OPENSSL_NO_DTLS1_METHOD */ + else return SSLv23_client_method(); } diff --git a/include/config.h.in b/include/config.h.in index 56c9160f..0779f336 100644 --- a/include/config.h.in +++ b/include/config.h.in @@ -590,9 +590,6 @@ /* Simple spell checker: reads stdin, emits misspellings on stdout */ #undef SPELLER -/* SSL Supports TLSV1.2 */ -#undef SSL_SUPPORTS_TLSV1_2 - /* Define to 1 if the `S_IS*' macros in <sys/stat.h> do not work properly. */ #undef STAT_MACROS_BROKEN 
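Review bot: The `NET_TRYDTLS1_2` branch reuses `OPENSSL_NO_DTLS1_METHOD` as its guard although the symbol OpenSSL uses for `DTLSv1_2_client_method()` is `OPENSSL_NO_DTLS1_2_METHOD`; change it to `#ifndef OPENSSL_NO_DTLS1_2_METHOD` so the branch tracks the right feature. More importantly, `NET_TRYTLS1_3` simply returns `TLS_client_method()` and every `#else` branch does the same, so the version modifiers select nothing stricter than `/ssl` unless the `SSL_CTX` owner (outside this hunk) calls `SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION)` under `#ifdef TLS1_3_VERSION`; without that a user who typed `/tls1_3` for a reason gets no protection against negotiating down. The function's final `SSLv23_client_method()` default is unchanged and is itself the flexible method on modern libraries, so a one-line comment above the chain explaining that the per-version branches only matter on pre-1.1.0 builds would help whoever maintains this next.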
diff --git a/pith/conf.c b/pith/conf.c index 0085e955..607c9f82 100644 --- a/pith/conf.c +++ b/pith/conf.c @@ -52,6 +52,7 @@ static char rcsid[] = "$Id: conf.c 1266 2009-07-14 18:39:12Z hubert@u.washington #include "../pico/osdep/mswin.h" #endif +#include <openssl/ssl.h> #define TO_BAIL_THRESHOLD 60 @@ -8147,8 +8148,8 @@ get_supported_options(void) DRIVER *d; AUTHENTICATOR *a; char *title = _("Supported features in this Alpine"); - char sbuf[MAX_SCREEN_COLS+1]; - int cnt, alcnt, len, cols, disabled, any_disabled = 0;; + char sbuf[MAX_SCREEN_COLS+1], tmp[128]; + int cnt, alcnt, len, cols, disabled, any_disabled = 0, i; /* * Line count: @@ -8190,10 +8191,32 @@ get_supported_options(void) config[cnt] = cpystr(_(" TLS and SSL")); else config[cnt] = cpystr(_(" None (no TLS or SSL)")); -#ifdef SSL_SUPPORTS_TLSV1_2 - if(++cnt < alcnt) - config[cnt] = cpystr(" TLSv1.1, TLSv1.2, and DTLSv1"); -#endif + + tmp[0] = tmp[1] = ' '; + tmp[2] = '\0'; +#ifndef OPENSSL_NO_TLS1_METHOD + strcat(tmp, "TLSv1, "); +#endif /* OPENSSL_NO_TLS1_METHOD */ +#ifdef TLS1_1_VERSION + strcat(tmp, "TLSv1.1, "); +#endif /* TLS1_1_VERSION */ +#ifdef TLS1_2_VERSION + strcat(tmp, "TLSv1.2. "); +#endif /* TLS1_2_VERSION */ +#ifdef TLS1_3_VERSION + strcat(tmp, "TLSv1.3, "); +#endif /* TLS1_3_VERSION */ +#ifdef DTLS1_VERSION + strcat(tmp, "DTLSv1, "); +#endif /* DTLS1_VERSION */ +#ifdef DTLS1_2_VERSION + strcat(tmp, "DTLSv1.2, "); +#endif /* DTLS1_2_VERSION */ + if(tmp[2] != '\0'){ + tmp[strlen(tmp)-2] = '\0'; + if(++cnt < alcnt) + config[cnt] = cpystr(tmp); + } #ifdef SMIME if(++cnt < alcnt) config[cnt] = cpystr(" S/MIME"); diff --git a/pith/pine.hlp b/pith/pine.hlp index 074558fe..4f6ce153 100644 --- a/pith/pine.hlp +++ b/pith/pine.hlp 
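Review bot: `#include <openssl/ssl.h>` is added to pith/conf.c with no guard, while configure.ac in this same commit still allows `alpine_SSLTYPE` to be `none`, so a build without OpenSSL headers will now fail to compile this file even though the feature lines it feeds are optional. Wrap it in whatever compile-time SSL symbol pith already uses for optional SSL code (not visible in this hunk), e.g. `#ifdef <ssl-guard>` / `#include <openssl/ssl.h>` / `#endif`, and guard the `TLS1_*_VERSION`-based list further down the same way.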
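Review bot: `strcat(tmp, "TLSv1.2. ");` ends with a period where every other entry ends with `, `, so the feature line renders as `TLSv1.2. TLSv1.3` and the trailing `tmp[strlen(tmp)-2] = '\0'` strips `. ` instead of `, ` whenever TLSv1.2 is the last entry; change it to `strcat(tmp, "TLSv1.2, ");`. The entries are keyed on `TLS1_x_VERSION`/`DTLS1_x_VERSION`, which the headers define whenever they know the version number, while the TLSv1 entry checks `OPENSSL_NO_TLS1_METHOD`; the result can advertise versions the library was built without, so either key every entry on the corresponding `OPENSSL_NO_*` symbol or say in a comment that this lists what the headers declare, not what will be negotiated. The fixed `tmp[128]` is safe for these six literal strings (well under 64 bytes in total), but a `snprintf` with a tracked offset would make that bound explicit. get_supported_options begins and ends outside this hunk.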
@@ -185,6 +185,9 @@ Additions include: <LI> NTLM authentication support with the ntlm library, in Unix systems. Based on code provided by Maciej W. Rozycki. +<LI> Add /tls1_3 flag for servers that support it. Read more information +in the secure protocols <A HREF="h_network_encryption_security">help</A>. + <LI> Add -dict option to PC-Pico, which allows users to choose a dictionary when spelling. Sample usage: -dict "en_US, de_DE, fr_FR". 
@@ -1373,6 +1376,42 @@ a new key. <End of help> </BODY> </HTML> +====== h_network_encryption_security ====== +<HTML> +<HEAD> +<TITLE>Network Encryption Security Explained</TITLE> +</HEAD> +<BODY> +<H1>Network Encryption Security Explained</H1> + +You can specify which encryption protocol you would like to try when +creating a secure connection to a server. Alpine will attempt to use +that encryption protocol, but in practice the protocol being used will +default to the most secure protocol that both Alpine and the server +support. + +<P> If you use the latest version of OpenSSL, the /ssl modifier to the +server definition will use the most secure version of the TLS encryption +protocol. The same will be true if you try /tls1_1 or /tls1_2, but in an +old version of OpenSSL (pre 1.1.0 series) /tls1_1 might mean to use +version 1.1 of the TLS protocol. + +<P> You will never go wrong by using the /ssl modifier. At the time of +this writing OpenSSL had released version 1.1.1, with support for +TLS version 1.3. If your version of OpenSSL does not support this version +of the TLS protocol, then the /tls1_3 modifier will only mean to use +the most secure version of the TLS protocol that OpenSSL and the +server can negotiate. In future versions of OpenSSL, /tls1_3 might mean +to try to negotiate a higher version of the TLS protocol. + +<P> In order to avoid confusion, the /ssl flag is the best way to guarantee +the highest encryption protocol available, and it is the recommended +modifier to the server definition to create a secure encrypted connection. + +<P> +<End of help> +</BODY> +</HTML> ====== h_tls_failure_details ====== <HTML> <HEAD> 
@@ -20671,6 +20710,19 @@ Alpine must be linked with an SSL library for this option to be operational. </DD> +<DT>DTLS1_2</DT> +<DD> +This parameter indicates that the connection to the server will be made +over the SSL port, but using the DTLSv1.2 protocol, instead of the usual +SSLv3 or SSLv2 protocols. +Alpine must be linked with an SSL library for this option to be operational. + +<P> +<CENTER><SAMP>/dtls1_2</SAMP></CENTER> +<P> + +</DD> + <DT>TLS1_1</DT> <DD> This parameter indicates that the connection to the server will be made @@ -20697,6 +20749,19 @@ Alpine must be linked with an SSL library for this option to be operational. </DD> +<DT>TLS1_3</DT> +<DD> +This parameter indicates that the connection to the server will be made +over the SSL port, but using the TLSv1.3 protocol, instead of the usual +SSLv3 or SSLv2 protocols. +Alpine must be linked with an SSL library for this option to be operational. + +<P> +<CENTER><SAMP>/tls1_2</SAMP></CENTER> +<P> + +</DD> + <DT>NoValidate-Cert</DT> <DD>Do not validate certificates (for TLS or SSL connections) from the server. |