authorEduardo Chappa <chappa@washington.edu>2018-09-29 22:59:37 -0600
committerEduardo Chappa <chappa@washington.edu>2018-09-29 22:59:37 -0600
commit924c47dd50a7b74136b8a60e9ea8d347ff65425b (patch)
treebcbaaeb98807a7cb12bf16188c66a5ea938d0255
parent879f42fa445aa684ffbab7d404941a9d24a4863a (diff)
downloadalpine-924c47dd50a7b74136b8a60e9ea8d347ff65425b.tar.xz
* Add the /tls1_3 modifier to establish connections that use the TLS protocol
version 1.3.
-rwxr-xr-xconfigure188
-rw-r--r--configure.ac16
-rw-r--r--imap/src/c-client/mail.c24
-rw-r--r--imap/src/c-client/mail.h12
-rw-r--r--imap/src/osdep/nt/ssl_nt.c73
-rw-r--r--imap/src/osdep/unix/ssl_unix.c67
-rw-r--r--include/config.h.in3
-rw-r--r--pith/conf.c35
-rw-r--r--pith/pine.hlp65
9 files changed, 224 insertions, 259 deletions
diff --git a/configure b/configure
index c32f559f..45c34714 100755
--- a/configure
+++ b/configure
@@ -19355,194 +19355,6 @@ fi
fi
if test "x$alpine_SSLTYPE" != "xnone" ; then
- if test "x$alpine_SSLVERSION" = "xold" -o "x$alpine_SSLPROVIDER" = "xlibressl" ; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing TLSv1_2_client_method" >&5
-$as_echo_n "checking for library containing TLSv1_2_client_method... " >&6; }
-if ${ac_cv_search_TLSv1_2_client_method+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char TLSv1_2_client_method ();
-int
-main ()
-{
-return TLSv1_2_client_method ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' ssl; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_TLSv1_2_client_method=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_TLSv1_2_client_method+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_TLSv1_2_client_method+:} false; then :
-
-else
- ac_cv_search_TLSv1_2_client_method=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_TLSv1_2_client_method" >&5
-$as_echo "$ac_cv_search_TLSv1_2_client_method" >&6; }
-ac_res=$ac_cv_search_TLSv1_2_client_method
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
- alpine_c_client_cflags="$alpine_c_client_cflags -DTLSV1_2"
-
-$as_echo "#define SSL_SUPPORTS_TLSV1_2 1" >>confdefs.h
-
-
-fi
-
- else
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing TLS_client_method" >&5
-$as_echo_n "checking for library containing TLS_client_method... " >&6; }
-if ${ac_cv_search_TLS_client_method+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char TLS_client_method ();
-int
-main ()
-{
-return TLS_client_method ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' ssl; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_TLS_client_method=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_TLS_client_method+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_TLS_client_method+:} false; then :
-
-else
- ac_cv_search_TLS_client_method=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_TLS_client_method" >&5
-$as_echo "$ac_cv_search_TLS_client_method" >&6; }
-ac_res=$ac_cv_search_TLS_client_method
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-else
- alpine_SSLTYPE="none"
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing DTLS_client_method" >&5
-$as_echo_n "checking for library containing DTLS_client_method... " >&6; }
-if ${ac_cv_search_DTLS_client_method+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char DTLS_client_method ();
-int
-main ()
-{
-return DTLS_client_method ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' ssl; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_DTLS_client_method=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_DTLS_client_method+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_DTLS_client_method+:} false; then :
-
-else
- ac_cv_search_DTLS_client_method=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_DTLS_client_method" >&5
-$as_echo "$ac_cv_search_DTLS_client_method" >&6; }
-ac_res=$ac_cv_search_DTLS_client_method
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-else
- alpine_SSLTYPE="none"
-fi
-
- if test "x$alpine_SSLTYPE" != "xnone" ; then
- alpine_c_client_cflags="$alpine_c_client_cflags -DTLSV1_2"
-
-$as_echo "#define SSL_SUPPORTS_TLSV1_2 1" >>confdefs.h
-
- fi
- fi
-fi
-
-if test "x$alpine_SSLTYPE" != "xnone" ; then
if test "x$alpine_SSLVERSION" = "xold" -o "x$alpine_SSLPROVIDER" = "xlibressl" ; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing SSL_library_init" >&5
$as_echo_n "checking for library containing SSL_library_init... " >&6; }
diff --git a/configure.ac b/configure.ac
index 92a584d3..e9f1e855 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1497,22 +1497,6 @@ if test "x$alpine_SSLTYPE" != "xnone" ; then
esac
fi
-if test "x$alpine_SSLTYPE" != "xnone" ; then
- if test "x$alpine_SSLVERSION" = "xold" -o "x$alpine_SSLPROVIDER" = "xlibressl" ; then
- AC_SEARCH_LIBS(TLSv1_2_client_method,ssl,
- [ alpine_c_client_cflags="$alpine_c_client_cflags -DTLSV1_2"
- AC_DEFINE([SSL_SUPPORTS_TLSV1_2], [1], [SSL Supports TLSV1.2])
- ])
- else
- AC_SEARCH_LIBS(TLS_client_method,ssl,, [ alpine_SSLTYPE="none"])
- AC_SEARCH_LIBS(DTLS_client_method,ssl,,[ alpine_SSLTYPE="none"])
- if test "x$alpine_SSLTYPE" != "xnone" ; then
- alpine_c_client_cflags="$alpine_c_client_cflags -DTLSV1_2"
- AC_DEFINE([SSL_SUPPORTS_TLSV1_2], [1], [SSL Supports TLSV1.2])
- fi
- fi
-fi
-
dnl provide SSL support?
if test "x$alpine_SSLTYPE" != "xnone" ; then
if test "x$alpine_SSLVERSION" = "xold" -o "x$alpine_SSLPROVIDER" = "xlibressl" ; then
diff --git a/imap/src/c-client/mail.c b/imap/src/c-client/mail.c
index 43db47aa..8ac8ba63 100644
--- a/imap/src/c-client/mail.c
+++ b/imap/src/c-client/mail.c
@@ -827,19 +827,29 @@ long mail_valid_net_parse_work (char *name,NETMBX *mb,char *service)
else if (mailssldriver && !compare_cstring (s,"ssl") && !mb->tlsflag)
mb->sslflag = mb->notlsflag = T;
else if (!compare_cstring(s, "tls1")
- && !mb->tls1_1 && !mb->tls1_2 && !mb->dtls1)
+ && !mb->tls1_1 && !mb->tls1_2 && !mb->tls1_3
+ && !mb->dtls1 && !mb->dtls1_2)
mb->sslflag = mb->notlsflag = mb->tls1 = T;
-#ifdef TLSV1_2
else if (!compare_cstring(s, "tls1_1")
- && !mb->tls1 && !mb->tls1_2 && !mb->dtls1)
+ && !mb->tls1 && !mb->tls1_2 && !mb->tls1_3
+ && !mb->dtls1 && !mb->dtls1_2)
mb->sslflag = mb->notlsflag = mb->tls1_1 = T;
else if (!compare_cstring(s, "tls1_2")
- && !mb->tls1 && !mb->tls1_1 && !mb->dtls1)
+ && !mb->tls1 && !mb->tls1_1 && !mb->tls1_3
+ && !mb->dtls1 && !mb->dtls1_2)
mb->sslflag = mb->notlsflag = mb->tls1_2 = T;
-#endif
+ else if (!compare_cstring(s, "tls1_3")
+ && !mb->tls1 && !mb->tls1_1 && !mb->tls1_2
+ && !mb->dtls1 && !mb->dtls1_2)
+ mb->sslflag = mb->notlsflag = mb->tls1_3 = T;
else if (!compare_cstring(s, "dtls1")
- && !mb->tls1 && !mb->tls1_1 && !mb->tls1_2)
+ && !mb->tls1 && !mb->tls1_1 && !mb->tls1_2
+ && !mb->tls1_3 && !mb->dtls1_2)
mb->sslflag = mb->notlsflag = mb->dtls1 = T;
+ else if (!compare_cstring(s, "dtls1_2")
+ && !mb->tls1 && !mb->tls1_1 && !mb->tls1_2
+ && !mb->tls1_3 && !mb->dtls1)
+ mb->sslflag = mb->notlsflag = mb->dtls1_2 = T;
else if (mailssldriver && !compare_cstring (s,"novalidate-cert"))
mb->novalidate = T;
/* hack for compatibility with the past */
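Review bot: Each new arm of the modifier chain (tls1_3, dtls1_2) repeats the full list of the other five version flags, and the four existing arms had to be edited to add the new ones, so the next protocol version will touch seven conditions again. Computing the exclusion once at the top of the chain, `int verset = mb->tls1 || mb->tls1_1 || mb->tls1_2 || mb->tls1_3 || mb->dtls1 || mb->dtls1_2;`, and writing each arm as `else if (!compare_cstring(s, "tls1_3") && !verset)` keeps the arms uniform; note this would also reject a repeated modifier such as /tls1/tls1, which the current chain accepts because no arm tests its own flag. Dropping the `#ifdef TLSV1_2` around tls1_1/tls1_2 means those modifiers are now parsed on every build and the substitution of a generic method happens in ssl_connect_mthd instead, which is consistent with the rest of the commit. mail_valid_net_parse_work starts and ends outside the hunk.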
@@ -6220,7 +6230,9 @@ NETSTREAM *net_open (NETMBX *mb,NETDRIVER *dv,unsigned long port,
flags |= mb->tls1 || mb->tlsflag ? NET_TRYTLS1 : 0;
flags |= mb->tls1_1 ? NET_TRYTLS1_1 : 0;
flags |= mb->tls1_2 ? NET_TRYTLS1_2 : 0;
+ flags |= mb->tls1_3 ? NET_TRYTLS1_3 : 0;
flags |= mb->dtls1 ? NET_TRYDTLS1 : 0;
+ flags |= mb->dtls1_2 ? NET_TRYDTLS1_2 : 0;
if (strlen (mb->host) >= NETMAXHOST) {
sprintf (tmp,"Invalid host name: %.80s",mb->host);
MM_LOG (tmp,ERROR);
diff --git a/imap/src/c-client/mail.h b/imap/src/c-client/mail.h
index fc3f3862..e5755e54 100644
--- a/imap/src/c-client/mail.h
+++ b/imap/src/c-client/mail.h
@@ -442,13 +442,17 @@
/* try SSL mode */
#define NET_TRYSSL ((unsigned long) 0x8000000)
/* try TLS1 mode */
-#define NET_TRYTLS1 ((unsigned long) 0x1000000)
+#define NET_TRYTLS1 ((unsigned long) 0x4000000)
/* try TLS1_1 mode */
#define NET_TRYTLS1_1 ((unsigned long) 0x2000000)
/* try TLS1_2 mode */
-#define NET_TRYTLS1_2 ((unsigned long) 0x4000000)
+#define NET_TRYTLS1_2 ((unsigned long) 0x1000000)
+ /* try TLS1_3 mode */
+#define NET_TRYTLS1_3 ((unsigned long) 0x800000)
/* try DTLS1 mode */
-#define NET_TRYDTLS1 ((unsigned long) 0x8000000)
+#define NET_TRYDTLS1 ((unsigned long) 0x400000)
+ /* try DTLS1_2 mode */
+#define NET_TRYDTLS1_2 ((unsigned long) 0x200000)
/* Close options */
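Review bot: The renumbering changes the values of the existing NET_TRYTLS1, NET_TRYTLS1_2 and NET_TRYDTLS1 flags and, as a side effect, fixes a real collision — before this hunk NET_TRYDTLS1 and NET_TRYSSL were both 0x8000000, so a /dtls1 mailbox also tested true for /ssl — but nothing in the header records either fact. The three new bits 0x800000, 0x400000 and 0x200000 come from a range the hunk does not show; it is worth checking against the rest of the NET_ option list (outside the hunk) that none is already assigned, and adding `/* NET_TRY* bits must be distinct from each other and from NET_TRYSSL (0x8000000) */` above NET_TRYTLS1. If c-client is consumed as a library by anything compiled against the old header, the changed values of existing flags are also a binary-compatibility change, though I cannot tell from here whether that matters in this tree.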
@@ -691,7 +695,9 @@ typedef struct net_mailbox {
unsigned int tls1 : 1; /* Use TLSv1 */
unsigned int tls1_1 : 1; /* Use TLSv1.1 */
unsigned int tls1_2 : 1; /* Use TLSV1.2 */
+ unsigned int tls1_3 : 1; /* Use TLSV1.3 */
unsigned int dtls1 : 1; /* Use DTLSv1 */
+ unsigned int dtls1_2 : 1; /* Use DTLSv1.2 */
unsigned int trysslflag : 1; /* try SSL driver first flag */
unsigned int novalidate : 1; /* don't validate certificates */
unsigned int tlsflag : 1; /* TLS flag */
diff --git a/imap/src/osdep/nt/ssl_nt.c b/imap/src/osdep/nt/ssl_nt.c
index d352980e..b4d7e1d2 100644
--- a/imap/src/osdep/nt/ssl_nt.c
+++ b/imap/src/osdep/nt/ssl_nt.c
@@ -37,15 +37,30 @@
#ifdef OPENSSL_1_1_0
#include <rsa.h>
#include <bn.h>
+#ifdef TLSv1_client_method
+#undef TLSv1_client_method
+#endif /* TLSv1_client_method */
#ifdef TLSv1_1_client_method
-#undef TLSv1_1_client_method
+#undef TLSv1_1_client_method
#endif /* TLSv1_1_client_method */
#ifdef TLSv1_2_client_method
#undef TLSv1_2_client_method
#endif /* TLSv1_2_client_method */
+#ifdef DTLSv1_client_method
+#undef DTLSv1_client_method
+#endif /* DTLSv1_client_method */
+#ifdef DTLSv1_2_client_method
+#undef DTLSv1_2_client_method
+#endif /* DTLSv1_2_client_method */
+#define TLSv1_client_method TLS_client_method
#define TLSv1_1_client_method TLS_client_method
#define TLSv1_2_client_method TLS_client_method
-#endif /* OPENSSL_1_1_0 */
+#define DTLSv1_client_method DTLS_client_method
+#define DTLSv1_2_client_method DTLS_client_method
+#endif /* OPENSSL_1_1_0 */
+#ifndef DTLSv1_2_client_method
+#define DTLSv1_2_client_method DTLSv1_client_method
+#endif /* DTLSv1_2_client_method */
#undef STRING
#undef crypt
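Review bot: The fallback `#ifndef DTLSv1_2_client_method` / `#define DTLSv1_2_client_method DTLSv1_client_method` at the end of the hunk tests whether a preprocessor symbol is defined, but outside the OPENSSL_1_1_0 block DTLSv1_2_client_method is an ordinary function prototype in older OpenSSL (1.0.2, if I recall correctly), not a macro, so the condition is true precisely on the libraries that provide it and /dtls1_2 is silently rewritten to the DTLSv1 method — a protocol downgrade the user did not ask for and nothing reports. Keying the fallback on a macro the library defines only when it supports the protocol, e.g. `#ifndef DTLS1_2_VERSION` (the same macro this commit's conf.c already relies on), limits the substitution to libraries that genuinely lack DTLS 1.2. The identical three lines are added to ssl_unix.c in this commit and need the same change.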
@@ -187,26 +202,44 @@ SSLSTREAM *ssl_aopen (NETMBX *mb,char *service,char *usrbuf)
*/
const SSL_METHOD *ssl_connect_mthd(int flag)
{
-#ifdef OPENSSL_1_1_0
- if(flag & NET_TRYTLS1)
- return TLS_client_method();
+ if (flag & NET_TRYTLS1)
+#ifndef OPENSSL_NO_TLS1_METHOD
+ return TLSv1_client_method();
#else
- if(flag & NET_TRYTLS1)
- return TLSv1_client_method();
-#endif /* OPENSSL_1_1_0 */
-#ifdef TLSV1_2
- else if(flag & NET_TRYTLS1_1)
- return TLSv1_1_client_method();
- else if(flag & NET_TRYTLS1_2)
- return TLSv1_2_client_method();
-#endif /* TLSV1_2 */
-#ifdef OPENSSL_1_1_0
- else if(flag & NET_TRYDTLS1)
- return DTLS_client_method();
+ return TLS_client_method();
+#endif /* OPENSSL_NO_TLS1_METHOD */
+
+ else if(flag & NET_TRYTLS1_1)
+#ifndef OPENSSL_NO_TLS1_1_METHOD
+ return TLSv1_1_client_method();
#else
- else if(flag & NET_TRYDTLS1)
- return DTLSv1_client_method();
-#endif /* OPENSSL_1_1_0 */
+ return TLS_client_method();
+#endif /* OPENSSL_NO_TLS1_1_METHOD */
+
+ else if(flag & NET_TRYTLS1_2)
+#ifndef OPENSSL_NO_TLS1_2_METHOD
+ return TLSv1_2_client_method();
+#else
+ return TLS_client_method();
+#endif /* OPENSSL_NO_TLS1_2_METHOD */
+
+ else if(flag & NET_TRYTLS1_3)
+ return TLS_client_method();
+
+ else if(flag & NET_TRYDTLS1)
+#ifndef OPENSSL_NO_DTLS1_METHOD
+ return DTLSv1_client_method();
+#else
+ return DTLS_client_method();
+#endif /* OPENSSL_NO_DTLS1_METHOD */
+
+ else if(flag & NET_TRYDTLS1_2)
+#ifndef OPENSSL_NO_DTLS1_METHOD
+ return DTLSv1_2_client_method();
+#else
+ return DTLS_client_method();
+#endif /* OPENSSL_NO_DTLS1_METHOD */
+
else return SSLv23_client_method();
}
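Review bot: The NET_TRYTLS1_3 branch returns TLS_client_method(), which negotiates whatever version the context permits, so the new /tls1_3 modifier does not by itself require TLS 1.3 — a server offering only TLS 1.0 still connects — whereas the /tls1, /tls1_1 and /tls1_2 arms in the same function return version-specific methods, so a user will reasonably read /tls1_3 as a floor. Unless the code that builds the SSL_CTX (outside this hunk) already pins the version, it should call `SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION)` when NET_TRYTLS1_3 is set, under `#ifdef TLS1_3_VERSION` so older libraries still compile; the help text added in this commit describes the preference semantics, but the code is where the guarantee has to live. Separately, the NET_TRYDTLS1_2 branch is gated on OPENSSL_NO_DTLS1_METHOD, while the macro corresponding to that method is OPENSSL_NO_DTLS1_2_METHOD, so a library built with only DTLS 1.2 methods disabled would still try to call DTLSv1_2_client_method(). Both points apply equally to the ssl_unix.c copy of this function in the same commit.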
diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c
index 4c4d6ef8..ffd37775 100644
--- a/imap/src/osdep/unix/ssl_unix.c
+++ b/imap/src/osdep/unix/ssl_unix.c
@@ -36,15 +36,30 @@
#ifdef OPENSSL_1_1_0
#include <rsa.h>
#include <bn.h>
+#ifdef TLSv1_client_method
+#undef TLSv1_client_method
+#endif /* TLSv1_client_method */
#ifdef TLSv1_1_client_method
#undef TLSv1_1_client_method
#endif /* TLSv1_1_client_method */
#ifdef TLSv1_2_client_method
#undef TLSv1_2_client_method
#endif /* TLSv1_2_client_method */
+#ifdef DTLSv1_client_method
+#undef DTLSv1_client_method
+#endif /* DTLSv1_client_method */
+#ifdef DTLSv1_2_client_method
+#undef DTLSv1_2_client_method
+#endif /* DTLSv1_2_client_method */
+#define TLSv1_client_method TLS_client_method
#define TLSv1_1_client_method TLS_client_method
#define TLSv1_2_client_method TLS_client_method
+#define DTLSv1_client_method DTLS_client_method
+#define DTLSv1_2_client_method DTLS_client_method
#endif /* OPENSSL_1_1_0 */
+#ifndef DTLSv1_2_client_method
+#define DTLSv1_2_client_method DTLSv1_client_method
+#endif /* DTLSv1_2_client_method */
#undef STRING
#undef crypt
@@ -186,26 +201,44 @@ SSLSTREAM *ssl_aopen (NETMBX *mb,char *service,char *usrbuf)
*/
const SSL_METHOD *ssl_connect_mthd(int flag)
{
-#ifdef OPENSSL_1_1_0
- if(flag & NET_TRYTLS1)
- return TLS_client_method();
+ if (flag & NET_TRYTLS1)
+#ifndef OPENSSL_NO_TLS1_METHOD
+ return TLSv1_client_method();
#else
- if(flag & NET_TRYTLS1)
- return TLSv1_client_method();
-#endif /* OPENSSL_1_1_0 */
-#ifdef TLSV1_2
- else if(flag & NET_TRYTLS1_1)
- return TLSv1_1_client_method();
- else if(flag & NET_TRYTLS1_2)
- return TLSv1_2_client_method();
-#endif /* TLSV1_2 */
-#ifdef OPENSSL_1_1_0
- else if(flag & NET_TRYDTLS1)
- return DTLS_client_method();
+ return TLS_client_method();
+#endif /* OPENSSL_NO_TLS1_METHOD */
+
+ else if(flag & NET_TRYTLS1_1)
+#ifndef OPENSSL_NO_TLS1_1_METHOD
+ return TLSv1_1_client_method();
+#else
+ return TLS_client_method();
+#endif /* OPENSSL_NO_TLS1_1_METHOD */
+
+ else if(flag & NET_TRYTLS1_2)
+#ifndef OPENSSL_NO_TLS1_2_METHOD
+ return TLSv1_2_client_method();
#else
+ return TLS_client_method();
+#endif /* OPENSSL_NO_TLS1_2_METHOD */
+
+ else if(flag & NET_TRYTLS1_3)
+ return TLS_client_method();
+
else if(flag & NET_TRYDTLS1)
- return DTLSv1_client_method();
-#endif /* OPENSSL_1_1_0 */
+#ifndef OPENSSL_NO_DTLS1_METHOD
+ return DTLSv1_client_method();
+#else
+ return DTLS_client_method();
+#endif /* OPENSSL_NO_DTLS1_METHOD */
+
+ else if(flag & NET_TRYDTLS1_2)
+#ifndef OPENSSL_NO_DTLS1_METHOD
+ return DTLSv1_2_client_method();
+#else
+ return DTLS_client_method();
+#endif /* OPENSSL_NO_DTLS1_METHOD */
+
else return SSLv23_client_method();
}
diff --git a/include/config.h.in b/include/config.h.in
index 56c9160f..0779f336 100644
--- a/include/config.h.in
+++ b/include/config.h.in
@@ -590,9 +590,6 @@
/* Simple spell checker: reads stdin, emits misspellings on stdout */
#undef SPELLER
-/* SSL Supports TLSV1.2 */
-#undef SSL_SUPPORTS_TLSV1_2
-
/* Define to 1 if the `S_IS*' macros in <sys/stat.h> do not work properly. */
#undef STAT_MACROS_BROKEN
diff --git a/pith/conf.c b/pith/conf.c
index 0085e955..607c9f82 100644
--- a/pith/conf.c
+++ b/pith/conf.c
@@ -52,6 +52,7 @@ static char rcsid[] = "$Id: conf.c 1266 2009-07-14 18:39:12Z hubert@u.washington
#include "../pico/osdep/mswin.h"
#endif
+#include <openssl/ssl.h>
#define TO_BAIL_THRESHOLD 60
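Review bot: `#include <openssl/ssl.h>` is added unconditionally, but this commit's configure.ac still allows alpine_SSLTYPE to end up as "none", and conf.c must compile in that configuration too; where no OpenSSL headers are installed the include fails outright. It should sit under the same preprocessor condition pith uses elsewhere for SSL-only code (not visible in this hunk). Guarding it is safe for the new get_supported_options code further down, which only tests OPENSSL_NO_TLS1_METHOD and the TLS1_x_VERSION / DTLS1_x_VERSION macros and correctly produces an empty list when none of them is defined. The other files in this commit include OpenSSL headers without the openssl/ prefix (`<rsa.h>`, `<bn.h>`), so the include-path convention may also differ here; worth confirming against the build flags.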
@@ -8147,8 +8148,8 @@ get_supported_options(void)
DRIVER *d;
AUTHENTICATOR *a;
char *title = _("Supported features in this Alpine");
- char sbuf[MAX_SCREEN_COLS+1];
- int cnt, alcnt, len, cols, disabled, any_disabled = 0;;
+ char sbuf[MAX_SCREEN_COLS+1], tmp[128];
+ int cnt, alcnt, len, cols, disabled, any_disabled = 0, i;
/*
* Line count:
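Review bot: `i` is added to the declaration list, but none of this commit's hunks in get_supported_options use it; if it is unused elsewhere in the function it will draw a compiler warning and should be dropped from the `int cnt, alcnt, len, cols, disabled, any_disabled = 0, i;` line. The function's body continues outside the hunk, so I cannot confirm from here.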
@@ -8190,10 +8191,32 @@ get_supported_options(void)
config[cnt] = cpystr(_(" TLS and SSL"));
else
config[cnt] = cpystr(_(" None (no TLS or SSL)"));
-#ifdef SSL_SUPPORTS_TLSV1_2
- if(++cnt < alcnt)
- config[cnt] = cpystr(" TLSv1.1, TLSv1.2, and DTLSv1");
-#endif
+
+ tmp[0] = tmp[1] = ' ';
+ tmp[2] = '\0';
+#ifndef OPENSSL_NO_TLS1_METHOD
+ strcat(tmp, "TLSv1, ");
+#endif /* OPENSSL_NO_TLS1_METHOD */
+#ifdef TLS1_1_VERSION
+ strcat(tmp, "TLSv1.1, ");
+#endif /* TLS1_1_VERSION */
+#ifdef TLS1_2_VERSION
+ strcat(tmp, "TLSv1.2. ");
+#endif /* TLS1_2_VERSION */
+#ifdef TLS1_3_VERSION
+ strcat(tmp, "TLSv1.3, ");
+#endif /* TLS1_3_VERSION */
+#ifdef DTLS1_VERSION
+ strcat(tmp, "DTLSv1, ");
+#endif /* DTLS1_VERSION */
+#ifdef DTLS1_2_VERSION
+ strcat(tmp, "DTLSv1.2, ");
+#endif /* DTLS1_2_VERSION */
+ if(tmp[2] != '\0'){
+ tmp[strlen(tmp)-2] = '\0';
+ if(++cnt < alcnt)
+ config[cnt] = cpystr(tmp);
+ }
#ifdef SMIME
if(++cnt < alcnt)
config[cnt] = cpystr(" S/MIME");
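Review bot: `strcat(tmp, "TLSv1.2. ");` ends the TLS 1.2 entry with a period where every other entry ends with ", ", so the displayed feature line reads "TLSv1.1, TLSv1.2. TLSv1.3, ..." on builds that have both; change it to `strcat(tmp, "TLSv1.2, ");`. The trailing `tmp[strlen(tmp)-2] = '\0'` strip depends on every fragment ending in exactly ", ", so the separator has to stay uniform. The six fragments plus the two-space indent total well under the 128 bytes of tmp, so the unbounded strcat is safe as written, but a one-line comment at the declaration (`/* six fragments, under 60 bytes, fits tmp[128] */`) would protect the next person who adds an entry. get_supported_options starts and ends outside the hunk.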
diff --git a/pith/pine.hlp b/pith/pine.hlp
index 074558fe..4f6ce153 100644
--- a/pith/pine.hlp
+++ b/pith/pine.hlp
@@ -185,6 +185,9 @@ Additions include:
<LI> NTLM authentication support with the ntlm library, in Unix systems.
Based on code provided by Maciej W. Rozycki.
+<LI> Add /tls1_3 flag for servers that support it. Read more information
+in the secure protocols <A HREF="h_network_encryption_security">help</A>.
+
<LI> Add -dict option to PC-Pico, which allows users to choose a dictionary
when spelling. Sample usage: -dict "en_US, de_DE, fr_FR".
@@ -1373,6 +1376,42 @@ a new key.
&lt;End of help&gt;
</BODY>
</HTML>
+====== h_network_encryption_security ======
+<HTML>
+<HEAD>
+<TITLE>Network Encryption Security Explained</TITLE>
+</HEAD>
+<BODY>
+<H1>Network Encryption Security Explained</H1>
+
+You can specify which encryption protocol you would like to try when
+creating a secure connection to a server. Alpine will attempt to use
+that encryption protocol, but in practice the protocol being used will
+default to the most secure protocol that both Alpine and the server
+support.
+
+<P> If you use the latest version of OpenSSL, the /ssl modifier to the
+server definition will use the most secure version of the TLS encryption
+protocol. The same will be true if you try /tls1_1 or /tls1_2, but in an
+old version of OpenSSL (pre 1.1.0 series) /tls1_1 might mean to use
+version 1.1 of the TLS protocol.
+
+<P> You will never go wrong by using the /ssl modifier. At the time of
+this writing OpenSSL had released version 1.1.1, with support for
+TLS version 1.3. If your version of OpenSSL does not support this version
+of the TLS protocol, then the /tls1_3 modifier will only mean to use
+the most secure version of the TLS protocol that OpenSSL and the
+server can negotiate. In future versions of OpenSSL, /tls1_3 might mean
+to try to negotiate a higher version of the TLS protocol.
+
+<P> In order to avoid confusion, the /ssl flag is the best way to guarantee
+the highest encryption protocol available, and it is the recommended
+modifier to the server definition to create a secure encrypted connection.
+
+<P>
+&lt;End of help&gt;
+</BODY>
+</HTML>
====== h_tls_failure_details ======
<HTML>
<HEAD>
@@ -20671,6 +20710,19 @@ Alpine must be linked with an SSL library for this option to be operational.
</DD>
+<DT>DTLS1_2</DT>
+<DD>
+This parameter indicates that the connection to the server will be made
+over the SSL port, but using the DTLSv1.2 protocol, instead of the usual
+SSLv3 or SSLv2 protocols.
+Alpine must be linked with an SSL library for this option to be operational.
+
+<P>
+<CENTER><SAMP>/dtls1_2</SAMP></CENTER>
+<P>
+
+</DD>
+
<DT>TLS1_1</DT>
<DD>
This parameter indicates that the connection to the server will be made
@@ -20697,6 +20749,19 @@ Alpine must be linked with an SSL library for this option to be operational.
</DD>
+<DT>TLS1_3</DT>
+<DD>
+This parameter indicates that the connection to the server will be made
+over the SSL port, but using the TLSv1.3 protocol, instead of the usual
+SSLv3 or SSLv2 protocols.
+Alpine must be linked with an SSL library for this option to be operational.
+
+<P>
+<CENTER><SAMP>/tls1_2</SAMP></CENTER>
+<P>
+
+</DD>
+
<DT>NoValidate-Cert</DT>
<DD>Do not validate certificates (for TLS or SSL connections) from the server.
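Review bot: The sample under the new TLS1_3 entry shows `/tls1_2`, copied from the TLS1_2 entry above it; it should read `<CENTER><SAMP>/tls1_3</SAMP></CENTER>`, otherwise users following the help will set the wrong modifier. The entry also says the connection will use "the TLSv1.3 protocol", while the h_network_encryption_security page added in this same commit explains that on older OpenSSL /tls1_3 only selects the most secure version the library can negotiate; a one-line cross-reference to that page from this entry (and from the new DTLS1_2 entry) would keep the two descriptions from contradicting each other.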