authorEduardo Chappa <chappa@washington.edu>2019-02-17 19:17:46 -0700
committerEduardo Chappa <chappa@washington.edu>2019-02-17 19:17:46 -0700
commit08fcd1b86979b422eb586e56459d6fe15333e500 (patch)
tree27247d07d9c1063e2a2fc376155d675f54a4d4e4 /pith
parent35f3426203172af028df5a6e39bc6dea2514020d (diff)
downloadalpine-08fcd1b86979b422eb586e56459d6fe15333e500.tar.xz
* Rewrite support for specific SSL encryption protocols, including
a. Add a new variable: encryption-protocol-range, which can be used to specify the minimum and maximum versions of the TLS protocol that Alpine will attempt to use to encrypt its communication with the server. b. Add support for the Server Name Indication (SNI) extension needed for TLSv1.3. c. Remove the DTLS code. It was not being used.
Diffstat (limited to 'pith')
-rw-r--r--pith/conf.c84
-rw-r--r--pith/conf.h3
-rw-r--r--pith/conftype.h1
-rw-r--r--pith/pine.hlp135
4 files changed, 153 insertions, 70 deletions
diff --git a/pith/conf.c b/pith/conf.c
index 607c9f82..c7c24dbe 100644
--- a/pith/conf.c
+++ b/pith/conf.c
@@ -281,6 +281,8 @@ CONF_TXT_T cf_text_disable_drivers[] = "List of mail drivers to disable.";
CONF_TXT_T cf_text_disable_auths[] = "List of SASL authenticators to disable.";
+CONF_TXT_T cf_text_encryption_range[] = "A range in the form min,max that sets the minimum amd maximum versions of the\n# SSL protocol that Alpine will use when connecting to a secure server.";
+
CONF_TXT_T cf_text_remote_abook_metafile[] = "Set by Alpine; contains data for caching remote address books.";
CONF_TXT_T cf_text_old_patterns[] = "Patterns is obsolete, use patterns-xxx";
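Review bot: The user-visible description string on the new `cf_text_encryption_range` line has a typo, "minimum amd maximum", and it is written verbatim as the comment into every generated pinerc; change it to `"A range in the form min,max that sets the minimum and maximum versions of the\n# SSL protocol that Alpine will use when connecting to a secure server."`. Since the accepted values are protocol names (no_min, ssl3, tls1, ... as listed in the new pith_ssl_encryption_version table) rather than numbers, saying "protocol names" instead of "versions" would also keep this text consistent with the new pine.hlp topic.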
@@ -744,6 +746,8 @@ static struct variable variables[] = {
NULL, cf_text_disable_drivers},
{"disable-these-authenticators", 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0,
NULL, cf_text_disable_auths},
+{"encryption-protocol-range", 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0,
+ NULL, cf_text_encryption_range},
{"remote-abook-metafile", 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0,
NULL, cf_text_remote_abook_metafile},
{"remote-abook-history", 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0,
@@ -1601,6 +1605,7 @@ init_vars(struct pine *ps, void (*cmds_f) (struct pine *, char **))
GLO_PRINTER = cpystr(DF_DEFAULT_PRINTER);
GLO_ELM_STYLE_SAVE = cpystr(DF_ELM_STYLE_SAVE);
+ GLO_ENCRYPTION_RANGE = cpystr(DF_ENCRYPTION_RANGE);
GLO_SAVE_BY_SENDER = cpystr(DF_SAVE_BY_SENDER);
GLO_HEADER_IN_REPLY = cpystr(DF_HEADER_IN_REPLY);
GLO_INBOX_PATH = cpystr("inbox");
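Review bot: `DF_ENCRYPTION_RANGE` is not defined in any hunk of this diff — the conf.h hunk adds `GLO_ENCRYPTION_RANGE`/`VAR_ENCRYPTION_RANGE` but no `DF_` default — so this line compiles only if the macro comes from a build-system define or a file outside pith, which the diffstat (limited to pith) cannot show. If it is a configure-time define, as the description's "default can be set at compilation time" suggests, a guarded fallback in conf.h such as `#ifndef DF_ENCRYPTION_RANGE` / `#define DF_ENCRYPTION_RANGE "no_min,no_max"` / `#endif` would keep a plain build compiling and make the documented "no limits" meaning explicit. init_vars starts and ends outside this hunk.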
@@ -2328,6 +2333,7 @@ init_vars(struct pine *ps, void (*cmds_f) (struct pine *, char **))
set_current_val(&vars[V_FORCED_ABOOK_ENTRY], TRUE, TRUE);
set_current_val(&vars[V_DISABLE_DRIVERS], TRUE, TRUE);
set_current_val(&vars[V_DISABLE_AUTHS], TRUE, TRUE);
+ set_current_val(&vars[V_ENCRYPTION_RANGE], TRUE, TRUE);
set_current_val(&vars[V_VIEW_HEADERS], TRUE, TRUE);
/* strip spaces and colons */
@@ -7825,6 +7831,8 @@ config_help(int var, int feature)
return(h_config_disable_drivers);
case V_DISABLE_AUTHS :
return(h_config_disable_auths);
+ case V_ENCRYPTION_RANGE :
+ return(h_config_encryption_range);
case V_REMOTE_ABOOK_METADATA :
return(h_config_abook_metafile);
case V_REPLY_STRING :
@@ -8187,36 +8195,26 @@ get_supported_options(void)
/* TRANSLATORS: headings */
config[cnt] = cpystr(_("Encryption:"));
- if(++cnt < alcnt && mail_parameters(NIL, GET_SSLDRIVER, NIL))
+ if(++cnt < alcnt && mail_parameters(NIL, GET_SSLDRIVER, NIL)){
config[cnt] = cpystr(_(" TLS and SSL"));
- else
- config[cnt] = cpystr(_(" None (no TLS or SSL)"));
-
- tmp[0] = tmp[1] = ' ';
- tmp[2] = '\0';
-#ifndef OPENSSL_NO_TLS1_METHOD
- strcat(tmp, "TLSv1, ");
-#endif /* OPENSSL_NO_TLS1_METHOD */
-#ifdef TLS1_1_VERSION
- strcat(tmp, "TLSv1.1, ");
-#endif /* TLS1_1_VERSION */
-#ifdef TLS1_2_VERSION
- strcat(tmp, "TLSv1.2. ");
-#endif /* TLS1_2_VERSION */
+ tmp[0] = tmp[1] = ' ';
+ tmp[2] = '\0';
+ strcat(tmp, "TLSv1, ");
+ strcat(tmp, "TLSv1.1, ");
+ strcat(tmp, "TLSv1.2, ");
#ifdef TLS1_3_VERSION
- strcat(tmp, "TLSv1.3, ");
+ strcat(tmp, "TLSv1.3, ");
#endif /* TLS1_3_VERSION */
-#ifdef DTLS1_VERSION
- strcat(tmp, "DTLSv1, ");
-#endif /* DTLS1_VERSION */
-#ifdef DTLS1_2_VERSION
- strcat(tmp, "DTLSv1.2, ");
-#endif /* DTLS1_2_VERSION */
- if(tmp[2] != '\0'){
- tmp[strlen(tmp)-2] = '\0';
- if(++cnt < alcnt)
- config[cnt] = cpystr(tmp);
+ strcat(tmp, "DTLSv1, ");
+ strcat(tmp, "DTLSv1.2, ");
+ tmp[strlen(tmp)-2] = '.';
+ tmp[strlen(tmp)-1] = '\0';
}
+ else
+ config[cnt] = cpystr(_(" None (no TLS or SSL)"));
+
+ if(++cnt < alcnt)
+ config[cnt] = cpystr(tmp);
#ifdef SMIME
if(++cnt < alcnt)
config[cnt] = cpystr(" S/MIME");
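Review bot: The new unconditional `strcat(tmp, "DTLSv1, ");` and `strcat(tmp, "DTLSv1.2, ");` lines advertise DTLS in the supported-options list even though this same commit removes the DTLS code (item c of the description), and the TLSv1/TLSv1.1/TLSv1.2 entries are now appended without the `#ifdef` guards the removed code had, so the list no longer reflects what the linked library actually provides. Separately, `if(++cnt < alcnt) config[cnt] = cpystr(tmp);` was moved out of the braces, so on the `None (no TLS or SSL)` branch it now copies `tmp`, which nothing in this hunk has written — whether that is an uninitialized or a stale buffer depends on code above the hunk, as get_supported_options begins outside it. Drop the two DTLS lines and move the `if(++cnt < alcnt)` / `config[cnt] = cpystr(tmp);` pair back inside the braces so only the SSL branch emits the version line.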
@@ -8452,3 +8450,37 @@ pcpine_general_help(titlebuf)
#endif /* _WINDOWS */
+typedef struct ssl_versions_s {
+ char *name;
+ int version;
+} SSL_VERSIONS_S;
+
+int
+pith_ssl_encryption_version(char *s)
+{
+ SSL_VERSIONS_S ssl_versions[] = {
+ {"no_min", 0},
+ {"ssl3", SSL3_VERSION},
+ {"tls1", TLS1_VERSION},
+ {"tls1_1", TLS1_1_VERSION },
+ {"tls1_2", TLS1_2_VERSION},
+#ifdef TLS1_3_VERSION
+ {"tls1_3", TLS1_3_VERSION},
+#endif /* TLS1_3_VERSION */
+ {"no_max", 0}, /* set this last in the list */
+ { NULL, 0},
+ };
+ int i;
+
+ if(s == NULL || *s == '\0')
+ return -1;
+
+ for(i = 0; ssl_versions[i].name != NULL; i++)
+ if(strcmp(ssl_versions[i].name, s) == 0)
+ break;
+
+ if(strcmp(s, "no_max") == 0) i--;
+
+ return ssl_versions[i].name != NULL ? ssl_versions[i].version : -1;
+}
+
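Review bot: `pith_ssl_encryption_version` is a new public entry point (its prototype is added in the conf.h hunk) but carries no comment describing its contract; add one above the definition stating that it maps a protocol name from the encryption-protocol-range option to the SSL library's version constant, that "no_min" yields 0, "no_max" yields the highest version present in the table, and that NULL, an empty string or an unrecognized name returns -1, so callers must test for -1 before handing the value to the library. Since the function never writes through `s`, both this definition and the conf.h prototype `int pith_ssl_encryption_version(char *);` should take `const char *`. The table also references `SSL3_VERSION`, `TLS1_1_VERSION` and `TLS1_2_VERSION` unconditionally while the old get_supported_options code guarded the latter two with `#ifdef`; if older libraries remain a build target, the tls1_1 and tls1_2 entries need the same `#ifdef` treatment the tls1_3 entry has.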
diff --git a/pith/conf.h b/pith/conf.h
index 7648e355..474e9d5f 100644
--- a/pith/conf.h
+++ b/pith/conf.h
@@ -263,6 +263,8 @@
#define GLO_REMOTE_ABOOK_HISTORY vars[V_REMOTE_ABOOK_HISTORY].global_val.p
#define VAR_REMOTE_ABOOK_VALIDITY vars[V_REMOTE_ABOOK_VALIDITY].current_val.p
#define GLO_REMOTE_ABOOK_VALIDITY vars[V_REMOTE_ABOOK_VALIDITY].global_val.p
+#define GLO_ENCRYPTION_RANGE vars[V_ENCRYPTION_RANGE].global_val.p
+#define VAR_ENCRYPTION_RANGE vars[V_ENCRYPTION_RANGE].current_val.p
/* Elm style save is obsolete in Pine 3.81 (see saved msg name rule) */
#define VAR_ELM_STYLE_SAVE vars[V_ELM_STYLE_SAVE].current_val.p
#define GLO_ELM_STYLE_SAVE vars[V_ELM_STYLE_SAVE].global_val.p
@@ -912,6 +914,7 @@ char **get_supported_options(void);
unsigned reset_startup_rule(MAILSTREAM *);
void free_pinerc_lines(PINERC_LINE **);
void panic1(char *, char *);
+int pith_ssl_encryption_version(char *);
/* mandatory to implement prototypes */
int set_input_timeout(int);
diff --git a/pith/conftype.h b/pith/conftype.h
index e70c5276..bfb337c9 100644
--- a/pith/conftype.h
+++ b/pith/conftype.h
@@ -171,6 +171,7 @@ typedef enum { V_PERSONAL_NAME = 0
, V_NEW_VER_QUELL
, V_DISABLE_DRIVERS
, V_DISABLE_AUTHS
+ , V_ENCRYPTION_RANGE
, V_REMOTE_ABOOK_METADATA
, V_REMOTE_ABOOK_HISTORY
, V_REMOTE_ABOOK_VALIDITY
diff --git a/pith/pine.hlp b/pith/pine.hlp
index 03aa9363..99670197 100644
--- a/pith/pine.hlp
+++ b/pith/pine.hlp
@@ -188,6 +188,12 @@ Based on code provided by Maciej W. Rozycki.
<LI> Add /tls1_3 flag for servers that support it. Read more information
in the secure protocols <A HREF="h_network_encryption_security">help</A>.
+<LI> New variable
+<A HREF="h_config_encryption_range"><!--#echo var="VAR_encryption-protocol-range"--></A>
+that allows users to configure versions of the SSL/TLS protocol that Alpine is
+restricted to try when establishing a secure connection SSL/TLS to a remote
+server. The default can be set at compilation time.
+
<LI> Add -dict option to PC-Pico, which allows users to choose a dictionary
when spelling. Sample usage: -dict "en_US, de_DE, fr_FR".
@@ -218,6 +224,10 @@ Suggested by Barry Landy.
<LI> S/MIME: Some clients do not transform messages to canonical form when
signing first and encrypting second, which makes Alpine fail to parse the
signed data after encryption. Reported by Holger Trapp.
+
+<LI> Add /auth=XYZ to the way to define a server. This allows users to
+select the method to authenticate to an IMAP, SMTP or POP3 server.
+Examples are /auth=plain, or /auth=gssapi, etc.
</UL>
<P>
@@ -304,9 +314,13 @@ Bugs that have been addressed include:
by David Woodhouse to the RedHat bugzilla system.
<LI> When there are time changes in the clock, Alpine might go to sleep
- for big amounts of time while displaying messages in the screen.
- Reset sleep time to 5 seconds in case it finds it needs to sleep
+ for big amounts of time while displaying messages in the screen.
+ Reset sleep time to 5 seconds in case it finds it needs to sleep
more than 5 seconds or a negative amount of time.
+
+ <LI> Restore recognition of empty directories. It was deleted by mistake
+ when added support for internationalization in folders. Based on a
+ report by Michael Rutter.
</UL>
<P>
@@ -3356,6 +3370,7 @@ if the connection is encrypted.
<LI> <A HREF="h_config_disable_password_file_saving"><!--#echo var="FEAT_disable-password-file-saving"--></A> Disable password file saving</LI>
<LI> <A HREF="h_config_mailcap_params"><!--#echo var="FEAT_enable-mailcap-param-substitution"--></A> feature </LI>
<LI> <A HREF="h_config_disable_auths"><!--#echo var="VAR_disable-these-authenticators"--></A> option </LI>
+<LI> <A HREF="h_config_encryption_range"><!--#echo var="VAR_encryption-protocol-range"--></A> option </LI>
</UL>
<P>
&lt;End of help on this topic&gt;
@@ -4324,6 +4339,7 @@ There are also additional details on
<li><a href="h_config_default_fcc">OPTION: <!--#echo var="VAR_default-fcc"--></a>
<li><a href="h_config_def_save_folder">OPTION: <!--#echo var="VAR_default-saved-msg-folder"--></a>
<li><a href="h_config_disable_auths">OPTION: <!--#echo var="VAR_disable-these-authenticators"--></a>
+<li><a href="h_config_encryption_range">OPTION: <!--#echo var="VAR_encryption-protocol-range"--></a>
<li><a href="h_config_disable_drivers">OPTION: <!--#echo var="VAR_disable-these-drivers"--></a>
<li><a href="h_config_char_set">OPTION: Display Character Set</a>
<li><a href="h_config_display_filters">OPTION: <!--#echo var="VAR_display-filters"--></a>
@@ -20710,6 +20726,9 @@ take place over a Secure Socket Layer connection. The server must support
this method, and be prepared to accept connections on the appropriate
port (993 by default).
Alpine must be linked with an SSL library for this option to be operational.
+Using this option will make Alpine try to connect to the server using the
+most secure encrypted SSL connection that both your version of Alpine and the
+server support.
<P>
<CENTER><SAMP>/ssl</SAMP></CENTER>
@@ -20727,79 +20746,50 @@ Alpine must be linked with an SSL library for this option to be operational.
<P>
<CENTER><SAMP>/tls1</SAMP></CENTER>
<P>
-
-</DD>
-
-<DT>DTLS1</DT>
-<DD>
-This parameter indicates that the connection to the server will be made
-over the SSL port, but using the DTLSv1 protocol, instead of the usual
-SSLv3 or SSLv2 protocols.
-Alpine must be linked with an SSL library for this option to be operational.
-
-<P>
-<CENTER><SAMP>/dtls1</SAMP></CENTER>
-<P>
-
-</DD>
-
-<DT>DTLS1_2</DT>
-<DD>
-This parameter indicates that the connection to the server will be made
-over the SSL port, but using the DTLSv1.2 protocol, instead of the usual
-SSLv3 or SSLv2 protocols.
-Alpine must be linked with an SSL library for this option to be operational.
-
-<P>
-<CENTER><SAMP>/dtls1_2</SAMP></CENTER>
-<P>
-
</DD>
<DT>TLS1_1</DT>
<DD>
This parameter indicates that the connection to the server will be made
-over the SSL port, but using the TLSv1.1 protocol, instead of the usual
-SSLv3 or SSLv2 protocols.
-Alpine must be linked with an SSL library for this option to be operational.
+over the SSL port, but using the TLSv1.1 protocol.
+Alpine must be linked with an SSL library that supports this encryption
+protocol for this option to be operational.
<P>
<CENTER><SAMP>/tls1_1</SAMP></CENTER>
<P>
-
</DD>
<DT>TLS1_2</DT>
<DD>
This parameter indicates that the connection to the server will be made
-over the SSL port, but using the TLSv1.2 protocol, instead of the usual
-SSLv3 or SSLv2 protocols.
-Alpine must be linked with an SSL library for this option to be operational.
+over the SSL port, but using the TLSv1.2 protocol.
+Alpine must be linked with an SSL library that supports this encryption
+protocol for this option to be operational.
<P>
<CENTER><SAMP>/tls1_2</SAMP></CENTER>
<P>
-
</DD>
<DT>TLS1_3</DT>
<DD>
This parameter indicates that the connection to the server will be made
-over the SSL port, but using the TLSv1.3 protocol, instead of the usual
-SSLv3 or SSLv2 protocols.
-Alpine must be linked with an SSL library for this option to be operational.
+over the SSL port, but using the TLSv1.3 protocol.
+Alpine must be linked with an SSL library that supports this encryption
+protocol for this option to be operational.
<P>
-<CENTER><SAMP>/tls1_2</SAMP></CENTER>
+<CENTER><SAMP>/tls1_3</SAMP></CENTER>
<P>
-
</DD>
-
<DT>NoValidate-Cert</DT>
<DD>Do not validate certificates (for TLS or SSL connections) from the server.
This is needed if the server uses self-signed certificates or if Alpine
-cannot validate the certificate for some other known reason.
+cannot validate the certificate for some other known reason. You should avoid
+using this option, and instead install the certificate of the server, so you
+are not a victim of a cracker-in-the-middle attack.
<P>
</DD>
@@ -25704,6 +25694,63 @@ However, disabling the relevant authenticator avoids annoying error messages.
&lt;End of help on this topic&gt;
</BODY>
</HTML>
+====== h_config_encryption_range =====
+<HTML>
+<HEAD>
+<TITLE>OPTION: <!--#echo var="VAR_encryption-protocol-range"--></TITLE>
+</HEAD>
+<BODY>
+<H1>OPTION: <!--#echo var="VAR_encryption-protocol-range"--></H1>
+
+This option sets a range of encryption protocols that can be attempted when
+Alpine will try to establish a secure connection using the SSL or TLS
+protocols.
+
+<P>
+Before a secure connection to an external server is established, Alpine and the
+server will attempt to negotiate a secure connection. This part is known as the
+&quot;ClientHello&quot;. At that time Alpine will announce the version of
+encryption that it would like to establish. The server can reject that, and announce
+a different version of encryption. Once both the server and Alpine have found
+a version of encryption that they both agree on, they will both use it to start
+a secure connection.
+
+<P>
+The use of the /ssl parameter in the definition of the server will make Alpine
+attempt the highest encryption protocol that it can use, in agreement with the
+server. However, using this option, you will set limits to the versions of
+the protocols that are used. This would, for example, allow you to disable the use
+of ssl3, in favor of more modern protocols.
+
+<P>
+For purposes of this option, the protocols are sorted
+as follows
+
+<P>
+<CENTER>
+no_min < ssl3 < tls1 < tls1_1 < tls1_2 < tls1_3 < no_max
+</CENTER>
+
+<P>
+For example, if you want to disable ssl3, all you have to do is to set the minimum
+version to tls1, or any higher protocol.
+
+<P>The name of the parameters used to configure this option is the same as the
+parameters that are added to the definition of a server to make it a secure
+connection, and they are listed above for your reference.
+
+<P>
+The special values &quot;no_min&quot; and &quot;no_max&quot; do not set values
+for the minimum and maximum protocol versions, and Alpine will use the maximum
+and minimum values of encryption protocols built into your SSL library.
+
+<P>
+<UL>
+<LI><A HREF="h_finding_help">Finding more information and requesting help</A>
+</UL><P>
+&lt;End of help on this topic&gt;
+</BODY>
+</HTML>
====== h_config_abook_metafile =====
<HTML>
<HEAD>