author | Eduardo Chappa <chappa@washington.edu> | 2018-09-29 22:59:37 -0600 |
committer | Eduardo Chappa <chappa@washington.edu> | 2018-09-29 22:59:37 -0600 |
commit | 924c47dd50a7b74136b8a60e9ea8d347ff65425b (patch) | |
tree | bcbaaeb98807a7cb12bf16188c66a5ea938d0255 /pith | |
parent | 879f42fa445aa684ffbab7d404941a9d24a4863a (diff) | |
* Add the /tls1_3 modifier to establish connections using TLS protocol
version 1.3.
Diffstat (limited to 'pith')
-rw-r--r-- | pith/conf.c | 35 | ||||
-rw-r--r-- | pith/pine.hlp | 65 |
2 files changed, 94 insertions, 6 deletions
diff --git a/pith/conf.c b/pith/conf.c
index 0085e955..607c9f82 100644
--- a/pith/conf.c
+++ b/pith/conf.c
@@ -52,6 +52,7 @@ static char rcsid[] = "$Id: conf.c 1266 2009-07-14 18:39:12Z hubert@u.washington
 #include "../pico/osdep/mswin.h"
 #endif
+#include <openssl/ssl.h>
 #define TO_BAIL_THRESHOLD 60
@@ -8147,8 +8148,8 @@ get_supported_options(void)
 DRIVER *d;
 AUTHENTICATOR *a;
 char *title = _("Supported features in this Alpine");
- char sbuf[MAX_SCREEN_COLS+1];
- int cnt, alcnt, len, cols, disabled, any_disabled = 0;;
+ char sbuf[MAX_SCREEN_COLS+1], tmp[128];
+ int cnt, alcnt, len, cols, disabled, any_disabled = 0, i;
 /*
 * Line count:
@@ -8190,10 +8191,32 @@ get_supported_options(void)
 config[cnt] = cpystr(_(" TLS and SSL"));
 else
 config[cnt] = cpystr(_(" None (no TLS or SSL)"));
-#ifdef SSL_SUPPORTS_TLSV1_2
- if(++cnt < alcnt)
- config[cnt] = cpystr(" TLSv1.1, TLSv1.2, and DTLSv1");
-#endif
+
+ tmp[0] = tmp[1] = ' ';
+ tmp[2] = '\0';
+#ifndef OPENSSL_NO_TLS1_METHOD
+ strcat(tmp, "TLSv1, ");
+#endif /* OPENSSL_NO_TLS1_METHOD */
+#ifdef TLS1_1_VERSION
+ strcat(tmp, "TLSv1.1, ");
+#endif /* TLS1_1_VERSION */
+#ifdef TLS1_2_VERSION
+ strcat(tmp, "TLSv1.2. ");
+#endif /* TLS1_2_VERSION */
+#ifdef TLS1_3_VERSION
+ strcat(tmp, "TLSv1.3, ");
+#endif /* TLS1_3_VERSION */
+#ifdef DTLS1_VERSION
+ strcat(tmp, "DTLSv1, ");
+#endif /* DTLS1_VERSION */
+#ifdef DTLS1_2_VERSION
+ strcat(tmp, "DTLSv1.2, ");
+#endif /* DTLS1_2_VERSION */
+ if(tmp[2] != '\0'){
+ tmp[strlen(tmp)-2] = '\0';
+ if(++cnt < alcnt)
+ config[cnt] = cpystr(tmp);
+ }
 #ifdef SMIME
 if(++cnt < alcnt)
 config[cnt] = cpystr(" S/MIME");
diff --git a/pith/pine.hlp b/pith/pine.hlp
index 074558fe..4f6ce153 100644
--- a/pith/pine.hlp
+++ b/pith/pine.hlp
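Review bot: In the third hunk the protocol list is gated on `TLS1_1_VERSION`, `TLS1_2_VERSION`, `TLS1_3_VERSION`, `DTLS1_VERSION` and `DTLS1_2_VERSION`, which OpenSSL's headers define whenever the header is present, including in a library configured with that protocol disabled, so the "Supported features" screen can advertise a TLSv1.3 that the linked library will not negotiate; only the TLSv1 entry checks a disable macro. Pairing each version guard with its disable macro, e.g. `#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)`, keeps those entries consistent with the `#ifndef OPENSSL_NO_TLS1_METHOD` check above them. The separator in `strcat(tmp, "TLSv1.2. ")` is a period where every other entry uses a comma, so the displayed line reads `TLSv1.2. TLSv1.3`; it should be `strcat(tmp, "TLSv1.2, ");`. The `#include <openssl/ssl.h>` added in the first hunk is unconditional while the code it replaces sat under `#ifdef SSL_SUPPORTS_TLSV1_2`; if the tree still builds without OpenSSL, as the help text's "must be linked with an SSL library" suggests, that include needs an equivalent guard. `i` is added to the declarations in the second hunk but no use of it is visible in these hunks, and get_supported_options continues outside them.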
@@ -185,6 +185,9 @@ Additions include: <LI> NTLM authentication support with the ntlm library, in Unix systems. Based on code provided by Maciej W. Rozycki. +<LI> Add /tls1_3 flag for servers that support it. Read more information +in the secure protocols <A HREF="h_network_encryption_security">help</A>. + <LI> Add -dict option to PC-Pico, which allows users to choose a dictionary when spelling. Sample usage: -dict "en_US, de_DE, fr_FR". 
@@ -1373,6 +1376,42 @@ a new key.
 <End of help>
 </BODY>
 </HTML>
+====== h_network_encryption_security ======
+<HTML>
+<HEAD>
+<TITLE>Network Encryption Security Explained</TITLE>
+</HEAD>
+<BODY>
+<H1>Network Encryption Security Explained</H1>
+
+You can specify which encryption protocol you would like to try when
+creating a secure connection to a server. Alpine will attempt to use
+that encryption protocol, but in practice the protocol being used will
+default to the most secure protocol that both Alpine and the server
+support.
+
+<P> If you use the latest version of OpenSSL, the /ssl modifier to the
+server definition will use the most secure version of the TLS encryption
+protocol. The same will be true if you try /tls1_1 or /tls1_2, but in an
+old version of OpenSSL (pre 1.1.0 series) /tls1_1 might mean to use
+version 1.1 of the TLS protocol.
+
+<P> You will never go wrong by using the /ssl modifier. At the time of
+this writing OpenSSL had released version 1.1.1, with support for
+TLS version 1.3. If your version of OpenSSL does not support this version
+of the TLS protocol, then the /tls1_3 modifier will only mean to use
+the most secure version of the TLS protocol that OpenSSL and the
+server can negotiate. In future versions of OpenSSL, /tls1_3 might mean
+to try to negotiate a higher version of the TLS protocol.
+
+<P> In order to avoid confusion, the /ssl flag is the best way to guarantee
+the highest encryption protocol available, and it is the recommended
+modifier to the server definition to create a secure encrypted connection.
+
+<P>
+<End of help>
+</BODY>
+</HTML>
 ====== h_tls_failure_details ======
 <HTML>
 <HEAD>
@@ -20671,6 +20710,19 @@ Alpine must be linked with an SSL library for this option to be operational.
 </DD>
+<DT>DTLS1_2</DT>
+<DD>
+This parameter indicates that the connection to the server will be made
+over the SSL port, but using the DTLSv1.2 protocol, instead of the usual
+SSLv3 or SSLv2 protocols.
+Alpine must be linked with an SSL library for this option to be operational.
+
+<P>
+<CENTER><SAMP>/dtls1_2</SAMP></CENTER>
+<P>
+
+</DD>
+
 <DT>TLS1_1</DT>
 <DD>
 This parameter indicates that the connection to the server will be made
@@ -20697,6 +20749,19 @@ Alpine must be linked with an SSL library for this option to be operational.
 </DD>
+<DT>TLS1_3</DT>
+<DD>
+This parameter indicates that the connection to the server will be made
+over the SSL port, but using the TLSv1.3 protocol, instead of the usual
+SSLv3 or SSLv2 protocols.
+Alpine must be linked with an SSL library for this option to be operational.
+
+<P>
+<CENTER><SAMP>/tls1_2</SAMP></CENTER>
+<P>
+
+</DD>
+
 <DT>NoValidate-Cert</DT>
 <DD>Do not validate certificates (for TLS or SSL connections) from the server. |