From bdbf74de24041c8fb4defc1b63b414e4267114af Mon Sep 17 00:00:00 2001
From: Eduardo Chappa
Date: Mon, 13 Sep 2021 00:36:29 -0600
Subject: * Enabled encryption protocols in PC-Alpine are based on those enabled in the system, unless one is specified directly.
---
 imap/src/osdep/nt/ssl_win.c | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)
(limited to 'imap/src/osdep/nt/ssl_win.c')
diff --git a/imap/src/osdep/nt/ssl_win.c b/imap/src/osdep/nt/ssl_win.c
index a6af01e3..cd8aaf83 100644
--- a/imap/src/osdep/nt/ssl_win.c
+++ b/imap/src/osdep/nt/ssl_win.c
@@ -280,7 +280,7 @@ static SSLSTREAM *ssl_start (TCPSTREAM *tstream,char *host,unsigned long flags)
 unsigned long size = 0;
 int minv = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MIN, NULL);
 int maxv = *(int *) mail_parameters(NULL, GET_ENCRYPTION_RANGE_MAX, NULL);
- int i, client_request, range;
+ int i, client_request;
 sslcertificatequery_t scq = (sslcertificatequery_t) mail_parameters (NIL,GET_SSLCERTIFICATEQUERY,NIL);
 sslfailure_t sf = (sslfailure_t) mail_parameters (NIL,GET_SSLFAILURE,NIL);
@@ -304,16 +304,10 @@ static SSLSTREAM *ssl_start (TCPSTREAM *tstream,char *host,unsigned long flags)
 if(client_request < minv || client_request > maxv)
 return NIL; /* out of range? bail out */
- if (flags & NET_TRYTLS1) range = SP_PROT_TLS1;
- else if (flags & NET_TRYTLS1_1) range = SP_PROT_TLS1_1;
- else if (flags & NET_TRYTLS1_2) range = SP_PROT_TLS1_2;
- else {
- for(i = 0, range; ssl_versions[i].name != NULL; i++)
- range |= (ssl_versions[i].version >= minv
- && ssl_versions[i].version <= maxv)
- ? ssl_versions[i].version : 0;
- }
- tlscred.grbitEnabledProtocols = range;
+ if (flags & NET_TRYTLS1) tlscred.grbitEnabledProtocols = SP_PROT_TLS1;
+ else if (flags & NET_TRYTLS1_1) tlscred.grbitEnabledProtocols = SP_PROT_TLS1_1;
+ else if (flags & NET_TRYTLS1_2) tlscred.grbitEnabledProtocols = SP_PROT_TLS1_2;
+ else tlscred.grbitEnabledProtocols = 0; /* use default TLS, see https://docs.microsoft.com/en-us/security/engineering/solving-tls1-problem */
 /* acquire credentials */
 if (sft->AcquireCredentialsHandle
-- cgit v1.2.3-70-g09d2
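Review bot: The final `else` branch sets `tlscred.grbitEnabledProtocols = 0`, so the configured encryption range (`minv`/`maxv`, still read at the top of `ssl_start`) no longer limits which protocol versions Schannel may offer when no specific version is requested. The range check just above is applied only to `client_request`, so on a Windows system whose defaults still enable an older TLS version, a session could presumably be negotiated below the user's configured minimum without any error. If deferring entirely to the OS is intended, the comment should say so, e.g. `/* 0 = Schannel system defaults; minv/maxv are NOT enforced on this path */`. Otherwise, once the handshake completes, the negotiated protocol could be read with `QueryContextAttributes` (`SECPKG_ATTR_CONNECTION_INFO`, field `dwProtocol`) and the connection refused when it falls outside the range. The body of `ssl_start` continues outside the hunk, so such a check may already exist further down.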