[ProFTPD-committers] proftpd/contrib mod_tls.c,1.266,1.267

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Update of /cvsroot/proftp/proftpd/contrib
In directory vz-cvs-3.sog:/tmp/cvs-serv32370/contrib

Modified Files:
	mod_tls.c 
Log Message:

Support TLSv1.1 and TLSv1.2 protocol versions in the TLSProtocol directive,
assuming the version of OpenSSL used is new enough (1.0.1 and later).


Index: mod_tls.c
===================================================================
RCS file: /cvsroot/proftp/proftpd/contrib/mod_tls.c,v
retrieving revision 1.266
retrieving revision 1.267
diff -u -d -r1.266 -r1.267

--- mod_tls.c	6 Dec 2011 03:34:44 -0000	1.266
+++ mod_tls.c	10 Dec 2011 21:37:04 -0000	1.267
@@ -376,6 +376,8 @@
 
 #define TLS_PROTO_SSL_V3		0x0001
 #define TLS_PROTO_TLS_V1		0x0002
+#define TLS_PROTO_TLS_V1_1		0x0004
+#define TLS_PROTO_TLS_V1_2		0x0008
 static unsigned int tls_protocol = TLS_PROTO_SSL_V3|TLS_PROTO_TLS_V1;
 
 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
@@ -2334,7 +2336,11 @@
   if ((tls_protocol & TLS_PROTO_SSL_V3) &&
       (tls_protocol & TLS_PROTO_TLS_V1)) {
     /* This is the default, so there is no need to do anything. */
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+    pr_log_debug(DEBUG8, MOD_TLS_VERSION ": supporting SSLv3, TLSv1, TLSv1.1, TLSv1.2 protocols");
+#else
     pr_log_debug(DEBUG8, MOD_TLS_VERSION ": supporting SSLv3, TLSv1 protocols");
+#endif /* OpenSSL-1.0.1 or later */
 
   } else if (tls_protocol & TLS_PROTO_SSL_V3) {
     SSL_CTX_set_ssl_version(ssl_ctx, SSLv3_server_method());
@@ -2343,6 +2349,17 @@
   } else if (tls_protocol & TLS_PROTO_TLS_V1) {
     SSL_CTX_set_ssl_version(ssl_ctx, TLSv1_server_method());
     pr_log_debug(DEBUG8, MOD_TLS_VERSION ": supporting TLSv1 protocol only");
+
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+  } else if (tls_protocol & TLS_PROTO_TLS_V1_1) {
+    SSL_CTX_set_ssl_version(ssl_ctx, TLSv1_1_server_method());
+    pr_log_debug(DEBUG8, MOD_TLS_VERSION ": supporting TLSv1.1 protocol only");
+
+  } else if (tls_protocol & TLS_PROTO_TLS_V1_2) {
+    SSL_CTX_set_ssl_version(ssl_ctx, TLSv1_2_server_method());
+    pr_log_debug(DEBUG8, MOD_TLS_VERSION ": supporting TLSv1.2 protocol only");
+
+#endif /* OpenSSL-1.0.1 or later */
   }
 
   tls_ca_cert = get_param_ptr(main_server->conf, "TLSCACertificateFile", FALSE);
@@ -7079,6 +7096,20 @@
     } else if (strncasecmp(cmd->argv[i], "TLSv1", 6) == 0) {
       tls_protocol |= TLS_PROTO_TLS_V1;
 
+    } else if (strncasecmp(cmd->argv[i], "TLSv1.1", 8) == 0) {
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+      tls_protocol |= TLS_PROTO_TLS_V1_1;
+#else
+      CONF_ERROR(cmd, "Your OpenSSL installation does not support TLSv1.1");
+#endif /* OpenSSL 1.0.1 or later */
+
+    } else if (strncasecmp(cmd->argv[i], "TLSv1.2", 8) == 0) {
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+      tls_protocol |= TLS_PROTO_TLS_V1_2;
+#else
+      CONF_ERROR(cmd, "Your OpenSSL installation does not support TLSv1.2");
+#endif /* OpenSSL 1.0.1 or later */
+
     } else {
       CONF_ERROR(cmd, pstrcat(cmd->tmp_pool, "unknown protocol: '",
         cmd->argv[i], "'", NULL));



