From: <ma...@ne...> - 2013-11-23 06:10:27

Emmanuel Dreyfus <ma...@ne...> wrote:
> This short patch adds a few improvements to imapproxy SSL client
> - TLSv1.2 support if OpenSSL supports it

I realize that part is broken for the general case: TLSv1_2_client_method() only negotiates TLSv1.2 and will fail if the server does not support it.

The right way seems to be to use SSLv23_client_method(), which negotiates the highest available version, which includes TLSv1.2, despite what the method name suggests. That page makes it clear (even if it does not talk about 1.2):
http://www.openssl.org/docs/ssl/SSL_CTX_new.html

I will post a new patch that uses SSLv23_client_method(). TLS version can still be controlled by SSL_CTX_set_options() with SSL_OP_NO_(SSLv2|SSLv3|TLSv1|TLSv1_1|TLSv1_2).

Do we want an option to control the protocol version, or is just picking the best good enough? If we do not provide an option, I think we want to disable SSLv2, which is well known to be insecure, and SSLv3, which was not supported by imapproxy before.

Feedback is welcome.

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
ma...@ne...