qpsmtpd/sme10/qpsmtpd-0.84-allow_tls_proto_from_config.patch

diff -Nur qpsmtpd-0.84/plugins/tls qpsmtpd-0.84_bz9162/plugins/tls
--- qpsmtpd-0.84/plugins/tls    2016-01-07 18:52:04.588735630 +0100
+++ qpsmtpd-0.84_bz9162/plugins/tls     2016-01-07 18:56:14.294727154 +0100
@@ -57,6 +57,14 @@
 and put a suitable string in config/tls_ciphers (e.g. "DEFAULT" or
 "HIGH:MEDIUM")
 
+=head1 SSL/TLS protocols versions
+
+By default, SSLv2 and SSLv3 are not accepted, leaving only TLSv1,
+TLSv1.1 or TLSv1.2 enabled. You can customize this in config/tls_protocols
+For example, this will also disabled TLSv1, leaving only TLSv1.1 and TLSv1.2
+
+SSLv23:!SSLv2:!SSLv3:!TLSv1
+
 =cut
 
 use IO::Socket::SSL 0.98; # qw(debug1 debug2 debug3 debug4);
@@ -74,6 +82,7 @@
     $self->tls_key($key);
     $self->tls_ca($ca);
     $self->tls_ciphers($self->qp->config('tls_ciphers') || 'HIGH');
+    $self->tls_protocols($self->qp->config('tls_protocols') || 'SSLv23:!SSLv2:!SSLv3');
     
     Qpsmtpd->varlog(LOGINFO, "init", "tls", "ciphers: ".$self->tls_ciphers);
 
@@ -84,7 +93,7 @@
         SSL_key_file => $self->tls_key,
         SSL_ca_file => $self->tls_ca,
         SSL_cipher_list => $self->tls_ciphers,
-        SSL_version => 'SSLv23:!SSLv2:!SSLv3:!TLSv1',
+        SSL_version => $self->tls_protocols,
         SSL_server => 1
     ) or die "Could not create SSL context: $!";
     # now extract the password...
@@ -203,7 +212,7 @@
             SSL_key_file => $self->tls_key,
             SSL_ca_file => $self->tls_ca,
             SSL_cipher_list => $self->tls_ciphers,
-            SSL_version => 'SSLv23:!SSLv2:!SSLv3:!TLSv1',
+            SSL_version => $self->tls_protocols,
             SSL_server => 1,
             SSL_reuse_ctx => $self->ssl_context,
         ) or die "Could not create SSL socket: $!";
@@ -260,6 +269,12 @@
     $self->{_tls_ciphers};
 }
 
+sub tls_protocols {
+    my $self = shift;
+    @_ and $self->{_tls_protocols} = shift;
+    $self->{_tls_protocols};
+}
+
 sub ssl_context {
     my $self = shift;
     @_ and $self->{_ssl_ctx} = shift;
1	diff -Nur qpsmtpd-0.84/plugins/tls qpsmtpd-0.84_bz9162/plugins/tls
2	--- qpsmtpd-0.84/plugins/tls 2016-01-07 18:52:04.588735630 +0100
3	+++ qpsmtpd-0.84_bz9162/plugins/tls 2016-01-07 18:56:14.294727154 +0100
4	@@ -57,6 +57,14 @@
5	and put a suitable string in config/tls_ciphers (e.g. "DEFAULT" or
6	"HIGH:MEDIUM")
7
8	+=head1 SSL/TLS protocols versions
9	+
10	+By default, SSLv2 and SSLv3 are not accepted, leaving only TLSv1,
11	+TLSv1.1 or TLSv1.2 enabled. You can customize this in config/tls_protocols
12	+For example, this will also disabled TLSv1, leaving only TLSv1.1 and TLSv1.2
13	+
14	+SSLv23:!SSLv2:!SSLv3:!TLSv1
15	+
16	=cut
17
18	use IO::Socket::SSL 0.98; # qw(debug1 debug2 debug3 debug4);
19	@@ -74,6 +82,7 @@
20	$self->tls_key($key);
21	$self->tls_ca($ca);
22	$self->tls_ciphers($self->qp->config('tls_ciphers') \|\| 'HIGH');
23	+ $self->tls_protocols($self->qp->config('tls_protocols') \|\| 'SSLv23:!SSLv2:!SSLv3');
24
25	Qpsmtpd->varlog(LOGINFO, "init", "tls", "ciphers: ".$self->tls_ciphers);
26
27	@@ -84,7 +93,7 @@
28	SSL_key_file => $self->tls_key,
29	SSL_ca_file => $self->tls_ca,
30	SSL_cipher_list => $self->tls_ciphers,
31	- SSL_version => 'SSLv23:!SSLv2:!SSLv3:!TLSv1',
32	+ SSL_version => $self->tls_protocols,
33	SSL_server => 1
34	) or die "Could not create SSL context: $!";
35	# now extract the password...
36	@@ -203,7 +212,7 @@
37	SSL_key_file => $self->tls_key,
38	SSL_ca_file => $self->tls_ca,
39	SSL_cipher_list => $self->tls_ciphers,
40	- SSL_version => 'SSLv23:!SSLv2:!SSLv3:!TLSv1',
41	+ SSL_version => $self->tls_protocols,
42	SSL_server => 1,
43	SSL_reuse_ctx => $self->ssl_context,
44	) or die "Could not create SSL socket: $!";
45	@@ -260,6 +269,12 @@
46	$self->{_tls_ciphers};
47	}
48
49	+sub tls_protocols {
50	+ my $self = shift;
51	+ @_ and $self->{_tls_protocols} = shift;
52	+ $self->{_tls_protocols};
53	+}
54	+
55	sub ssl_context {
56	my $self = shift;
57	@_ and $self->{_ssl_ctx} = shift;