diff -Nur -x '*.orig' -x '*.rej' qpsmtpd-0.95/plugins/tls mezzanine_patched_qpsmtpd-0.95/plugins/tls
--- qpsmtpd-0.95/plugins/tls 2016-01-07 19:14:45.099736554 +0100
+++ mezzanine_patched_qpsmtpd-0.95/plugins/tls 2016-01-07 19:14:30.152736181 +0100
@@ -62,6 +62,14 @@
 and put a suitable string in config/tls_ciphers (e.g. "DEFAULT" or "HIGH:MEDIUM")
+=head1 SSL/TLS protocols versions
+
+By default, SSLv2 and SSLv3 are not accepted, leaving only TLSv1,
+TLSv1.1 or TLSv1.2 enabled. You can customize this in config/tls_protocols
+For example, this will also disabled TLSv1, leaving only TLSv1.1 and TLSv1.2
+
+SSLv23:!SSLv2:!SSLv3:!TLSv1
+
 =cut
 use strict;
@@ -94,6 +102,7 @@
 $self->tls_ca($ca);
 $self->tls_dhparam($dhparam);
 $self->tls_ciphers($self->qp->config('tls_ciphers') || 'HIGH');
+ $self->tls_protocols($self->qp->config('tls_protocols') || 'SSLv23:!SSLv2:!SSLv3');
 $self->log(LOGDEBUG, "ciphers: " . $self->tls_ciphers);
@@ -102,7 +111,7 @@
 IO::Socket::SSL::SSL_Context->new(
 # Disable SSLv2 and SSLv3 to avoid POODLE attacks. This is already
 # the default in sufficiently recent versions of IO::Socket::SSL
- SSL_version => 'SSLv23:!SSLv3:!SSLv2',
+ SSL_version => $self->tls_protocols,
 SSL_use_cert => 1,
 SSL_cert_file => $self->tls_cert,
 SSL_key_file => $self->tls_key,
@@ -226,6 +235,7 @@
 my $tlssocket = IO::Socket::SSL->new_from_fd(
 fileno(STDIN),
 '+>',
+ SSL_version => $self->tls_protocols,
 SSL_use_cert => 1,
 SSL_cert_file => $self->tls_cert,
 SSL_key_file => $self->tls_key,
@@ -286,6 +296,12 @@
 $self->{_tls_ciphers};
 }
+sub tls_protocols {
+ my $self = shift;
+ @_ and $self->{_tls_protocols} = shift;
+ $self->{_tls_protocols};
+}
+
 sub ssl_context {
 my $self = shift;
 @_ and $self->{_ssl_ctx} = shift;
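Review bot: The new POD has two wording slips that the operator setting config/tls_protocols will read: `=head1 SSL/TLS protocols versions` should be `=head1 SSL/TLS protocol versions`, and `this will also disabled TLSv1` should be `this will also disable TLSv1`. It would also help to state that the string is handed unchanged to IO::Socket::SSL's SSL_version option (as the later hunks show), so that option's syntax decides what is valid; if I recall that module's spelling correctly, excluding the minor versions is written `!TLSv1_1` / `!TLSv1_2`, not with the dots the prose uses, which is worth saying next to the example. A sentence noting that a mistyped token is presumably only rejected when the SSL context is built, not when the config file is read, would complete the picture.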
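Review bot: The selected protocol set is never logged, although the very next line logs the cipher list; a handshake that fails because config/tls_protocols is too restrictive is hard to diagnose without it. Add `$self->log(LOGDEBUG, "protocols: " . $self->tls_protocols);` beside the ciphers log line. Note that `||` also replaces an explicitly empty config value with the default, which matches the tls_ciphers line and is presumably intended. The enclosing sub starts and ends outside the hunk.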
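Review bot: The two-line comment above `SSL_version` is now stale: it describes a hard-coded exclusion of SSLv2 and SSLv3, but the value now comes from `$self->tls_protocols`, which an operator can set to re-enable them. Reword it to something like `# Protocol set comes from config/tls_protocols; the default chosen next to tls_ciphers excludes SSLv2 and SSLv3 (POODLE), but the config can relax this.` so the next reader knows where the policy lives and that it is no longer fixed. The SSL_Context->new call continues outside the hunk.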
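Review bot: This is the second copy of the same option list (SSL_version, SSL_use_cert, SSL_cert_file, SSL_key_file, …) that the SSL_Context->new call in the -102 hunk also carries, and before this change the two already disagreed on exactly this option, which is the drift a shared helper returning the common key/value pairs would prevent. If the full option lists are identical (the remainder of both calls lies outside the hunks, so I cannot confirm) consider extracting them; otherwise a comment `# keep in sync with the SSL_Context->new options` at both sites is the minimum. The new_from_fd call and its enclosing sub continue outside the hunk.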
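Review bot: The new accessor carries no comment saying what the stored value is, and this string has a specific syntax that is only checked once it reaches IO::Socket::SSL. A one-line comment above it, `# Protocol spec in IO::Socket::SSL SSL_version syntax (e.g. 'SSLv23:!SSLv2:!SSLv3'), loaded from config/tls_protocols`, saves the reader a trip to that module's documentation. The shape (no explicit `return`, `@_ and ... = shift`) matches the sibling tls_ciphers and ssl_context accessors visible in the hunk, so it is fine as written.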