plugins/tls uses only ciphers that openssl considers to be "high security". While this is a Good Thing, I found that one client I need (versamail 3.x) needs ciphers not classified by openssl as "high security" (specifically, it needs either RC4-SHA or RC5-MD5). I wouldn't be surprised if other folks run into this problem, so I wrote a little patch that allows for a config/tls_ciphers that takes strings of the format described in http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS, and passes it straight to IO::Socket::SSL.

Cheers,
Brian

--- qpsmtpd-0.3x/plugins/tls    2006-10-02 22:51:34.000000000 -0400
+++ qpsmtpd/plugins/tls 2006-10-02 22:54:06.000000000 -0400
@@ -46,6 +46,15 @@
give absolute pathnames to the certificate, key, and the CA root cert
used to sign that certificate.
+=head1 CIPHERS and COMPATIBILITY
+
+By default, we use only the plugins that openssl considers to be
+"high security". If you need to tweak the available ciphers for some
+broken client (such as Versamail 3.x), have a look at the available
+ciphers at http://www.openssl.org/docs/apps/ ciphers.html#CIPHER_STRINGS,
+and put a suitable string in config/tls_ciphers (e.g. "DEFAULT" or
+"HIGH:MEDIUM")
+
=cut
use IO::Socket::SSL;# qw(debug1 debug2 debug3 debug4);
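Review bot: typo in the new POD paragraph under "=head1 CIPHERS and COMPATIBILITY": "we use only the plugins that openssl considers to be "high security"" should say "ciphers", and the URL is split by a space ("apps/ ciphers.html"). The paragraph is also the only place the fallback behaviour is documented, so say it outright, e.g. "If config/tls_ciphers is missing or empty the plugin uses "HIGH"." Finally, the suggested values steer operators toward the widest change: for the Versamail case "HIGH:RC4-SHA" adds only the one cipher that client needs, whereas "DEFAULT" or "HIGH:MEDIUM" re-enables every medium-strength suite for every client, so the examples should lead with the narrow form.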
@@ -63,13 +72,15 @@
     $self->tls_key($key);
     $self->tls_ca($ca);

+ $self->log(LOGINFO, "ciphers: ".$self->qp->config('tls_ciphers') || 'HIGH');
+
     local $^W; # this bit is very noisy...
     my $ssl_ctx = IO::Socket::SSL::SSL_Context->new(
         SSL_use_cert => 1,
         SSL_cert_file => $self->tls_cert,
         SSL_key_file => $self->tls_key,
         SSL_ca_file => $self->tls_ca,
-        SSL_cipher_list => 'HIGH',
+        SSL_cipher_list => $self->qp->config('tls_ciphers') || 'HIGH',
         SSL_server => 1
     ) or die "Could not create SSL context: $!";
     # now extract the password...
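Review bot: operator precedence bug in the new log line: in `"ciphers: ".$self->qp->config('tls_ciphers') || 'HIGH'` the concatenation binds tighter than `||`, so `||` always sees a non-empty string and the fallback never applies; with no config/tls_ciphers the log reads "ciphers: " while the context two lines later correctly uses HIGH. Read the value once into a lexical and use it in both places, e.g. `my $ciphers = $self->qp->config('tls_ciphers') || 'HIGH';`, `$self->log(LOGINFO, "ciphers: $ciphers");` and `SSL_cipher_list => $ciphers,`. Since the patch now lets an operator-supplied string reach SSL_cipher_list, a typo in it surfaces only as "Could not create SSL context: $!", and `$!` does not carry IO::Socket::SSL's error; include `$ciphers` in that die message so the bad value is diagnosable from the log.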
@@ -149,7 +160,7 @@
             SSL_cert_file => $self->tls_cert,
             SSL_key_file => $self->tls_key,
             SSL_ca_file => $self->tls_ca,
-            SSL_cipher_list => 'HIGH',
+ SSL_cipher_list => $self->qp->config('tls_ciphers') || 'HIGH',
             SSL_server => 1,
             SSL_reuse_ctx => $self->ssl_context,
         ) or die "Could not create SSL socket: $!";
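Review bot: this is the third copy of `$self->qp->config('tls_ciphers') || 'HIGH'`, and the changed line is indented differently from the surrounding SSL_* keys. Rather than repeating the lookup and the fallback at each call site, follow the pattern already used for the certificate paths (`$self->tls_key($key)` in the first hunk): store the cipher string once in an accessor such as `$self->tls_ciphers(...)` at init and pass `SSL_cipher_list => $self->tls_ciphers` here and in the context setup. That keeps the two sites from drifting apart and avoids redoing the config lookup each time this socket is created; since the socket is built with `SSL_reuse_ctx => $self->ssl_context`, the two values must in any case agree with what the context was created with.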

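As an added example, not from the original post or from qpsmtpd: a POSIX shell script that expands a candidate config/tls_ciphers value with openssl(1) the way IO::Socket::SSL will, refuses strings openssl rejects (which is what would otherwise leave qpsmtpd unable to build its SSL context), and lists exactly which ciphers a string such as HIGH:RC4-SHA enables beyond the plugin's HIGH default. It assumes openssl is on PATH and that the config file holds the cipher string on its first non-comment line; the file path, the sample config contents and the helper names are mine.

```shell
#!/bin/sh
# Added example (not part of the original post or of qpsmtpd): sanity-check a
# candidate config/tls_ciphers value before restarting qpsmtpd with it.
# Assumes openssl(1) is on PATH. Config-file layout (first non-comment line,
# HIGH when absent) is an assumption mirroring the patch's `|| 'HIGH'` fallback.

# Expand an OpenSSL cipher string to one cipher name per line.
# Prints nothing if the string is invalid or matches no cipher.
expand_ciphers() {
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n'
}

# Succeed only if the string enables at least one cipher; openssl rejects
# the same strings IO::Socket::SSL would reject when building the context.
valid_cipher_string() {
    expand_ciphers "$1" | grep -q .
}

# Succeed if cipher $2 is enabled by cipher string $1.
cipher_in_list() {
    expand_ciphers "$1" | grep -qx "$2"
}

# List the ciphers that $1 enables beyond openssl's HIGH set, i.e. exactly
# what the operator is giving up relative to the plugin's default.
non_high_ciphers() {
    high=$(expand_ciphers HIGH)
    expand_ciphers "$1" | while read -r c; do
        printf '%s\n' "$high" | grep -qx "$c" || printf '%s\n' "$c"
    done
}

# First non-comment, non-blank line of the config file (trailing whitespace
# stripped), or HIGH if the file is missing or has no such line.
read_tls_ciphers() {
    v=
    [ -r "$1" ] && v=$(sed -n -e '/^[[:space:]]*#/d' \
                              -e 's/[[:space:]]*$//' \
                              -e '/./{p;q;}' "$1")
    printf '%s\n' "${v:-HIGH}"
}

# Check a config file: returns 0 if usable (warning about any non-HIGH
# ciphers it enables), 1 if the string is not a valid OpenSSL cipher string.
check_tls_ciphers() {
    s=$(read_tls_ciphers "$1")
    if ! valid_cipher_string "$s"; then
        echo "tls_ciphers '$s' is not a valid OpenSSL cipher string" >&2
        return 1
    fi
    extra=$(non_high_ciphers "$s")
    if [ -n "$extra" ]; then
        echo "tls_ciphers '$s' enables these ciphers outside HIGH:" >&2
        printf '  %s\n' $extra >&2
    fi
    return 0
}

# Constructed sample config, as an operator might write it for one legacy
# client: keep HIGH and add a single extra cipher rather than DEFAULT.
tmp=$(mktemp)
printf '# allow one extra cipher for a legacy client\nHIGH:RC4-SHA\n' > "$tmp"
check_tls_ciphers "$tmp" && echo "config OK: $(read_tls_ciphers "$tmp")"
rm -f "$tmp"
```

Run it against the real file with `check_tls_ciphers /path/to/qpsmtpd/config/tls_ciphers`; on an OpenSSL build that no longer ships RC4 the extra token is silently ignored and the warning stays empty, which is itself useful to know before assuming the client will connect.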