bcb4e51a409d94ae670de96afb8483a4f7855294Stephan Bosch/* Copyright (c) 2013-2018 Dovecot authors, see the included COPYING file */
f29756821a4c6b12b73e4a2a3e1c230117a43773Timo Sirainen { type, #name, offsetof(struct master_service_ssl_settings, name), NULL }
f29756821a4c6b12b73e4a2a3e1c230117a43773Timo Sirainenmaster_service_ssl_settings_check(void *_set, pool_t pool, const char **error_r);
f29756821a4c6b12b73e4a2a3e1c230117a43773Timo Sirainenstatic const struct setting_define master_service_ssl_setting_defines[] = {
9864489d143fafe6f08f6a6d98a478d36458aa98Phil Carmody DEF(SET_STR, ssl_options), /* parsed as a string to set bools */
f29756821a4c6b12b73e4a2a3e1c230117a43773Timo Sirainenstatic const struct master_service_ssl_settings master_service_ssl_default_settings = {
0c83dfe6a877d636b1562da6be54674e3238dee3Martti Rannanjärvi .ssl_cipher_list = "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH",
f29756821a4c6b12b73e4a2a3e1c230117a43773Timo Sirainenconst struct setting_parser_info master_service_ssl_setting_parser_info = {
f29756821a4c6b12b73e4a2a3e1c230117a43773Timo Sirainen .defines = master_service_ssl_setting_defines,
f29756821a4c6b12b73e4a2a3e1c230117a43773Timo Sirainen .defaults = &master_service_ssl_default_settings,
f29756821a4c6b12b73e4a2a3e1c230117a43773Timo Sirainen .struct_size = sizeof(struct master_service_ssl_settings),
f29756821a4c6b12b73e4a2a3e1c230117a43773Timo Sirainen .check_func = master_service_ssl_settings_check
f29756821a4c6b12b73e4a2a3e1c230117a43773Timo Sirainen/* <settings checks> */
f29756821a4c6b12b73e4a2a3e1c230117a43773Timo Sirainenmaster_service_ssl_settings_check(void *_set, pool_t pool ATTR_UNUSED,
f29756821a4c6b12b73e4a2a3e1c230117a43773Timo Sirainen const char **error_r)
f29756821a4c6b12b73e4a2a3e1c230117a43773Timo Sirainen struct master_service_ssl_settings *set = _set;
f29756821a4c6b12b73e4a2a3e1c230117a43773Timo Sirainen /* disabled */
f29756821a4c6b12b73e4a2a3e1c230117a43773Timo Sirainen *error_r = t_strdup_printf("SSL support not compiled in but ssl=%s",
b244040178025c901c47be4fef3fa3bbc4c1e75aTimo Sirainen /* we get called from many different tools, possibly with -O parameter,
b244040178025c901c47be4fef3fa3bbc4c1e75aTimo Sirainen and few of those tools care about SSL settings. so don't check
b244040178025c901c47be4fef3fa3bbc4c1e75aTimo Sirainen ssl_cert/ssl_key/etc validity here except in doveconf, because it
b244040178025c901c47be4fef3fa3bbc4c1e75aTimo Sirainen usually is just an extra annoyance. */
f29756821a4c6b12b73e4a2a3e1c230117a43773Timo Sirainen *error_r = "ssl enabled, but ssl_cert not set";
f29756821a4c6b12b73e4a2a3e1c230117a43773Timo Sirainen *error_r = "ssl enabled, but ssl_key not set";
f29756821a4c6b12b73e4a2a3e1c230117a43773Timo Sirainen if (set->ssl_verify_client_cert && *set->ssl_ca == '\0') {
f29756821a4c6b12b73e4a2a3e1c230117a43773Timo Sirainen *error_r = "ssl_verify_client_cert set, but ssl_ca not";
9864489d143fafe6f08f6a6d98a478d36458aa98Phil Carmody /* Now explode the ssl_options string into individual flags */
9864489d143fafe6f08f6a6d98a478d36458aa98Phil Carmody /* First set them all to defaults */
9864489d143fafe6f08f6a6d98a478d36458aa98Phil Carmody /* Then modify anything specified in the string */
9864489d143fafe6f08f6a6d98a478d36458aa98Phil Carmody const char **opts = t_strsplit_spaces(set->ssl_options, ", ");
9864489d143fafe6f08f6a6d98a478d36458aa98Phil Carmody const char *opt;
7dd7e8ed41c2da4d76cc80597c253b9f0e75603bMartti Rannanjärvi if (strcasecmp(opt, "compression") == 0) {
7dd7e8ed41c2da4d76cc80597c253b9f0e75603bMartti Rannanjärvi } else if (strcasecmp(opt, "no_compression") == 0) {
7dd7e8ed41c2da4d76cc80597c253b9f0e75603bMartti Rannanjärvi i_warning("DEPRECATED: no_compression is default, "
7dd7e8ed41c2da4d76cc80597c253b9f0e75603bMartti Rannanjärvi "so it is redundant in ssl_options");
ea6bcfde34e4cced9b42f1b4f5140a47752cb0abTimo Sirainen } else if (strcasecmp(opt, "no_ticket") == 0) {
9864489d143fafe6f08f6a6d98a478d36458aa98Phil Carmody *error_r = t_strdup_printf("ssl_options: unknown flag: '%s'",
c4d66e8ccbb8440622f1a70791ed2a8f99659af1Juha Koho *error_r = "ssl_curve_list is set, but the linked openssl "
c4d66e8ccbb8440622f1a70791ed2a8f99659af1Juha Koho "version does not support it";
f29756821a4c6b12b73e4a2a3e1c230117a43773Timo Sirainen/* </settings checks> */
f29756821a4c6b12b73e4a2a3e1c230117a43773Timo Sirainenmaster_service_ssl_settings_get(struct master_service *service)
f29756821a4c6b12b73e4a2a3e1c230117a43773Timo Sirainen sets = settings_parser_get_list(service->set_parser);
b5af146eccd777e3429aef6c4da7825d53774ffeTimo Sirainenvoid master_service_ssl_settings_to_iostream_set(
b5af146eccd777e3429aef6c4da7825d53774ffeTimo Sirainen const struct master_service_ssl_settings *ssl_set, pool_t pool,
976dee5384c4827dc648c9bc53825390521c388eMartti Rannanjärvi set_r->min_protocol = p_strdup(pool, ssl_set->ssl_min_protocol);
30dca95419d100d0736cc927738966ceb33ed1d0Aki Tuomi set_r->cipher_list = p_strdup(pool, ssl_set->ssl_cipher_list);
b5af146eccd777e3429aef6c4da7825d53774ffeTimo Sirainen /* NOTE: It's a bit questionable whether ssl_ca should be used for
b5af146eccd777e3429aef6c4da7825d53774ffeTimo Sirainen clients. But at least for now it's needed for login-proxy. */
b5af146eccd777e3429aef6c4da7825d53774ffeTimo Sirainen set_r->cert.cert = p_strdup(pool, ssl_set->ssl_cert);
b5af146eccd777e3429aef6c4da7825d53774ffeTimo Sirainen set_r->cert.key = p_strdup(pool, ssl_set->ssl_key);
b5af146eccd777e3429aef6c4da7825d53774ffeTimo Sirainen set_r->cert.key_password = p_strdup(pool, ssl_set->ssl_key_password);
b5af146eccd777e3429aef6c4da7825d53774ffeTimo Sirainen if (ssl_set->ssl_alt_cert != NULL && *ssl_set->ssl_alt_cert != '\0') {
b5af146eccd777e3429aef6c4da7825d53774ffeTimo Sirainen set_r->alt_cert.cert = p_strdup(pool, ssl_set->ssl_alt_cert);
b5af146eccd777e3429aef6c4da7825d53774ffeTimo Sirainen set_r->alt_cert.key = p_strdup(pool, ssl_set->ssl_alt_key);
b5af146eccd777e3429aef6c4da7825d53774ffeTimo Sirainen set_r->alt_cert.key_password = p_strdup(pool, ssl_set->ssl_key_password);
21f7563c2b9893bfdc72cba3daaddc76b01f8d33Timo Sirainen set_r->verify_remote_cert = ssl_set->ssl_verify_client_cert;
21f7563c2b9893bfdc72cba3daaddc76b01f8d33Timo Sirainen set_r->allow_invalid_cert = !set_r->verify_remote_cert;
b5af146eccd777e3429aef6c4da7825d53774ffeTimo Sirainen set_r->ca_file = p_strdup(pool, ssl_set->ssl_client_ca_file);
b5af146eccd777e3429aef6c4da7825d53774ffeTimo Sirainen set_r->ca_dir = p_strdup(pool, ssl_set->ssl_client_ca_dir);
30dca95419d100d0736cc927738966ceb33ed1d0Aki Tuomi set_r->crypto_device = p_strdup(pool, ssl_set->ssl_crypto_device);
8ca7d305e0fd5b2282172ee9cc7a9fb3ff38b7fcTimo Sirainen set_r->cert_username_field = p_strdup(pool, ssl_set->ssl_cert_username_field);
30dca95419d100d0736cc927738966ceb33ed1d0Aki Tuomi set_r->verbose_invalid_cert = ssl_set->verbose_ssl;
30c5c1fc3608ae575f11960281d3e338b6bf7bc8Timo Sirainen set_r->skip_crl_check = !ssl_set->ssl_require_crl;
30dca95419d100d0736cc927738966ceb33ed1d0Aki Tuomi set_r->prefer_server_ciphers = ssl_set->ssl_prefer_server_ciphers;