master-service-ssl-settings.c revision 976dee5384c4827dc648c9bc53825390521c388e
/* Copyright (c) 2013-2017 Dovecot authors, see the included COPYING file */
#include "lib.h"
#include "settings-parser.h"
#include "master-service-private.h"
#include "master-service-ssl-settings.h"
#include "iostream-ssl.h"
#include <stddef.h>
static bool
/* Setting definitions for the "ssl" settings module. The initializer is
 * empty in this listing; presumably the SETTING_DEFINE_* entries did not
 * survive extraction — verify against the upstream file before relying on
 * this table. */
static const struct setting_define master_service_ssl_setting_defines[] = {
};
/* Built-in default values for the ssl settings module. Only the literal
 * values are visible here; the config parser presumably overrides them from
 * the user's configuration, and the meaning of each field is inferred from
 * its name unless noted otherwise. */
static const struct master_service_ssl_settings master_service_ssl_default_settings = {
/* Both builds list the same three options; only which one comes first
 * differs between an SSL-enabled and a non-SSL build (presumably the first
 * entry is the effective default — confirm against the enum setting
 * convention). */
#ifdef HAVE_SSL
.ssl = "yes:no:required",
#else
.ssl = "no:yes:required",
#endif
/* Certificate/key material is unset by default; a later check (partially
 * visible below) rejects an ssl-enabled configuration without them. */
.ssl_ca = "",
.ssl_cert = "",
.ssl_key = "",
.ssl_alt_cert = "",
.ssl_alt_key = "",
.ssl_key_password = "",
.ssl_client_ca_file = "",
.ssl_client_ca_dir = "",
.ssl_dh = "",
/* Default cipher string (OpenSSL syntax): starts from ALL and removes
 * static-RSA key exchange (kRSA), SRP, DSS, anonymous (aNULL/ADH), null,
 * export-grade, DES/3DES, MD5, PSK, RC4 and LOW suites, then sorts by
 * strength (@STRENGTH). NOTE(review): a site override should keep at least
 * the aNULL/eNULL/EXPORT exclusions, otherwise unauthenticated or
 * unencrypted suites become negotiable. */
.ssl_cipher_list = "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH",
.ssl_curve_list = "",
/* Presumably the lowest protocol version accepted. NOTE(review): TLS 1.0
 * and 1.1 are deprecated (RFC 8996); deployments without legacy clients
 * should raise this floor. */
.ssl_min_protocol = "TLSv1",
/* X.509 subject field presumably used as the username when a client
 * certificate is accepted — confirm against the certificate code. */
.ssl_cert_username_field = "commonName",
.ssl_crypto_device = "",
/* CRL checking appears to be on by default (field name only — verify
 * where this flag is consumed). */
.ssl_require_crl = TRUE,
.verbose_ssl = FALSE,
/* Free-form option string; parsed into individual flags by the settings
 * check below. */
.ssl_options = "",
};
/* Registration record for the "ssl" settings module: names the module and
 * gives the size of the struct the parser fills. This listing shows no
 * members linking it to the defines/defaults tables above (presumably lost
 * in extraction — verify against the upstream file). */
const struct setting_parser_info master_service_ssl_setting_parser_info = {
.module_name = "ssl",
.struct_size = sizeof(struct master_service_ssl_settings),
};
/* <settings checks> */
static bool
const char **error_r)
{
/* disabled */
return TRUE;
}
#ifndef HAVE_SSL
return FALSE;
#else
/* we get called from many different tools, possibly with -O parameter,
and few of those tools care about SSL settings. so don't check
usually is just an extra annoyance. */
#ifdef CONFIG_BINARY
*error_r = "ssl enabled, but ssl_cert not set";
return FALSE;
}
*error_r = "ssl enabled, but ssl_key not set";
return FALSE;
}
*error_r = "ssl enabled, but ssl_dh not set";
return FALSE;
}
#endif
*error_r = "ssl_verify_client_cert set, but ssl_ca not";
return FALSE;
}
/* Now explode the ssl_options string into individual flags */
/* First set them all to defaults */
/* Then modify anything specified in the string */
const char *opt;
#ifdef CONFIG_BINARY
i_warning("DEPRECATED: no_compression is default, "
"so it is redundant in ssl_options");
#endif
} else {
opt);
return FALSE;
}
}
#ifndef HAVE_SSL_CTX_SET1_CURVES_LIST
*error_r = "ssl_curve_list is set, but the linked openssl "
"version does not support it";
return FALSE;
}
#endif
return TRUE;
#endif
}
/* </settings checks> */
const struct master_service_ssl_settings *
{
void **sets;
return sets[1];
}
struct ssl_iostream_settings *set_r)
{
/* NOTE: It's a bit questionable whether ssl_ca should be used for
clients. But at least for now it's needed for login-proxy. */
switch (type) {
}
break;
break;
}
}