PRFileDesc *fd)
{
PRFileDesc *ssl_fd;
+ static gchar v2_enabled = -1;
g_assert (fd != NULL);
SSL_OptionSet (ssl_fd, SSL_SECURITY, PR_TRUE);
- if (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_SSL2) {
+ /* check camel.c for the same "CAMEL_SSL_V2_ENABLE" */
+ if (v2_enabled == -1)
+ v2_enabled = g_strcmp0 (g_getenv ("CAMEL_SSL_V2_ENABLE"), "1") == 0 ? 1 : 0;
+
+ if (v2_enabled && (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_SSL2) != 0) {
static gchar v2_hello = -1;
/* Zarafa server with disabled SSL v2 rejects connection when
#include <prthread.h>
#include "nss.h" /* Don't use <> here or it will include the system nss.h instead */
#include <ssl.h>
+#include <sslproto.h>
#include <errno.h>
#include <glib/gi18n-lib.h>
camel_debug_init ();
if (nss_init) {
+ static gchar v2_enabled = -1, weak_ciphers = -1;
gchar *nss_configdir = NULL;
gchar *nss_sql_configdir = NULL;
SECStatus status = SECFailure;
- PRUint16 indx;
+
+#if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && NSS_VMINOR < 14)
+ /* NSS pre-3.14 has most of the ciphers disabled, thus enable
+ * weak ciphers, if it's compiled against such */
+ weak_ciphers = 1;
+#endif
+
+ /* check camel-tcp-stream-ssl.c for the same "CAMEL_SSL_V2_ENABLE" */
+ if (v2_enabled == -1)
+ v2_enabled = g_strcmp0 (g_getenv ("CAMEL_SSL_V2_ENABLE"), "1") == 0 ? 1 : 0;
+ if (weak_ciphers == -1)
+ weak_ciphers = g_strcmp0 (g_getenv ("CAMEL_SSL_WEAK_CIPHERS"), "1") == 0 ? 1 : 0;
if (nss_initlock == NULL) {
PR_Init (PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 10);
NSS_SetDomesticPolicy ();
- PR_Unlock (nss_initlock);
+ if (weak_ciphers) {
+ PRUint16 indx;
- /* we must enable all ciphersuites */
- for (indx = 0; indx < SSL_NumImplementedCiphers; indx++) {
- if (!SSL_IS_SSL2_CIPHER (SSL_ImplementedCiphers[indx]))
- SSL_CipherPrefSetDefault (SSL_ImplementedCiphers[indx], PR_TRUE);
+ /* enable SSL3/TLS cipher-suites */
+ for (indx = 0; indx < SSL_NumImplementedCiphers; indx++) {
+ if (!SSL_IS_SSL2_CIPHER (SSL_ImplementedCiphers[indx]) &&
+ SSL_ImplementedCiphers[indx] != SSL_RSA_WITH_NULL_SHA &&
+ SSL_ImplementedCiphers[indx] != SSL_RSA_WITH_NULL_MD5)
+ SSL_CipherPrefSetDefault (SSL_ImplementedCiphers[indx], PR_TRUE);
+ }
}
- SSL_OptionSetDefault (SSL_ENABLE_SSL2, PR_TRUE);
+ SSL_OptionSetDefault (SSL_ENABLE_SSL2, v2_enabled ? PR_TRUE : PR_FALSE);
+ SSL_OptionSetDefault (SSL_V2_COMPATIBLE_HELLO, PR_FALSE);
SSL_OptionSetDefault (SSL_ENABLE_SSL3, PR_TRUE);
SSL_OptionSetDefault (SSL_ENABLE_TLS, PR_TRUE);
- SSL_OptionSetDefault (SSL_V2_COMPATIBLE_HELLO, PR_TRUE /* maybe? */);
+
+ PR_Unlock (nss_initlock);
g_free (nss_configdir);
g_free (nss_sql_configdir);