author: Sergey Poznyakoff <gray@gnu.org>, 2017-03-18 10:07:30 +0200
committer: Sergey Poznyakoff <gray@gnu.org>, 2017-03-18 14:44:55 +0200
commit: afda9ba46c7eb2c061f3907dc7e80ae1ba38157b
tree: 84da1baef0e14dc0e70419913d4e1a5d84e9e16e (/NEWS)
parent: 0c8e598549a7cb99b9665f37814b006765344c43
download: mailutils-afda9ba46c7eb2c061f3907dc7e80ae1ba38157b.tar.gz, mailutils-afda9ba46c7eb2c061f3907dc7e80ae1ba38157b.tar.bz2
Rewrite TLS support
The new implementation allows for per-server certificates.
* libmu_auth/Makefile.am: Build tls support depending on the value of
MU_COND_GNUTLS.
* libmu_auth/notls.c: New file.
* libmu_auth/tls.c: Rewrite.
* libmu_auth/tlsiostr.c: New file.
* libmu_auth/tlsvar.c: New file.
* libmu_auth/tlsconf.c: New file.
* include/mailutils/sys/tls-stream.h (_mu_tls_stream): New members:
session_type, conf, cred.
(mu_tls_io_stream_create): New proto.
* include/mailutils/tls.h (mu_tls_module_config): Remove definition.
(mu_tls_config): New structure.
(mu_tls_server_stream_create): Remove proto.
(mu_tls_cert_file_checks)
(mu_tls_key_file_checks)
(mu_tls_ca_file_checks): New globals.
(MU_TLS_CERT_FILE_CHECKS)
(MU_TLS_KEY_FILE_CHECKS)
(MU_TLS_CA_FILE_CHECKS): New defines.
(mu_tls_stream_create): New proto.
(mu_tls_config_status): New constants.
(mu_tls_check_config): Remove.
(mu_tls_config_check): New function.
* include/mailutils/server.h (mu_m_server_preflight_fp): New typedef.
(mu_m_server_set_preflight): New proto.
* libmailutils/diag/debcat (tls): New category.
* libmailutils/server/ipsrv.c (mu_ip_server_get_data): New function.
* libmailutils/server/msrv.c (_mu_m_server) <preflight>: New method.
(mu_m_server_set_preflight): New function.
(mu_m_server_destroy): Destroy the srvlist.
(open_connection): New function.
(mu_m_server_run): Remove from srvlist only those servers that failed
to open. Run preflight check, if registered.
* include/mailutils/cfg.h (mu_cfg_section): New member: data.
* libmailutils/cfg/driver.c (dup_container): Copy the "data" pointer.
(mu_cfg_section_add_params): Preserve original pointer and offset when
necessary.
* libmailutils/cfg/parser.y (_scan_tree_helper): Use the section data
pointer (if set) as data target.
* configure.ac (MU_COND_GNUTLS): New conditional.
* imap4d/commands.c: Remove #ifdef WITH_TLS preprocessor conditional.
* imap4d/imap4d.c (tls_mode): Remove variable.
(imap4d_srv_config): Move definition to the header file.
Remove #ifdef WITH_TLS preprocessor conditionals.
Rename the tls configuration statement to tls-mode.
Add new subsection .server.tls.
Remove the legacy tls-required configuration statement.
(imap4d_mainloop): Change signature: take a pointer to the
struct imap4d_srv_config as the 3rd argument,
Use the cfg->tls_mode member to decide on TLS state.
(main): Call mu_tls_cfg_init.
Install server preflight checker.
* imap4d/imap4d.h: Remove #ifdef WITH_TLS preprocessor conditionals.
(imap4d_srv_config): Moved from imap4d.c.
New member: tls_conf.
(imap4d_session): New member: tls_conf
(global_tls_conf): New global.
(io_setio, imap4d_init_tls_server): Change prototypes.
* imap4d/io.c (io_setio): Change signature: take a pointer to the
struct mu_tls_config as the 3rd argument.
Rewrite TLS support.
(imap4d_init_tls_server): Take a pointer to the
struct mu_tls_config.
* imap4d/starttls.c (tls_available, tls_done): Remove globals.
(global_tls_conf): New global.
(imap4d_starttls): Keep TLS state in the session.
(tls_encryption_on): Likewise.
(starttls_init): Rewrite as a mserver preflight check function.
* pop3d/capa.c: Remove #ifdef WITH_TLS preprocessor conditional.
(capa_stls): Rewrite.
* pop3d/cmd.c (global_tls_conf): New global.
(stls_preflight): New function.
(pop3d_error_string): Rewrite using char ** array.
* pop3d/extra.c (pop3d_setio): Take a pointer to struct mu_tls_config
as the 3rd argument. Decide on TLS using it.
(pop3d_init_tls_server): Take a pointer to struct mu_tls_config.
* pop3d/pop3d.c: Rename the tls configuration statement to tls-mode.
Add new subsection .server.tls.
Remove the legacy tls-required configuration statement.
(pop3d_mainloop): Take a pointer to struct mu_tls_config
as the 3rd argument. Decide on TLS using it.
(main): Call mu_tls_cfg_init. Install server preflight check.
* pop3d/pop3d.h (pop3d_session): New member tls_conf.
(pop3d_srv_config): New definition.
(global_tls_conf): New extern.
* pop3d/stls.c: Rewrite TLS support.
* NEWS: Document new features.
* configure.ac: Version 3.2.90.
* doc/texinfo/programs.texi: Update.
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 73 |
1 files changed, 72 insertions, 1 deletions
@@ -1,10 +1,81 @@ -GNU mailutils NEWS -- history of user-visible changes. 2017-03-11 +GNU mailutils NEWS -- history of user-visible changes. 2017-03-18 Copyright (C) 2002-2017 Free Software Foundation, Inc. See the end of file for copying conditions. Please send mailutils bug reports to <bug-mailutils@gnu.org>. +Version 3.2.90 (Git) + +* TLS configuration + +Note the following changes to the TLS configuration: + +** global tls section + +The following statements have been renamed: + + ssl-cafile renamed to ssl-ca-file + ssl-cert renamed to ssl-certificate-file + ssl-key renamed to ssl-key-file + +The following statements have been removed: + + enable + key-file-safety-checks + cert-file-safety-checks + ca-file-safety-checks + +The functionality of the latter three is now moved to the +tls-file-checks section. + +Example of a valid global tls section: + + tls { + ssl-certificate-file /etc/ssl/cert/imap.pem; + ssl-key-file /etc/ssl/private/imap.key; + } + +** global tls-file-checks statement + +The tls-file-checks statement configures safety checks for SSL +certificate and key files. It is a global section. Its syntax is +as follows: + + tls-file-checks { + key-file <arg: list>; + cert-file <arg: list>; + ca-file <arg: list>; + } + +The <arg> list is a list or sequence of check names optionally +prefixed with '+' to enable or '-' to disable the corresponding check. +Valid check names are the same as in previous versions. + +Use this statement instead of the deprecated cert-file-safety-checks, +key-file-safety-checks, and ca-file-safety-checks. + +* Per-server TLS support + +It is now possible to configure per-server SSL certificates in POP3 +and IMAP4 servers. To do so, place a "tls" subsection within the +corresponding "server" section. 
The syntax of the "tls" subsection +is the same as for the global section described above, e.g.: + + server imap.example.com:143 { + tls-mode required; + tls { + ssl-certificate-file /etc/ssl/cert/imap.pem; + ssl-key-file /etc/ssl/private/imap.key; + } + } + +If the "tls" section is absent, but "tls-mode" is specified and it's +value is anything but "no", the settings from the global "tls" section +will be used. Im this case, it is an error if the global "tls" +section is not defined. + + Version 3.2 - 2017-03-11 * configuration syntax |
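Review bot: the "Per-server TLS support" paragraph at the end of the hunk has two typos that would ship in the release notes: "it's value" should read "its value" and "Im this case" should read "In this case". The same entry also omits two user-visible changes that the commit message records for both imap4d and pop3d: the per-server "tls" statement is renamed to "tls-mode", and the legacy "tls-required" statement is removed, so configurations that still use either need updating; both belong under "* Per-server TLS support" next to the example that already uses "tls-mode required;". Finally, the "tls-file-checks" entry is headed as a "statement" but the body calls it "a global section", and "Valid check names are the same as in previous versions" gives a NEWS reader nothing to consult; pick one term and either list the check names or point at the manual section that does.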