[Users] TLS hardening patch
Jeffrey Walton
noloader at gmail.com
Mon Dec 12 15:49:08 UTC 2022
Hi Everyone,
Is the project interested in a patch to harden the use of TLS? Maybe
something like the following? (The patch will cover all uses of TLS,
and not just vCal).
$ git diff src/plugins/vcalendar/vcal_folder.c
diff --git a/src/plugins/vcalendar/vcal_folder.c
b/src/plugins/vcalendar/vcal_folder.c
index 3c37a6464..e94323e54 100644
--- a/src/plugins/vcalendar/vcal_folder.c
+++ b/src/plugins/vcalendar/vcal_folder.c
@@ -140,6 +140,14 @@ FolderClass vcal_class;
static GSList *created_files = NULL;
static GHashTable *hash_uids = NULL;
+/* This list performs several functions. First, it selects High strength */
+/* TLS ciphers. Second, it removes RSA key transport (!kRSA), but keeps */
+/* RSA authentication (auRSA). Third, it removes unneeded cipher suites, */
+/* like PSK and SRP. Finally, the list removes some weak and wounded */
+/* ciphers, like MD5 and RC4. The list will make for a very small */
+/* ClientHello. See https://wiki.openssl.org/index.php/SSL/TLS_Client. */
+static const char PREFERRED_CIPHERS[] =
"HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
+
struct _VCalFolder
{
Folder folder;
@@ -1597,11 +1605,23 @@ void *url_read_thread(void *data)
#ifdef G_OS_WIN32
curl_easy_setopt(curl_ctx, CURLOPT_CAINFO, claws_ssl_get_cert_file());
#endif
+#if LIBCURL_VERSION_NUM >= 0x070900
+ /* https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html */
+ /* https://wiki.openssl.org/index.php/SSL/TLS_Client */
+ curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST, PREFERRED_CIPHERS);
+#endif
#if LIBCURL_VERSION_NUM >= 0x070a00
if(vcalprefs.ssl_verify_peer == FALSE) {
curl_easy_setopt(curl_ctx, CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(curl_ctx, CURLOPT_SSL_VERIFYHOST, 0);
}
+#endif
+#if LIBCURL_VERSION_NUM >= 0x072200
+ /* cURL 7.34.0 and above. Set TLS v1.2 or above for the connection. */
+ /* TLS v1.2 and above provide AEAD ciphers. Otherwise, cURL uses */
+ /* TLS v1.0 as a default. TLS v1.0 lacks AEAD and ECC cipher suites. */
+ /* https://curl.se/libcurl/c/CURLOPT_SSLVERSION.html. */
+ curl_easy_setopt(curl_ctx, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
#endif
curl_easy_setopt(curl_ctx, CURLOPT_USERAGENT,
"Claws Mail vCalendar plugin "
@@ -1723,11 +1743,23 @@ gboolean vcal_curl_put(gchar *url, FILE *fp,
gint filesize, const gchar *user, c
#ifdef G_OS_WIN32
curl_easy_setopt(curl_ctx, CURLOPT_CAINFO, claws_ssl_get_cert_file());
#endif
+#if LIBCURL_VERSION_NUM >= 0x070900
+ /* https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html */
+ /* https://wiki.openssl.org/index.php/SSL/TLS_Client */
+ curl_easy_setopt(curl, CURLOPT_SSL_CIPHER_LIST, PREFERRED_CIPHERS);
+#endif
#if LIBCURL_VERSION_NUM >= 0x070a00
if(vcalprefs.ssl_verify_peer == FALSE) {
curl_easy_setopt(curl_ctx, CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(curl_ctx, CURLOPT_SSL_VERIFYHOST, 0);
}
+#endif
+#if LIBCURL_VERSION_NUM >= 0x072200
+ /* cURL 7.34.0 and above. Set TLS v1.2 or above for the connection. */
+ /* TLS v1.2 and above provide AEAD ciphers. Otherwise, cURL uses */
+ /* TLS v1.0 as a default. TLS v1.0 lacks AEAD and ECC cipher suites. */
+ /* https://curl.se/libcurl/c/CURLOPT_SSLVERSION.html. */
+ curl_easy_setopt(curl_ctx, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
#endif
curl_easy_setopt(curl_ctx, CURLOPT_USERAGENT,
"Claws Mail vCalendar plugin "
Jeff
More information about the Users
mailing list