#include "mutt.h"
#include "mutt_socket.h"
+@import "../lib-lua/base.cpkg"
+
+@package mod_ssl {
+ bool force_tls = 0;
+ /*
+ ** .pp
+ ** If this variable is \fIset\fP, Madmutt will require that all connections
+ ** to remote servers be encrypted. Furthermore it will attempt to
+ ** negotiate TLS even if the server does not advertise the capability,
+ ** since it would otherwise have to abort the connection anyway. This
+ ** option supersedes ``$$ssl_starttls''.
+ */
+ bool starttls = 1;
+ /*
+ ** .pp
+ ** If \fIset\fP (the default), Madmutt will attempt to use STARTTLS on servers
+ ** advertising the capability. When \fIunset\fP, Madmutt will not attempt to
+ ** use STARTTLS regardless of the server's capabilities.
+ */
+ bool use_sslv3 = 1;
+ /*
+ ** .pp
+ ** This variables specifies whether to attempt to use SSLv3 in the
+ ** SSL authentication process.
+ */
+ bool use_tlsv1 = 1;
+ /*
+ ** .pp
+ ** This variables specifies whether to attempt to use TLSv1 in the
+ ** SSL authentication process.
+ */
+
+ int min_dh_prime_bits = 0;
+ /*
+ ** .pp
+ ** This variable specifies the minimum acceptable prime size (in bits)
+ ** for use in any Diffie-Hellman key exchange. A value of 0 will use
+ ** the default from the GNUTLS library.
+ */
+
+ path_t cert_file = m_strdup("~/.cache/madmutt/certificates");
+ /*
+ ** .pp
+ ** This variable specifies the file where the certificates you trust
+ ** are saved. When an unknown certificate is encountered, you are asked
+ ** if you accept it or not. If you accept it, the certificate can also
+ ** be saved in this file and further connections are automatically
+ ** accepted.
+ ** .pp
+ ** You can also manually add CA certificates in this file. Any server
+ ** certificate that is signed with one of these CA certificates are
+ ** also automatically accepted.
+ ** .pp
+ ** Example: \fTset certificate_file=~/.madmutt/certificates\fP
+ */
+
+ path_t ca_certificates_file = NULL;
+ /*
+ ** .pp
+ ** This variable specifies a file containing trusted CA certificates.
+ ** Any server certificate that is signed with one of these CA
+ ** certificates are also automatically accepted.
+ ** .pp
+ ** Example: \fTset ssl_ca_certificates_file=/etc/ssl/certs/ca-certificates.crt\fP
+ */
+};
+
typedef struct _tlssockdata {
gnutls_session state;
gnutls_certificate_credentials xcred;
return -1;
}
- gnutls_certificate_set_x509_trust_file (data->xcred, SslCertFile,
+ gnutls_certificate_set_x509_trust_file (data->xcred, mod_ssl.cert_file,
GNUTLS_X509_FMT_PEM);
/* ignore errors, maybe file doesn't exist yet */
- if (SslCACertFile) {
- gnutls_certificate_set_x509_trust_file (data->xcred, SslCACertFile,
+ if (mod_ssl.ca_certificates_file) {
+ gnutls_certificate_set_x509_trust_file (data->xcred,
+ mod_ssl.ca_certificates_file,
GNUTLS_X509_FMT_PEM);
}
gnutls_transport_set_ptr (data->state, (gnutls_transport_ptr)(intptr_t)conn->fd);
/* disable TLS/SSL protocols as needed */
- if (!option (OPTTLSV1) && !option (OPTSSLV3)) {
+ if (!mod_ssl.use_tlsv1 && !mod_ssl.use_sslv3) {
mutt_error (_("All available protocols for TLS/SSL connection disabled"));
goto fail;
}
- else if (!option (OPTTLSV1)) {
+ else if (!mod_ssl.use_tlsv1) {
protocol_priority[0] = GNUTLS_SSL3;
protocol_priority[1] = 0;
}
- else if (!option (OPTSSLV3)) {
+ else if (!mod_ssl.use_sslv3) {
protocol_priority[0] = GNUTLS_TLS1;
protocol_priority[1] = 0;
}
gnutls_set_default_priority (data->state);
gnutls_protocol_set_priority (data->state, protocol_priority);
- if (SslDHPrimeBits > 0) {
- gnutls_dh_set_prime_bits (data->state, SslDHPrimeBits);
+ if (mod_ssl.min_dh_prime_bits > 0) {
+ gnutls_dh_set_prime_bits(data->state, mod_ssl.min_dh_prime_bits);
}
/*
unsigned char *b64_data_data;
struct stat filestat;
- if (stat (SslCertFile, &filestat) == -1)
+ if (stat(mod_ssl.cert_file, &filestat) == -1)
return 0;
b64_data.size = filestat.st_size + 1;
b64_data_data[b64_data.size - 1] = '\0';
b64_data.data = b64_data_data;
- fd1 = fopen (SslCertFile, "r");
+ fd1 = fopen(mod_ssl.cert_file, "r");
if (fd1 == NULL) {
return 0;
}
regmatch_t pmatch[3];
/* try checking against names stored in stored certs file */
- if ((fp = fopen (SslCertFile, "r"))) {
+ if ((fp = fopen(mod_ssl.cert_file, "r"))) {
if (regcomp
(&preg,
"^#H ([a-zA-Z0-9_\\.-]+) ([0-9A-F]{4}( [0-9A-F]{4}){7})[ \t]*$",
menu->title = _("TLS/SSL Certificate check");
/* certificates with bad dates, or that are revoked, must be
accepted manually each and every time */
- if (SslCertFile && !certerr_expired && !certerr_notyetvalid
+ if (mod_ssl.cert_file && !certerr_expired && !certerr_notyetvalid
&& !certerr_revoked) {
menu->prompt = _("(r)eject, accept (o)nce, (a)ccept always");
menu->keys = _("roa");
break;
case OP_MAX + 3: /* accept always */
done = 0;
- if ((fp = fopen (SslCertFile, "a"))) {
+ if ((fp = fopen(mod_ssl.cert_file, "a"))) {
/* save hostname if necessary */
if (certerr_hostname) {
fprintf (fp, "#H %s %s\n", conn->account.host, fpbuf);
gnutls_x509_crt_deinit (cert);
return (done == 2);
}
+
+/* vim:set ft=c: */
projects / apps / madmutt.git / blobdiff