From adbdd017d532b5548190a815041bed5e5a60ed2f Mon Sep 17 00:00:00 2001
From: hiro
Date: Mon, 21 Dec 2015 06:50:35 +0000
Subject: enabled TLSv1.1 and TLSv1.2 for STARTTLS.
git-svn-id: svn://sylpheed.sraoss.jp/sylpheed/trunk@3502 ee746299-78ed-0310-b773-934348b2243d
---
 ChangeLog | 5 +++++
 NEWS | 4 ++++
 libsylph/ssl.c | 8 +++++++-
 3 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 848e5366..d7800bb6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2015-12-21
+
+ * libsylph/ssl.c: ssl_init(): enabled TLSv1.1 and TLSv1.2 for
+ STARTTLS when OpenSSL 1.0.1 or later was used.
+
 2015-12-08
 * src/subscribedialog.c
diff --git a/NEWS b/NEWS
index 9371cb88..f49d9f72 100644
--- a/NEWS
+++ b/NEWS
@@ -3,10 +3,14 @@ Changes of Sylpheed
 * 3.5.0 (stable)
 * A fix for ARM architecture was made.
+ * TLSv1.1 and TLSv1.2 will be enabled for STARTTLS when OpenSSL 1.0.1 or
+ above is used.
 * Some bugfixes and stability improvements were made.
 * Win32: more fix for the crash when linked with newer MSVCRT was made.
 * Win32: irresponsibe text entries on the first display of the filter edit dialog were fixed.
+ * Win32: libpng was updated to 1.4.18.
+ * Win32: OpenSSL was updated to v0.9.8zh.
 * 3.5.0beta3 (development)
diff --git a/libsylph/ssl.c b/libsylph/ssl.c
index 4763a741..6ab2fba2 100644
--- a/libsylph/ssl.c
+++ b/libsylph/ssl.c
@@ -137,11 +137,15 @@ void ssl_init(void)
 g_warning("SSLv23 SSL_CTX_load_verify_locations failed.\n");
 }
- ssl_ctx_TLSv1 = SSL_CTX_new(TLSv1_client_method());
+ /* ssl_ctx_TLSv1 = SSL_CTX_new(TLSv1_client_method()); */
+ ssl_ctx_TLSv1 = SSL_CTX_new(SSLv23_client_method());
 if (ssl_ctx_TLSv1 == NULL) {
 debug_print(_("TLSv1 not available\n"));
 } else {
 debug_print(_("TLSv1 available\n"));
+ /* disable SSLv2/SSLv3 */
+ SSL_CTX_set_options(ssl_ctx_TLSv1,
+ SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
 if ((certs_file || certs_dir) && !SSL_CTX_load_verify_locations(ssl_ctx_TLSv1, certs_file, certs_dir))
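Review bot: The commented-out `TLSv1_client_method()` line and the unchanged "TLSv1 available" / "TLSv1 not available" debug strings in ssl_init() no longer describe this context, which now uses `SSLv23_client_method()` with `SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3` and so negotiates the highest TLS version both peers and the linked OpenSSL support rather than TLSv1 only. I would drop the dead line and put a why-comment in its place, for example `/* version-flexible method; SSLv2/SSLv3 are disabled below, so STARTTLS negotiates TLSv1.0 or later */`. The leading context line ("SSLv23 SSL_CTX_load_verify_locations failed") suggests a second context is set up above this hunk; whether it receives the same `SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3` options is not visible here and is worth confirming, since SSLv3 would otherwise presumably stay negotiable on that path. ssl_init() starts before and continues past the hunk.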
@@ -270,6 +274,8 @@ gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method)
 debug_print(_("SSL connection using %s\n"), SSL_get_cipher(sockinfo->ssl));
+ debug_print("SSL protocol version: %s\n",
+ SSL_get_version(sockinfo->ssl));
 /* Get server's certificate (note: beware of dynamic allocation) */
-- 
cgit v1.2.3