#Defaults
SMTPPORTS="|||5,smtps||465|3,smtp||587|2"
#------------------------------------------------
+#SSL Security level default value
+#CIPHER_LIST="DEFAULT"
+#SSL_SECURITY=2
+#------------------------------------------------
#Defining SERVER mode Certificate data
CA_ROOT_SRV="/etc/pki/mailleur/root-safe_CA.pem"
CA_CERT_SRV="/etc/pki/mailleur/mailleur-cert.pem"
#------------------------------------------------
#The list of public blacklist serveur
BLACKLISTER=/etc/mailleur/blacklister.conf
-#the list of IP from which we accept to releay email
+#the list of IP from which we accept to relay email
RELAYABLE=/etc/mailleur/relayed.conf
#------------------------------------------------
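Review bot: The new `#SSL_SECURITY=2` comment on L6 documents a default but not what the number means or which values are accepted, and an out-of-range value here loosens rather than tightens the policy. I would extend it to `#SSL_SECURITY: OpenSSL security level 0-5; 0 permits everything, 2 (default) rejects keys below 112-bit strength, RC4, SSLv3 and compression`. It is also worth saying next to `#CIPHER_LIST` on L5 that the list only governs TLS 1.2 and earlier; TLS 1.3 suites are configured through OpenSSL's separate ciphersuites setting and are not affected by this value.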
#SMTPPORTS="|127.127.10.25|1025|"
#SMTPPORTS="smtps|127.127.10.25|1065|1"
#------------------------------------------------
+#SSL Security level
+#CIPHER_LIST="ECDHE-ECDSA-AES256-GCM-SHA384"
+#SSL_SECURITY=3
+#------------------------------------------------
#Defining SERVER mode Certificate data
CA_ROOT_SRV="./certs/root-safe_CA.pem"
CA_CERT_SRV="./certs/mailleur_server-chain-cert_x509.pem"
#------------------------------------------------
#The list of public blacklist serveur
BLACKLISTER=/etc/mailleur/blacklister.conf
-#the list of IP from which we accept to releay email
-RELAYABLE=/etc/mailleur/relayed.conf
+#the list of IP from which we accept to relay email
+RELAYABLE=/etc/mailleur/relayed.conf.dvl
#------------------------------------------------
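Review bot: L34 repoints RELAYABLE, the list of IPs allowed to relay mail, at a `.dvl` file, so the relay policy of this configuration is now whatever that development list contains. The `./certs/` paths on L26-L27 suggest this is a development profile, but nothing in the file marks it as such; I would add `#development relay list - do not install this file under /etc/mailleur` above L34 so an over-permissive dev list cannot quietly become the production relay ACL. The `#CIPHER_LIST` example on L22 is a TLS 1.2 suite name and has no effect on TLS 1.3 ciphersuites, which OpenSSL configures separately.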
{
#define OPEP "devsoc.c:soc_starttls,"
+
_Bool ok;
SOCTYP *soc;
}
}
return ok;
+
#undef OPEP
}
/*
*/
/********************************************************/
/* */
+/* Procedure to return the security level used by */
+/* a crypted channel. */
+/* */
+/********************************************************/
+PUBLIC int soc_get_sec_level(SOCPTR *socptr)
+
+{
+int level;
+
+level=-1;
+if (socptr!=(SOCPTR *)0) {
+ register SOCTYP *soc;
+
+ soc=(SOCTYP *)socptr;
+ level=tls_get_sec_level(soc->tls);
+ }
+return level;
+}
+/*
+^L
+*/
+/********************************************************/
+/* */
/* Procedure to return true if sthe socket is */
/* in crypted mode. */
/* */
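Review bot: soc_get_sec_level returns -1 both when socptr is NULL (L60-L61) and when the socket carries no TLS object (tls_get_sec_level returns -1 for a NULL tls), but the header comment on L51-L52 only says it returns the level of a crypted channel, so callers have no documented reason to treat the value as possibly invalid. I would add `/* Returns -1 if socptr is NULL or the socket has no */` `/* TLS object attached (presumably: not in crypted mode). */` to the header. Callers that format the result directly will otherwise log -1 as if it were a real level.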
//procedure to initiate crypted mode on plain channel
extern _Bool soc_starttls(SOCPTR *socptr,_Bool server);
+//procedure to return the security level within a TLS link
+extern int soc_get_sec_level(SOCPTR *socptr);
+
//return flag true if socket is in crypted mode
extern _Bool soc_iscrypted(SOCPTR *socptr);
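Review bot: The prototype comment on L79 should carry the error contract of the new function, since the header is where callers look: `//return the OpenSSL security level configured on a TLS link, or -1 if socptr is NULL or no TLS object is attached`. The value is the policy level set on the SSL object, not a measure of the negotiated session, and the comment should not suggest otherwise.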
#include "lvleml.h"
#define RELAYS "RELAYABLE"
+
+static const char *cry="(crypted link is now set in '%s' mode, security level='%d')";
+
/*
^L
*/
case SIGNON : //link is now encrypted
done=soc_starttls(rmt->socptr,false);
switch (done) {
- case true :
- (void) log_fprintlog(rmt->logptr,false,"crypted link is now set");
+ case true : {
+ int level;
+
+ level=soc_get_sec_level(rmt->socptr);
+ (void) log_fprintlog(rmt->logptr,false,cry,"client",level);
(void) usleep(10000); //10 ms delay
rspcode=simple_smtp_command(rmt,"EHLO %s",rmt->orgdomain);
switch (rspcode) {
done=false;
break;
}
+ }
break;
case false :
(void) log_fprintlog(rmt->logptr,false,"Unable to set crypted link");
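Review bot: The level logged at L100-L101 is the security level configured on the SSL object (tls_get_sec_level wraps SSL_get_security_level, which reports the policy minimum), not the strength of what was actually negotiated, so a line reading `security level='2'` can be taken as an assurance about the link that this code does not establish. For triage the negotiated protocol and cipher are the useful facts; I would either add an accessor around SSL_get_version/SSL_get_cipher_name and log those alongside, or reword the format to `configured security level='%d'`. Nothing in this hunk verifies the peer certificate after the upgrade; if soc_starttls does not call tls_verify for the client side, the STARTTLS upgrade only defeats passive observation. The enclosing switch continues outside the hunk.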
(void) usleep(100000);
(void) transmit(contact,true,"%d 2.0.0 Ready to start TLS",SIGNON);
switch (soc_starttls(contact->socptr,true)) {
- case true : //link now in TLS crypted mode
+ case true : { //link now in TLS crypted mode (server mode)
+ int level;
+
+ level=soc_get_sec_level(contact->socptr);
+ (void) log_fprintlog(contact->logptr,false,cry,"server",level);
+ }
break;
case false : //unable to establish link
(void) transmit(contact,true,"%d 5.3.3 command starttls not successful",
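Review bot: soc_get_sec_level returns -1 when the socket has no TLS object, and L119-L120 logs that value unchanged, so a reader sees `security level='-1'` on a link that the same line reports as crypted, with no hint that the lookup failed. I would branch on it: `if (level<0) (void) log_fprintlog(contact->logptr,false,"crypted link is now set in 'server' mode, security level unknown"); else (void) log_fprintlog(contact->logptr,false,cry,"server",level);`. The number itself is the configured policy level rather than the negotiated cipher strength, which the message should make clear for anyone reading the log after an incident.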
#define OPEP "unitls.c:set_crypting"
static const char *cenv[]={"CA_KEY","CA_CERT","CA_ROOT","CA_VERIFY"};
+static const char *envsec="SSL_SECURITY";
int done;
const char *certs[sizeof(cenv)/sizeof(char *)];
const SSL_METHOD *(*tls_methode)();
+const char *cipher_list;
+int seclevel;
const char *certext;
int mode;
int phase;
done=false;
tls_methode=TLS_client_method;
+if ((cipher_list=getenv("CIPHER_LIST"))==(char *)0)
+ cipher_list=SSL_CIPHER_LIST;
+if (getenv(envsec)!=(char *)0)
+ seclevel=atoi(getenv(envsec));
+else
+ seclevel=2;
certext="CLT";
if (tls->server==true) {
tls_methode=TLS_server_method;
(void) SSL_CTX_set_purpose(tls->ctx,X509_PURPOSE_ANY);
(void) SSL_CTX_set_verify_depth(tls->ctx,7);
(void) SSL_CTX_set_options(tls->ctx,SSL_OP_ALL);
- if (SSL_CTX_set_cipher_list(tls->ctx,SSL_CIPHER_LIST)==0) {
+ (void) SSL_CTX_set_security_level(tls->ctx,seclevel);
+ if (SSL_CTX_set_cipher_list(tls->ctx,cipher_list)==0) {
(void) showtlserror(tls,0,"No cipher list");
phase=999;
}
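Review bot: L141 feeds SSL_SECURITY through atoi with no validation, so a typo such as `SSL_SECURITY=two`, an empty value, or a stray sign yields 0 or a negative number, and SSL_CTX_set_security_level at L151 then sets level 0, which permits everything OpenSSL supports; a mistake in the environment silently disables the policy instead of failing. The value should be parsed with strtol, required to be a bare integer in OpenSSL's 0..5 range, and anything else should take the same failure path the cipher-list check uses on L153-L154. I would also note that L151 is inside the `if (tls->server==true)` branch opened at L145; if the client branch below this hunk does not also call SSL_CTX_set_security_level, outbound connections stay at OpenSSL's compiled-in default regardless of the setting. set_crypting starts before this hunk and continues after it.
```c
const char *secstr;
/* … unchanged: cipher_list lookup (L138-L139) … */
seclevel=2;                       /* documented default */
if ((secstr=getenv(envsec))!=(char *)0) {
 char *end;
 long val;

 val=strtol(secstr,&end,10);
 /* reject empty, trailing junk, overflow and anything outside OpenSSL's 0..5:
    anything <= 0 would permit every cipher and protocol */
 if (end==secstr || *end!='\0' || val<0 || val>5) {
  (void) showtlserror(tls,0,"Invalid SSL_SECURITY value");
  phase=999;
  }
 else
  seclevel=(int)val;
 }
```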
*/
/********************************************************/
/* */
+/* Procedure to return the current sercurity level */
+/* */
+/********************************************************/
+PUBLIC int tls_get_sec_level(TLSTYP *tls)
+
+{
+int level;
+
+level=-1;
+if (tls!=(TLSTYP *)0) {
+ level=SSL_get_security_level(tls->ssl);
+ }
+return level;
+}
+/*
+^L
+*/
+/********************************************************/
+/* */
/* Procedure to open an SSL channel */
/* */
/********************************************************/
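Review bot: L169 dereferences tls->ssl without checking it; the guard on L168 only covers the TLSTYP itself, so if a TLSTYP can exist before its ssl member is populated (tls_setsocket on L189 looks like the step that creates the SSL object), SSL_get_security_level is handed a NULL pointer. A guard of `if (tls!=(TLSTYP *)0 && tls->ssl!=(SSL *)0)` costs nothing and keeps the -1 contract. The header comment on L159 has a typo (`sercurity`) and should say that the value is the policy level configured on the SSL object rather than the strength of the negotiated session, and that -1 means no TLS object was available.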
//procedure to verify certificate linked to TLS channel
extern _Bool tls_verify(TLSTYP *tls);
+//procedure to get the security level
+extern int tls_get_sec_level(TLSTYP *tls);
+
//procedure to open an tls channel
extern TLSTYP *tls_opentls(int handle,_Bool server);
//set socket as an tls socket
extern SSL *tls_setsocket(int handle,SSL_CTX *ctx);
-//getting binding information
-//extern const LISTYP **tls_get_bind_data();
-
//getting binding information as AFN structure
extern AFNTYP **tls_get_bind_afn();
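Review bot: The comment on L183 should state the return contract so callers know the value can be invalid: `//get the OpenSSL security level configured on the link, or -1 if tls is NULL`. Dropping the commented-out tls_get_bind_data prototype on L190-L192 is a welcome cleanup.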