From 162a9d5dabfa102b8946cfd4897e90922e53cb39 Mon Sep 17 00:00:00 2001
From: "Jean-Marc Pigeon (Delson)"
Date: Fri, 18 Jul 2025 09:01:43 -0400
Subject: [PATCH] Set SSL parameters within unitls and mailleur.conf

---
 conf/mailleur.conf | 6 +++++-
 conf/mailleur.conf.dvl | 8 ++++++--
 lib/devsoc.c | 25 +++++++++++++++++++++++++
 lib/devsoc.h | 3 +++
 lib/lvleml.c | 18 +++++++++++++++---
 lib/unitls.c | 31 ++++++++++++++++++++++++++++++-
 lib/unitls.h | 6 +++---
 7 files changed, 87 insertions(+), 10 deletions(-)

diff --git a/conf/mailleur.conf b/conf/mailleur.conf
index 9af1829..35ee34e 100644
--- a/conf/mailleur.conf
+++ b/conf/mailleur.conf
@@ -28,6 +28,10 @@ REALM="mailleur-email"
 #Defaults
 SMTPPORTS="|||5,smtps||465|3,smtp||587|2"
 #------------------------------------------------
+#SSL Security level default value
+#CIPHER_LIST="DEFAULT"
+#SSL_SECURITY=2
+#------------------------------------------------
 #Defining SERVER mode Certificate data
 CA_ROOT_SRV="/etc/pki/mailleur/root-safe_CA.pem"
 CA_CERT_SRV="/etc/pki/mailleur/mailleur-cert.pem"
@@ -53,6 +57,6 @@ DOV_MAILDIR="/var/spool/mailleur/mails"
 #------------------------------------------------
 #The list of public blacklist serveur
 BLACKLISTER=/etc/mailleur/blacklister.conf
-#the list of IP from which we accept to releay email
+#the list of IP from which we accept to relay email
 RELAYABLE=/etc/mailleur/relayed.conf
 #------------------------------------------------
diff --git a/conf/mailleur.conf.dvl b/conf/mailleur.conf.dvl
index 5badbb3..65b0be2 100644
--- a/conf/mailleur.conf.dvl
+++ b/conf/mailleur.conf.dvl
@@ -27,6 +27,10 @@ REALM="mailleur-email"
 #SMTPPORTS="|127.127.10.25|1025|"
 #SMTPPORTS="smtps|127.127.10.25|1065|1"
 #------------------------------------------------
+#SSL Security level
+#CIPHER_LIST="ECDHE-ECDSA-AES256-GCM-SHA384"
+#SSL_SECURITY=3
+#------------------------------------------------
 #Defining SERVER mode Certificate data
 CA_ROOT_SRV="./certs/root-safe_CA.pem"
 CA_CERT_SRV="./certs/mailleur_server-chain-cert_x509.pem"
@@ -57,6 +61,6 @@ SMTPPORTS="|127.127.10.25|1025|5,smtps|127.127.10.26|1465|3,smtp|127.127.10.26|1
 #------------------------------------------------
 #The list of public blacklist serveur
 BLACKLISTER=/etc/mailleur/blacklister.conf
-#the list of IP from which we accept to releay email
-RELAYABLE=/etc/mailleur/relayed.conf
+#the list of IP from which we accept to relay email
+RELAYABLE=/etc/mailleur/relayed.conf.dvl
 #------------------------------------------------
diff --git a/lib/devsoc.c b/lib/devsoc.c
index 2664005..105ba11 100644
--- a/lib/devsoc.c
+++ b/lib/devsoc.c
@@ -1517,6 +1517,7 @@ PUBLIC _Bool soc_starttls(SOCPTR *socptr,_Bool server)
 
 {
 #define OPEP "devsoc.c:soc_starttls,"
+
 _Bool ok;
 SOCTYP *soc;
 
@@ -1545,6 +1546,7 @@ if ((soc!=(SOCTYP *)0)&&(soc->modtls==false)) {
 }
 }
 return ok;
+
 #undef OPEP
 }
 /*
@@ -1552,6 +1554,29 @@ return ok;
 */
 /********************************************************/
 /* */
+/* Procedure to return the security level used by */
+/* a crypted channel. */
+/* */
+/********************************************************/
+PUBLIC int soc_get_sec_level(SOCPTR *socptr)
+
+{
+int level;
+
+level=-1;
+if (socptr!=(SOCPTR *)0) {
+ register SOCTYP *soc;
+
+ soc=(SOCTYP *)socptr;
+ level=tls_get_sec_level(soc->tls);
+ }
+return level;
+}
+/*
+^L
+*/
+/********************************************************/
+/* */
 /* Procedure to return true if sthe socket is */
 /* in crypted mode. */
 /* */
diff --git a/lib/devsoc.h b/lib/devsoc.h
index 6efd35d..db44609 100644
--- a/lib/devsoc.h
+++ b/lib/devsoc.h
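Review bot: `soc_get_sec_level` passes `soc->tls` straight to `tls_get_sec_level` without consulting `soc->modtls`, so on a socket that has not gone through `soc_starttls` the -1 it returns comes only from the null-`tls` check inside `tls_get_sec_level` in lib/unitls.c (presumably `soc->tls` is null on a plain socket — not visible here), and neither the box comment here nor the prototype comment in the lib/devsoc.h hunk says that -1 is the "no TLS context / null socket" answer that callers such as lib/lvleml.c should not log as a real level. Suggested box text: `/* Returns the OpenSSL security level of the channel, or */` / `/* -1 when socptr is null or the socket has no TLS context. */`, with the same sentence on the `extern` in devsoc.h. The `register` storage class on `soc` is a no-op for modern compilers and can be dropped. The two earlier hunks in this file only add blank lines around `OPEP` and need no change.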
@@ -72,6 +72,9 @@ extern SOCPTR *soc_release(SOCPTR *socptr);
 //procedure to initiate crypted mode on plain channel
 extern _Bool soc_starttls(SOCPTR *socptr,_Bool server);
 
+//procedure to return the security level within a TLS link
+extern int soc_get_sec_level(SOCPTR *socptr);
+
 //return flag true if socket is in crypted mode
 extern _Bool soc_iscrypted(SOCPTR *socptr);
 
diff --git a/lib/lvleml.c b/lib/lvleml.c
index 78c00a2..b146d03 100644
--- a/lib/lvleml.c
+++ b/lib/lvleml.c
@@ -30,6 +30,9 @@
 #include "lvleml.h"
 
 #define RELAYS "RELAYABLE"
+
+static const char *cry="(crypted link is now set in '%s' mode, security level='%d')";
+
 /*
 ^L
 */
@@ -1699,8 +1702,11 @@ while (proceed==true) {
 case SIGNON : //link is now encrypted
 done=soc_starttls(rmt->socptr,false);
 switch (done) {
- case true :
- (void) log_fprintlog(rmt->logptr,false,"crypted link is now set");
+ case true : {
+ int level;
+
+ level=soc_get_sec_level(rmt->socptr);
+ (void) log_fprintlog(rmt->logptr,false,cry,"client",level);
 (void) usleep(10000); //10 ms delay
 rspcode=simple_smtp_command(rmt,"EHLO %s",rmt->orgdomain);
 switch (rspcode) {
@@ -1711,6 +1717,7 @@ while (proceed==true) {
 done=false;
 break;
 }
+ }
 break;
 case false :
 (void) log_fprintlog(rmt->logptr,false,"Unable to set crypted link");
@@ -2330,7 +2337,12 @@ while (proceed==true) {
 (void) usleep(100000);
 (void) transmit(contact,true,"%d 2.0.0 Ready to start TLS",SIGNON);
 switch (soc_starttls(contact->socptr,true)) {
- case true : //link now in TLS crypted mode
+ case true : { //link now in TLS crypted mode (server mode)
+ int level;
+
+ level=soc_get_sec_level(contact->socptr);
+ (void) log_fprintlog(contact->logptr,false,cry,"server",level);
+ }
 break;
 case false : //unable to establish link
 (void) transmit(contact,true,"%d 5.3.3 command starttls not successful",
diff --git a/lib/unitls.c b/lib/unitls.c
index 0cb1c93..c647f1d 100644
--- a/lib/unitls.c
+++ b/lib/unitls.c
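Review bot: Routing the log format through the file-scope pointer `cry` (lib/lvleml.c hunk at line 30) makes the format non-literal at both new `log_fprintlog` calls (hunks at 1699 and 2330), so `-Wformat` cannot check `"client"`/`"server"` and `level` against `'%s'`/`'%d'` even if `log_fprintlog` is declared with a printf `format` attribute (its declaration is not visible here); the arguments match today, but a later edit to either side would only surface at runtime. Since the string is a constant shared by two sites, a macro keeps a literal at each use: `#define CRY "(crypted link is now set in '%s' mode, security level='%d')"` and `(void) log_fprintlog(rmt->logptr,false,CRY,"client",level);`, likewise for the server call. Both `while (proceed==true)` loops that contain these hunks start and end outside them.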
@@ -164,10 +164,13 @@ static int set_crypting(TLSTYP *tls,_Bool server)
 #define OPEP "unitls.c:set_crypting"
 
 static const char *cenv[]={"CA_KEY","CA_CERT","CA_ROOT","CA_VERIFY"};
+static const char *envsec="SSL_SECURITY";
 
 int done;
 const char *certs[sizeof(cenv)/sizeof(char *)];
 const SSL_METHOD *(*tls_methode)();
+const char *cipher_list;
+int seclevel;
 const char *certext;
 int mode;
 int phase;
@@ -175,6 +178,12 @@ _Bool proceed;
 
 done=false;
 tls_methode=TLS_client_method;
+if ((cipher_list=getenv("CIPHER_LIST"))==(char *)0)
+ cipher_list=SSL_CIPHER_LIST;
+if (getenv(envsec)!=(char *)0)
+ seclevel=atoi(getenv(envsec));
+else
+ seclevel=2;
 certext="CLT";
 if (tls->server==true) {
 tls_methode=TLS_server_method;
@@ -254,7 +263,8 @@ while (proceed==true) {
 (void) SSL_CTX_set_purpose(tls->ctx,X509_PURPOSE_ANY);
 (void) SSL_CTX_set_verify_depth(tls->ctx,7);
 (void) SSL_CTX_set_options(tls->ctx,SSL_OP_ALL);
- if (SSL_CTX_set_cipher_list(tls->ctx,SSL_CIPHER_LIST)==0) {
+ (void) SSL_CTX_set_security_level(tls->ctx,seclevel);
+ if (SSL_CTX_set_cipher_list(tls->ctx,cipher_list)==0) {
 (void) showtlserror(tls,0,"No cipher list");
 phase=999;
 }
@@ -662,6 +672,25 @@ return ok;
 */
 /********************************************************/
 /* */
+/* Procedure to return the current sercurity level */
+/* */
+/********************************************************/
+PUBLIC int tls_get_sec_level(TLSTYP *tls)
+
+{
+int level;
+
+level=-1;
+if (tls!=(TLSTYP *)0) {
+ level=SSL_get_security_level(tls->ssl);
+ }
+return level;
+}
+/*
+^L
+*/
+/********************************************************/
+/* */
 /* Procedure to open an SSL channel */
 /* */
 /********************************************************/
diff --git a/lib/unitls.h b/lib/unitls.h
index 44d0539..83a0460 100644
--- a/lib/unitls.h
+++ b/lib/unitls.h
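Review bot: `seclevel=atoi(getenv(envsec))` in the hunk at line 175 turns any unparsable or empty `SSL_SECURITY` value into 0, which `SSL_CTX_set_security_level` accepts as "everything permitted", so a typo in the configuration silently lowers the floor below the default of 2 the code otherwise applies, and nothing rejects values outside OpenSSL's documented 0..5 range (above 5 is clamped to 5, a negative value behaves like 0). Parse with `strtol` (same `<stdlib.h>` as `atoi`), require the whole string to be consumed, keep the default on any bad value and report it — the cipher-list failure further down already uses `showtlserror`, whose argument meanings are not visible here, so the report is left as a TODO in the sketch below. Separately, conf/mailleur.conf documents the cipher default as `#CIPHER_LIST="DEFAULT"` while this code falls back to `SSL_CIPHER_LIST`, whose value is not on this page; confirm the two agree. `set_crypting` starts and ends outside the hunk, and `secstr`, `end` and `v` would be declared with the other locals in the hunk at line 164.
```c
/* … unchanged: done=false; tls_methode=TLS_client_method; … */
if ((cipher_list=getenv("CIPHER_LIST"))==(char *)0)
	cipher_list=SSL_CIPHER_LIST;
seclevel=2;	/* default; matches the commented SSL_SECURITY in conf/mailleur.conf */
if ((secstr=getenv(envsec))!=(char *)0) {
	v=strtol(secstr,&end,10);
	if ((end==secstr)||(*end!='\0')||(v<0)||(v>5)) {
		/* TODO report the rejected SSL_SECURITY value (showtlserror/log); default is kept */
		}
	else
		seclevel=(int)v;
	}
/* … unchanged: certext="CLT"; server-mode setup … */
```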
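Review bot: `tls_get_sec_level` (hunk at line 662) checks `tls` but not `tls->ssl` before calling `SSL_get_security_level(tls->ssl)`; whether a `TLSTYP` can exist with a null `ssl` is not visible here, so either guard it, `if ((tls!=(TLSTYP *)0)&&(tls->ssl!=(SSL *)0)) {`, or state in the box comment that the caller must pass an opened channel. The comment should also say that the value is the local policy set by `SSL_CTX_set_security_level` in `set_crypting`, not anything negotiated with the peer — the lib/lvleml.c log line reads as if it were a property of the link. Typo in the same comment: `sercurity` → `security`.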
@@ -50,6 +50,9 @@ extern char *tls_getcipherid(TLSTYP *tls);
 //procedure to verify certificate linked to TLS channel
 extern _Bool tls_verify(TLSTYP *tls);
 
+//procedure to get the security level
+extern int tls_get_sec_level(TLSTYP *tls);
+
 //procedure to open an tls channel
 extern TLSTYP *tls_opentls(int handle,_Bool server);
 
@@ -77,9 +80,6 @@ extern int tls_check_peer(TLSTYP *tls);
 //set socket as an tls socket
 extern SSL *tls_setsocket(int handle,SSL_CTX *ctx);
 
-//getting binding information
-//extern const LISTYP **tls_get_bind_data();
-
 //getting binding information as AFN structure
 extern AFNTYP **tls_get_bind_afn();
 
-- 
2.47.3