File xmail-1.27_ssloptions.patch of Package XMail
diff -Naru xmail-1.27_orig/Errors.cpp xmail-1.27/Errors.cpp
--- xmail-1.27_orig/Errors.cpp 2010-02-26 12:33:44.000000000 +0900
+++ xmail-1.27/Errors.cpp 2015-07-14 21:03:02.518913031 +0900
@@ -271,6 +271,7 @@
{ ERR_INVALID_PARAMETER, "Invalid parameter" },
{ ERR_ALREADY_EXIST, "Already exist" },
{ ERR_SSLCTX_CREATE, "Error creating SSL context" },
+ { ERR_SSLCTX_SETCIPHERLIST, "Error setting SSL cipher list" },
{ ERR_SSL_CREATE, "Error creating SSL session" },
{ ERR_SSL_CONNECT, "Error establishing SSL connection (connect)" },
{ ERR_SSL_SETCERT, "Error setting the SSL certificate file" },
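Review bot: ERR_SSLCTX_SETDHPARAM, which the Errors.h hunk adds to the enum and which BSslSetFlagsAndCiphers returns, gets no row in this message table; only ERR_SSLCTX_SETCIPHERLIST is added here, so a DH-parameter failure will be reported without a description. Add the matching row after the new line: `{ ERR_SSLCTX_SETDHPARAM, "Error setting SSL DH parameters" },`. Whether the lookup code tolerates a code with no table entry cannot be seen from this hunk.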
diff -Naru xmail-1.27_orig/Errors.h xmail-1.27/Errors.h
--- xmail-1.27_orig/Errors.h 2010-02-26 12:33:44.000000000 +0900
+++ xmail-1.27/Errors.h 2015-07-14 21:03:02.519913107 +0900
@@ -724,6 +724,12 @@
__ERR_SSLCTX_CREATE,
#define ERR_SSLCTX_CREATE (-__ERR_SSLCTX_CREATE)
+ __ERR_SSLCTX_SETCIPHERLIST,
+#define ERR_SSLCTX_SETCIPHERLIST (-__ERR_SSLCTX_SETCIPHERLIST)
+
+ __ERR_SSLCTX_SETDHPARAM,
+#define ERR_SSLCTX_SETDHPARAM (-__ERR_SSLCTX_SETDHPARAM)
+
__ERR_SSL_CREATE,
#define ERR_SSL_CREATE (-__ERR_SSL_CREATE)
diff -Naru xmail-1.27_orig/SSLBind.cpp xmail-1.27/SSLBind.cpp
--- xmail-1.27_orig/SSLBind.cpp 2010-02-26 12:33:44.000000000 +0900
+++ xmail-1.27/SSLBind.cpp 2015-07-14 21:03:02.520913184 +0900
@@ -426,6 +426,49 @@
return 0;
}
+int BSslSetFlagsAndCiphers(SSL_CTX *pSCtx, SslServerBind const *pSSLB) {
+ long lFlags;
+
+ if (pSSLB == NULL) {
+ return 0;
+ }
+
+ lFlags = 0;
+ if (pSSLB->ulFlags & BSSLF_NOSSLV2)
+ lFlags |= SSL_OP_NO_SSLv2;
+ if (pSSLB->ulFlags & BSSLF_NOSSLV3)
+ lFlags |= SSL_OP_NO_SSLv3;
+ if (pSSLB->ulFlags & BSSLF_NOTLSV1)
+ lFlags |= SSL_OP_NO_TLSv1;
+ SSL_CTX_set_options(pSCtx, lFlags);
+
+ if (pSSLB->pszCipherSuite != NULL) {
+ if (SSL_CTX_set_cipher_list(pSCtx,
+ pSSLB->pszCipherSuite) != 1) {
+ ErrSetErrorCode(ERR_SSLCTX_SETCIPHERLIST);
+ return ERR_SSLCTX_SETCIPHERLIST;
+ }
+ }
+
+ if (pSSLB->pszDHParamFile != NULL) {
+ FILE *fDHParamFile = fopen(pSSLB->pszDHParamFile, "r");
+
+ // silently ignores error when file was unable to read.
+ if (fDHParamFile != NULL) {
+ if (SSL_CTX_set_tmp_dh(pSCtx,
+ PEM_read_DHparams(fDHParamFile, NULL,
+ NULL, NULL)) != 1) {
+ ErrSetErrorCode(ERR_SSLCTX_SETDHPARAM);
+ return ERR_SSLCTX_SETDHPARAM;
+ }
+
+ fclose(fDHParamFile);
+ }
+ }
+
+ return 0;
+}
+
int BSslBindClient(BSOCK_HANDLE hBSock, SslServerBind const *pSSLB,
int (*pfEnvCB)(void *, int, void const *), void *pPrivate)
{
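Review bot: The DH block in BSslSetFlagsAndCiphers leaks on every path: the DH object returned by PEM_read_DHparams is never freed although SSL_CTX_set_tmp_dh keeps its own copy, and the error return skips the fclose, so both the parsed object and the stream are lost when setting the parameters fails. A parse failure also hands NULL straight to SSL_CTX_set_tmp_dh; OpenSSL rejects that, so the error code is still raised, but it is clearer to test the result first. The rewrite below releases the stream and the DH object before deciding the return value. BSslBindClient at the end of the hunk continues outside it.
```cpp
    if (pSSLB->pszDHParamFile != NULL) {
        FILE *fDHParamFile = fopen(pSSLB->pszDHParamFile, "r");

        // silently ignores error when file was unable to read.
        if (fDHParamFile != NULL) {
            DH *pDH = PEM_read_DHparams(fDHParamFile, NULL, NULL, NULL);
            // SSL_CTX_set_tmp_dh() keeps its own copy of the parameters,
            // so the parsed object and the stream are released on every path.
            int iRes = (pDH != NULL) ? SSL_CTX_set_tmp_dh(pSCtx, pDH) : 0;

            DH_free(pDH);
            fclose(fDHParamFile);
            if (iRes != 1) {
                ErrSetErrorCode(ERR_SSLCTX_SETDHPARAM);
                return ERR_SSLCTX_SETDHPARAM;
            }
        }
    }
```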
@@ -443,6 +486,10 @@
return ERR_SSLCTX_CREATE;
}
SSL_CTX_set_session_cache_mode(pSCtx, SSL_SESS_CACHE_OFF);
+ if (BSslSetFlagsAndCiphers(pSCtx, pSSLB) < 0) {
+ SSL_CTX_free(pSCtx);
+ return ErrGetErrorCode();
+ }
/*
* Client may not supply a certificate.
*/
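Review bot: Calling BSslSetFlagsAndCiphers on the client context loads the DH-parameter file as well, and SSLConfig.cpp always fills pszDHParamFile with dhparam.pem under the mail root, so a malformed dhparam.pem now makes every client-side bind fail although DH parameters are only used when acting as the server. Consider moving the DH block into its own helper and calling it only from the server bind (the hunk at `@@ -517,6 +564,10 @@`), keeping the protocol flags and cipher list shared. BSslBindClient begins and ends outside this hunk.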
@@ -517,6 +564,10 @@
return ERR_SSLCTX_CREATE;
}
SSL_CTX_set_session_cache_mode(pSCtx, SSL_SESS_CACHE_OFF);
+ if (BSslSetFlagsAndCiphers(pSCtx, pSSLB) < 0) {
+ SSL_CTX_free(pSCtx);
+ return ErrGetErrorCode();
+ }
if (BSslSetupVerify(pSCtx, pSSLB) < 0) {
SSL_CTX_free(pSCtx);
return ErrGetErrorCode();
diff -Naru xmail-1.27_orig/SSLBind.h xmail-1.27/SSLBind.h
--- xmail-1.27_orig/SSLBind.h 2010-02-26 12:33:44.000000000 +0900
+++ xmail-1.27/SSLBind.h 2015-07-14 21:03:02.520913184 +0900
@@ -31,7 +31,9 @@
#define BSSLF_WANT_VERIFY (1 << 0)
#define BSSLF_WANT_CERT (1 << 1)
#define BSSLF_ALLOW_SEFLSIGNED (1 << 2)
-
+#define BSSLF_NOSSLV2 (1 << 3)
+#define BSSLF_NOSSLV3 (1 << 4)
+#define BSSLF_NOTLSV1 (1 << 5)
struct SslServerBind {
char *pszKeyFile;
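Review bot: The blank line that separated the BSSLF_* definitions from `struct SslServerBind` is removed by this hunk, which is a style regression rather than part of the change; restore it after `#define BSSLF_NOTLSV1 (1 << 5)`. A short comment on the three new bits would also help, e.g. `/* BSSLF_NO*: mapped to SSL_OP_NO_* by BSslSetFlagsAndCiphers */`.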
@@ -40,6 +42,8 @@
int iMaxDepth;
char *pszCAFile;
char *pszCAPath;
+ char *pszCipherSuite;
+ char *pszDHParamFile;
};
struct SslBindEnv {
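Review bot: The two new members carry no documentation, and their NULL semantics differ from the other string fields. From the SSLBind.cpp hunk, a NULL pszCipherSuite leaves the context's cipher list untouched, while a NULL or unreadable pszDHParamFile is skipped silently but an unparsable one is an error; annotate them as `char *pszCipherSuite; /* OpenSSL cipher list; NULL keeps the library default */` and `char *pszDHParamFile; /* PEM DH parameters; NULL or unreadable file is ignored */`. Ownership (both are freed with the struct in SSLConfig.cpp) is worth stating on the struct as well.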
diff -Naru xmail-1.27_orig/SSLConfig.cpp xmail-1.27/SSLConfig.cpp
--- xmail-1.27_orig/SSLConfig.cpp 2010-02-26 12:33:44.000000000 +0900
+++ xmail-1.27/SSLConfig.cpp 2015-07-14 21:03:11.611836478 +0900
@@ -77,6 +77,21 @@
pSSLB->iMaxDepth = SvrGetConfigInt("SSLMaxCertsDepth", 0, hCfg);
+ if (SvrTestConfigFlag("SSLNoSSLv2", false, hCfg))
+ pSSLB->ulFlags |= BSSLF_NOSSLV2;
+
+ if (SvrTestConfigFlag("SSLNoSSLv3", false, hCfg))
+ pSSLB->ulFlags |= BSSLF_NOSSLV3;
+
+ if (SvrTestConfigFlag("SSLNoTLSv1", false, hCfg))
+ pSSLB->ulFlags |= BSSLF_NOTLSV1;
+
+ pSSLB->pszCipherSuite =
+ SvrGetConfigVar(hCfg, "SSLCipherSuite", "ALL");
+
+ SysSNPrintf(szPath, sizeof(szPath) - 1, "%sdhparam.pem", szMailRoot);
+ pSSLB->pszDHParamFile = SysStrDup(szPath);
+
SvrReleaseConfigHandle(hCfg);
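Review bot: The fallback `"ALL"` for SSLCipherSuite is broader than OpenSSL's own default: in cipher-list syntax ALL excludes only eNULL, so a server with no SSLCipherSuite set also offers anonymous (aNULL) and low-strength suites. Use `SvrGetConfigVar(hCfg, "SSLCipherSuite", "DEFAULT")` or an explicit list such as `"ALL:!aNULL:!eNULL:!EXPORT:!LOW"` so an unconfigured installation does not regress relative to the library default. The three SSLNo* flags also default to false, so nothing is disabled unless the operator sets them; that is a policy choice, but it deserves a comment. szPath and szMailRoot are assumed to be declared earlier in this function, outside the hunk.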
@@ -90,5 +105,7 @@
SysFree(pSSLB->pszCertFile);
SysFree(pSSLB->pszCAFile);
SysFree(pSSLB->pszCAPath);
+ SysFree(pSSLB->pszCipherSuite);
+ SysFree(pSSLB->pszDHParamFile);
}