[evolution-data-server/gnome-3-8] [Camel] Disable SSL v2 and weak ciphers by default

[Milan Crha <mcrha src gnome org>]

commit 76b6e96b76c1616987c5da8dabc7fd1dd3dac394
Author: Milan Crha <mcrha redhat com>
Date:   Thu Aug 8 14:36:10 2013 +0200

    [Camel] Disable SSL v2 and weak ciphers by default
    
    The change for disabled weak ciphers require at least NSS 3.14, thus
    weak ciphers are enabled, if it's compiled with older NSS. In case
    any server will require either weak ciphers or SSL v2 (while there
    really should not anyone use it these days), then two environment
    variables were added:
    
       CAMEL_SSL_V2_ENABLE=1 - to have SSL v2 enabled, otherwise it's disabled,
           regardless what camel providers request (they usually request v2 and
           v3 together)
    
       CAMEL_SSL_WEAK_CIPHERS=1 - to enable weak ciphers, almost the same as
           before; otherwise these are disabled and only those covered by
           NSS_SetDomesticPolicy() are enabled
    
    These are added to the group of one for SSL V2 compatible hello:
    
       CAMEL_SSL_V2_HELLO=1 - to force SSL v2 compatible hello on SSL connections

 camel/camel-tcp-stream-ssl.c |    7 ++++++-
 camel/camel.c                |   35 +++++++++++++++++++++++++++--------
 2 files changed, 33 insertions(+), 9 deletions(-)
---
diff --git a/camel/camel-tcp-stream-ssl.c b/camel/camel-tcp-stream-ssl.c
index 9e58400..97f053c 100644
--- a/camel/camel-tcp-stream-ssl.c
+++ b/camel/camel-tcp-stream-ssl.c
@@ -544,6 +544,7 @@ enable_ssl (CamelTcpStreamSSL *ssl,
             PRFileDesc *fd)
 {
        PRFileDesc *ssl_fd;
+       static gchar v2_enabled = -1;
 
        g_assert (fd != NULL);
 
@@ -553,7 +554,11 @@ enable_ssl (CamelTcpStreamSSL *ssl,
 
        SSL_OptionSet (ssl_fd, SSL_SECURITY, PR_TRUE);
 
-       if (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_SSL2) {
+       /* check camel.c for the same "CAMEL_SSL_V2_ENABLE" */
+       if (v2_enabled == -1)
+               v2_enabled = g_strcmp0 (g_getenv ("CAMEL_SSL_V2_ENABLE"), "1") == 0 ? 1 : 0;
+
+       if (v2_enabled && (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_SSL2) != 0) {
                static gchar v2_hello = -1;
 
                /* Zarafa server with disabled SSL v2 rejects connection when
diff --git a/camel/camel.c b/camel/camel.c
index 49f2d60..fc73fe5 100644
--- a/camel/camel.c
+++ b/camel/camel.c
@@ -31,6 +31,7 @@
 #include <prthread.h>
 #include "nss.h"      /* Don't use <> here or it will include the system nss.h instead */
 #include <ssl.h>
+#include <sslproto.h>
 #include <errno.h>
 
 #include <glib/gi18n-lib.h>
@@ -95,10 +96,22 @@ camel_init (const gchar *configdir,
        camel_debug_init ();
 
        if (nss_init) {
+               static gchar v2_enabled = -1, weak_ciphers = -1;
                gchar *nss_configdir = NULL;
                gchar *nss_sql_configdir = NULL;
                SECStatus status = SECFailure;
-               PRUint16 indx;
+
+#if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && NSS_VMINOR < 14)
+               /* NSS pre-3.14 has most of the ciphers disabled, thus enable
+                * weak ciphers, if it's compiled against such */
+               weak_ciphers = 1;
+#endif
+
+               /* check camel-tcp-stream-ssl.c for the same "CAMEL_SSL_V2_ENABLE" */
+               if (v2_enabled == -1)
+                       v2_enabled = g_strcmp0 (g_getenv ("CAMEL_SSL_V2_ENABLE"), "1") == 0 ? 1 : 0;
+               if (weak_ciphers == -1)
+                       weak_ciphers = g_strcmp0 (g_getenv ("CAMEL_SSL_WEAK_CIPHERS"), "1") == 0 ? 1 : 0;
 
                if (nss_initlock == NULL) {
                        PR_Init (PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 10);
@@ -185,18 +198,24 @@ skip_nss_init:
 
                NSS_SetDomesticPolicy ();
 
-               PR_Unlock (nss_initlock);
+               if (weak_ciphers) {
+                       PRUint16 indx;
 
-               /* we must enable all ciphersuites */
-               for (indx = 0; indx < SSL_NumImplementedCiphers; indx++) {
-                       if (!SSL_IS_SSL2_CIPHER (SSL_ImplementedCiphers[indx]))
-                               SSL_CipherPrefSetDefault (SSL_ImplementedCiphers[indx], PR_TRUE);
+                       /* enable SSL3/TLS cipher-suites */
+                       for (indx = 0; indx < SSL_NumImplementedCiphers; indx++) {
+                               if (!SSL_IS_SSL2_CIPHER (SSL_ImplementedCiphers[indx]) &&
+                                   SSL_ImplementedCiphers[indx] != SSL_RSA_WITH_NULL_SHA &&
+                                   SSL_ImplementedCiphers[indx] != SSL_RSA_WITH_NULL_MD5)
+                                       SSL_CipherPrefSetDefault (SSL_ImplementedCiphers[indx], PR_TRUE);
+                       }
                }
 
-               SSL_OptionSetDefault (SSL_ENABLE_SSL2, PR_TRUE);
+               SSL_OptionSetDefault (SSL_ENABLE_SSL2, v2_enabled ? PR_TRUE : PR_FALSE);
+               SSL_OptionSetDefault (SSL_V2_COMPATIBLE_HELLO, PR_FALSE);
                SSL_OptionSetDefault (SSL_ENABLE_SSL3, PR_TRUE);
                SSL_OptionSetDefault (SSL_ENABLE_TLS, PR_TRUE);
-               SSL_OptionSetDefault (SSL_V2_COMPATIBLE_HELLO, PR_TRUE /* maybe? */);
+
+               PR_Unlock (nss_initlock);
 
                g_free (nss_configdir);
                g_free (nss_sql_configdir);