diff --exclude=man --exclude=html --exclude=README_FILES --exclude=INSTALL --exclude=.indent.pro --exclude=Makefile.in -r -cr --exclude=WISHLIST /var/tmp/postfix-2.10-20120407/HISTORY ./HISTORY *** /var/tmp/postfix-2.10-20120407/HISTORY Sat Apr 7 19:10:44 2012 --- ./HISTORY Sun Apr 22 19:49:00 2012 *************** *** 17723,17725 **** --- 17723,17734 ---- Bugfix (introduced: 20120330): don't replace by when a reply footer starts with \c and contains no \n. File: global/smtp_reply_footer.c. + + 20120422 + + Bit-rot: OpenSSL 1.0.1 introduces new protocols. Update the + known TLS protocol list so that protocols can be turned off + selectively to work around implementation bugs. Based on + a patch by Victor Duchovni. Files: proto/TLS_README.html, + proto/postconf.proto, tls/tls.h, tls/tls_misc.c, tls/tls_client.c, + tls/tls_server.c. diff --exclude=man --exclude=html --exclude=README_FILES --exclude=INSTALL --exclude=.indent.pro --exclude=Makefile.in -r -cr --exclude=WISHLIST /var/tmp/postfix-2.10-20120407/proto/TLS_README.html ./proto/TLS_README.html *** /var/tmp/postfix-2.10-20120407/proto/TLS_README.html Tue Dec 6 10:21:13 2011 --- ./proto/TLS_README.html Mon Apr 23 13:53:55 2012 *************** *** 704,715 **** "export".

With mandatory TLS encryption, the Postfix SMTP server will by ! default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtpd_tls_mandatory_protocols configuration parameter. The corresponding smtpd_tls_protocols parameter (Postfix ≥ 2.6) controls the SSL/TLS protocols used with opportunistic TLS.

For a server that is not a public Internet MX host, Postfix supports configurations with no server certificates that use only the anonymous ciphers. This is --- 704,721 ---- "export".

With mandatory TLS encryption, the Postfix SMTP server will by ! default disable SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtpd_tls_mandatory_protocols configuration parameter. The corresponding smtpd_tls_protocols parameter (Postfix ≥ 2.6) controls the SSL/TLS protocols used with opportunistic TLS.

+

Note that the OpenSSL library only supports protocol exclusion + (not inclusion). For this reason, Postfix can exclude only protocols + that are known at the time the Postfix software is written. If new + protocols are added to the OpenSSL library, they cannot be excluded + without corresponding changes to the Postfix source code.

+

For a server that is not a public Internet MX host, Postfix supports configurations with no server certificates that use only the anonymous ciphers. This is *************** *** 727,735 **** smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 smtpd_tls_security_level = encrypt ! smtpd_tls_mandatory_protocols = TLSv1 ! # Also available with Postfix ≥ 2.5: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 --- 733,742 ---- smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 smtpd_tls_security_level = encrypt ! # Preferred form with Postfix ≥ 2.5: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 + # Alternative form. + smtpd_tls_mandatory_protocols = TLSv1 *************** *** 773,780 ****

Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later allows TLS servers to preempt the TLS client's cipher preference list. ! This is only possible with SSLv3, as in SSLv2 the client chooses the ! cipher from a list supplied by the server.

By default, the OpenSSL server selects the client's most preferred cipher that the server supports. With SSLv3 and later, the server --- 780,787 ----

Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later allows TLS servers to preempt the TLS client's cipher preference list. ! This is possible only with SSLv3 and later, as in SSLv2 the client ! chooses the cipher from a list supplied by the server.

By default, the OpenSSL server selects the client's most preferred cipher that the server supports. With SSLv3 and later, the server *************** *** 1010,1018 ****

Examples:

In the example below, traffic to example.com and its sub-domains ! via the corresponding MX hosts always uses TLS. The protocol version will be ! "SSLv3" or "TLSv1" (the default setting of smtp_tls_mandatory_protocols ! excludes "SSLv2"). Only high or medium strength (i.e. 128 bit or better) ciphers will be used by default for all "encrypt" security level sessions.

--- 1017,1025 ----

Examples:

In the example below, traffic to example.com and its sub-domains ! via the corresponding MX hosts always uses TLS. The SSLv2 protocol ! will be disabled (the default setting of smtp_tls_mandatory_protocols ! excludes "SSLv2"). Only high- or medium-strength (i.e. 128 bit or better) ciphers will be used by default for all "encrypt" security level sessions.

*************** *** 1883,1889 **** "export".

With mandatory TLS encryption, the Postfix SMTP client will by ! default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtp_tls_mandatory_protocols configuration parameter. The corresponding smtp_tls_protocols parameter (Postfix ≥ 2.6) controls --- 1890,1896 ---- "export".

With mandatory TLS encryption, the Postfix SMTP client will by ! default disable SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS protocol list is specified via the smtp_tls_mandatory_protocols configuration parameter. The corresponding smtp_tls_protocols parameter (Postfix ≥ 2.6) controls *************** *** 1897,1905 **** smtp_tls_mandatory_ciphers = medium smtp_tls_mandatory_exclude_ciphers = RC4, MD5 smtp_tls_exclude_ciphers = aNULL ! smtp_tls_mandatory_protocols = SSLv3, TLSv1 ! # Also available with Postfix ≥ 2.5: smtp_tls_mandatory_protocols = !SSLv2 # Also available with Postfix ≥ 2.6: smtp_tls_ciphers = export smtp_tls_protocols = !SSLv2 --- 1904,1913 ---- smtp_tls_mandatory_ciphers = medium smtp_tls_mandatory_exclude_ciphers = RC4, MD5 smtp_tls_exclude_ciphers = aNULL ! # Preferred form with Postfix ≥ 2.5: smtp_tls_mandatory_protocols = !SSLv2 + # Alternative form. + smtp_tls_mandatory_protocols = SSLv3, TLSv1 # Also available with Postfix ≥ 2.6: smtp_tls_ciphers = export smtp_tls_protocols = !SSLv2 diff --exclude=man --exclude=html --exclude=README_FILES --exclude=INSTALL --exclude=.indent.pro --exclude=Makefile.in -r -cr --exclude=WISHLIST /var/tmp/postfix-2.10-20120407/proto/postconf.proto ./proto/postconf.proto *** /var/tmp/postfix-2.10-20120407/proto/postconf.proto Sun Apr 1 14:32:20 2012 --- ./proto/postconf.proto Mon Apr 23 13:25:55 2012 *************** *** 10476,10482 ****

This feature is available in Postfix 2.3 and later.

! %PARAM smtp_tls_mandatory_protocols SSLv3, TLSv1

List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. In main.cf the values are separated by --- 10476,10482 ----

This feature is available in Postfix 2.3 and later.

! %PARAM smtp_tls_mandatory_protocols !SSLv2

List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. In main.cf the values are separated by *************** *** 10485,10496 **** empty value means allow all protocols. The valid protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".

With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing ! the protocols to include, rather than protocols to exclude, is still ! supported; use the form you find more intuitive.

Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that by --- 10485,10503 ---- empty value means allow all protocols. The valid protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".

+

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" + and "TLSv1.2". If an older Postfix version is linked against OpenSSL + 1.0.1 or later, these, or any other new protocol versions, are + unconditionally enabled.

+

With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing ! the protocols to include, rather than protocols to exclude, is ! supported, but not recommended. The exclusion form more closely ! matches the behaviour when the OpenSSL library is newer than Postfix. !

Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that by *************** *** 10503,10511 ****

Example:

! smtp_tls_mandatory_protocols = TLSv1
! # Alternative form with Postfix ≥ 2.5:
  smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
  

This feature is available in Postfix 2.3 and later.

--- 10510,10519 ----

Example:

! # Preferred form with Postfix ≥ 2.5:
  smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+ # Alternative form.
+ smtp_tls_mandatory_protocols = TLSv1
  

This feature is available in Postfix 2.3 and later.

*************** *** 10635,10641 ****

This feature is available in Postfix 2.3 and later.

! %PARAM lmtp_tls_mandatory_protocols SSLv3, TLSv1

The LMTP-specific version of the smtp_tls_mandatory_protocols configuration parameter. See there for details.

--- 10643,10649 ----

This feature is available in Postfix 2.3 and later.

! %PARAM lmtp_tls_mandatory_protocols !SSLv2

The LMTP-specific version of the smtp_tls_mandatory_protocols configuration parameter. See there for details.

*************** *** 10656,10662 ****

This feature is available in Postfix 2.3 and later.

! %PARAM smtpd_tls_mandatory_protocols SSLv3, TLSv1

The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. If the list is empty, the server supports all --- 10664,10670 ----

This feature is available in Postfix 2.3 and later.

! %PARAM smtpd_tls_mandatory_protocols !SSLv2

The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. If the list is empty, the server supports all *************** *** 10665,10676 **** names separated by whitespace, commas or colons. The supported protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.

With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing ! the protocols to include, rather than protocols to exclude, is still ! supported, use the form you find more intuitive.

Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that --- 10673,10691 ---- names separated by whitespace, commas or colons. The supported protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.

+

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" + and "TLSv1.2". If an older Postfix version is linked against OpenSSL + 1.0.1 or later, these, or any other new protocol versions, are + unconditionally enabled.

+

With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol exclusions. One can now explicitly exclude SSLv2 by setting "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing ! the protocols to include, rather than protocols to exclude, is ! supported, but not recommended. The exclusion form more closely ! matches the behaviour when the OpenSSL library is newer than Postfix. !

Since SSL version 2 has known protocol weaknesses and is now deprecated, the default setting excludes "SSLv2". This means that *************** *** 11697,11710 **** protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".

To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to ! include, is supported, but not recommended. OpenSSL provides no mechanisms ! for excluding protocols not known at compile-time. If Postfix is linked ! against an OpenSSL library that supports additional protocol versions, ! they cannot be excluded using either syntax.

Example:

--- 11712,11729 ----
  protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3"
  and "TLSv1". 

+

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" + and "TLSv1.2". If an older Postfix version is linked against OpenSSL + 1.0.1 or later, these, or any other new protocol versions, are + unconditionally enabled.

+

To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to ! include, rather than protocols to exclude, is supported, but not ! recommended. The exclusion form more closely matches the behaviour ! when the OpenSSL library is newer than Postfix.

Example:

***************
*** 11727,11740 ****
  "TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute
  values are separated by a colon. 

To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to ! include, is supported, but not recommended. OpenSSL provides no mechanisms ! for excluding protocols not known at compile-time. If Postfix is linked ! against an OpenSSL library that supports additional protocol versions, ! they cannot be excluded using either syntax.

Example:

--- 11746,11763 ----
  "TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute
  values are separated by a colon. 

+

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" + and "TLSv1.2". If an older Postfix version is linked against OpenSSL + 1.0.1 or later, these, or any other new protocol versions, are + unconditionally enabled.

+

To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 even for opportunistic TLS set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to ! include, rather than protocols to exclude, is supported, but not ! recommended. The exclusion form more closely matches the behaviour ! when the OpenSSL library is newer than Postfix.

Example:

diff --exclude=man --exclude=html --exclude=README_FILES --exclude=INSTALL --exclude=.indent.pro --exclude=Makefile.in -r -cr --exclude=WISHLIST /var/tmp/postfix-2.10-20120407/src/global/mail_params.h ./src/global/mail_params.h
*** /var/tmp/postfix-2.10-20120407/src/global/mail_params.h	Wed Apr  4 13:01:58 2012
--- ./src/global/mail_params.h	Sun Apr 22 17:53:38 2012
***************
*** 1257,1263 ****
  extern char *var_smtpd_tls_proto;
  
  #define VAR_SMTPD_TLS_MAND_PROTO	"smtpd_tls_mandatory_protocols"
! #define DEF_SMTPD_TLS_MAND_PROTO	"SSLv3, TLSv1"
  extern char *var_smtpd_tls_mand_proto;
  
  #define VAR_SMTPD_TLS_CIPH	"smtpd_tls_ciphers"
--- 1257,1263 ----
  extern char *var_smtpd_tls_proto;
  
  #define VAR_SMTPD_TLS_MAND_PROTO	"smtpd_tls_mandatory_protocols"
! #define DEF_SMTPD_TLS_MAND_PROTO	"!SSLv2"
  extern char *var_smtpd_tls_mand_proto;
  
  #define VAR_SMTPD_TLS_CIPH	"smtpd_tls_ciphers"
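Review bot: The new default `"!SSLv2"` for DEF_SMTPD_TLS_MAND_PROTO no longer pins a protocol set: what it admits is whatever the linked OpenSSL build knows minus SSLv2, so the effective mandatory-TLS protocol set now changes with a library upgrade (TLSv1.1 and TLSv1.2 become eligible under OpenSSL 1.0.1 per the tls.h hunk), which appears to be the intent given the HISTORY entry but is not visible from the header. The same literal is repeated for DEF_SMTP_TLS_MAND_PROTO and DEF_LMTP_TLS_MAND_PROTO in the next hunk and in the postconf.proto %PARAM lines, with nothing tying them together. Suggest a comment above this define: `/* Exclusion form: every protocol the linked OpenSSL supports except SSLv2. Keep in sync with DEF_SMTP_TLS_MAND_PROTO, DEF_LMTP_TLS_MAND_PROTO and proto/postconf.proto. */`.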
***************
*** 1470,1478 ****
  extern char *var_smtp_tls_proto;
  
  #define VAR_SMTP_TLS_MAND_PROTO	"smtp_tls_mandatory_protocols"
! #define DEF_SMTP_TLS_MAND_PROTO	"SSLv3, TLSv1"
  #define VAR_LMTP_TLS_MAND_PROTO	"lmtp_tls_mandatory_protocols"
! #define DEF_LMTP_TLS_MAND_PROTO	"SSLv3, TLSv1"
  extern char *var_smtp_tls_mand_proto;
  
  #define VAR_SMTP_TLS_VFY_CMATCH	"smtp_tls_verify_cert_match"
--- 1470,1478 ----
  extern char *var_smtp_tls_proto;
  
  #define VAR_SMTP_TLS_MAND_PROTO	"smtp_tls_mandatory_protocols"
! #define DEF_SMTP_TLS_MAND_PROTO	"!SSLv2"
  #define VAR_LMTP_TLS_MAND_PROTO	"lmtp_tls_mandatory_protocols"
! #define DEF_LMTP_TLS_MAND_PROTO	"!SSLv2"
  extern char *var_smtp_tls_mand_proto;
  
  #define VAR_SMTP_TLS_VFY_CMATCH	"smtp_tls_verify_cert_match"
diff --exclude=man --exclude=html --exclude=README_FILES --exclude=INSTALL --exclude=.indent.pro --exclude=Makefile.in -r -cr --exclude=WISHLIST /var/tmp/postfix-2.10-20120407/src/global/mail_version.h ./src/global/mail_version.h
*** /var/tmp/postfix-2.10-20120407/src/global/mail_version.h	Sat Apr  7 19:21:16 2012
--- ./src/global/mail_version.h	Mon Apr 23 14:00:09 2012
***************
*** 20,26 ****
    * Patches change both the patchlevel and the release date. Snapshots have no
    * patchlevel; they change the release date only.
    */
! #define MAIL_RELEASE_DATE	"20120407"
  #define MAIL_VERSION_NUMBER	"2.10"
  
  #ifdef SNAPSHOT
--- 20,26 ----
    * Patches change both the patchlevel and the release date. Snapshots have no
    * patchlevel; they change the release date only.
    */
! #define MAIL_RELEASE_DATE	"20120423"
  #define MAIL_VERSION_NUMBER	"2.10"
  
  #ifdef SNAPSHOT
diff --exclude=man --exclude=html --exclude=README_FILES --exclude=INSTALL --exclude=.indent.pro --exclude=Makefile.in -r -cr --exclude=WISHLIST /var/tmp/postfix-2.10-20120407/src/tls/tls.h ./src/tls/tls.h
*** /var/tmp/postfix-2.10-20120407/src/tls/tls.h	Wed Apr  4 13:53:48 2012
--- ./src/tls/tls.h	Sun Apr 22 18:28:54 2012
***************
*** 173,180 ****
  #define TLS_PROTOCOL_SSLv2	(1<<0)	/* SSLv2 */
  #define TLS_PROTOCOL_SSLv3	(1<<1)	/* SSLv3 */
  #define TLS_PROTOCOL_TLSv1	(1<<2)	/* TLSv1 */
  #define TLS_KNOWN_PROTOCOLS	\
! 	( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 )
  
  extern int tls_protocol_mask(const char *);
  
--- 173,191 ----
  #define TLS_PROTOCOL_SSLv2	(1<<0)	/* SSLv2 */
  #define TLS_PROTOCOL_SSLv3	(1<<1)	/* SSLv3 */
  #define TLS_PROTOCOL_TLSv1	(1<<2)	/* TLSv1 */
+ #ifdef SSL_TXT_TLSV1_1
+ #define TLS_PROTOCOL_TLSv1_1	(1<<3)	/* TLSv1_1 */
+ #else
+ #define TLS_PROTOCOL_TLSv1_1	0	/* Unknown */
+ #endif
+ #ifdef SSL_TXT_TLSV1_2
+ #define TLS_PROTOCOL_TLSv1_2	(1<<4)	/* TLSv1_2 */
+ #else
+ #define TLS_PROTOCOL_TLSv1_2	0	/* Unknown */
+ #endif
  #define TLS_KNOWN_PROTOCOLS	\
! 	( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \
! 	   | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 )
  
  extern int tls_protocol_mask(const char *);
  
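Review bot: The feature test that defines the new bits differs from the one that acts on them: this hunk keys TLS_PROTOCOL_TLSv1_1/TLS_PROTOCOL_TLSv1_2 on `SSL_TXT_TLSV1_1`/`SSL_TXT_TLSV1_2` (tls_misc.c lists the names under the same guard), while tls_client.c and tls_server.c emit SSL_OP_NO_TLSv1_1/SSL_OP_NO_TLSv1_2 only under `#ifdef SSL_OP_NO_TLSv1_1`/`#ifdef SSL_OP_NO_TLSv1_2`. In OpenSSL 1.0.1 these macros are presumably defined together, but if a build ever defines the SSL_TXT_* name without the matching SSL_OP_NO_* option, a configured exclusion such as `!TLSv1.1` would parse into the mask and then be silently dropped when the options are applied, leaving the protocol enabled with no diagnostic. One guard for both sides closes that gap, e.g. `#if defined(SSL_TXT_TLSV1_1) && defined(SSL_OP_NO_TLSv1_1)` here (and the TLSv1_2 counterpart), so a protocol is only "known" when it can also be disabled. The opposite mismatch is harmless: with the bit defined as 0, `(protomask & 0)` never selects the option.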
diff --exclude=man --exclude=html --exclude=README_FILES --exclude=INSTALL --exclude=.indent.pro --exclude=Makefile.in -r -cr --exclude=WISHLIST /var/tmp/postfix-2.10-20120407/src/tls/tls_client.c ./src/tls/tls_client.c
*** /var/tmp/postfix-2.10-20120407/src/tls/tls_client.c	Mon Dec  5 16:03:07 2011
--- ./src/tls/tls_client.c	Sun Apr 22 18:12:25 2012
***************
*** 859,864 ****
--- 859,870 ----
      if (protomask != 0)
  	SSL_set_options(TLScontext->con,
  		   ((protomask & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L)
+ #ifdef SSL_OP_NO_TLSv1_1
+ 	     | ((protomask & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L)
+ #endif
+ #ifdef SSL_OP_NO_TLSv1_2
+ 	     | ((protomask & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L)
+ #endif
  		 | ((protomask & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L)
  	       | ((protomask & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L));
  
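Review bot: The five-term SSL_OP_NO_* expression in this SSL_set_options() call is now duplicated verbatim in the SSL_CTX_set_options() call in tls_server.c (same #ifdef pairs, same operand order), so every future protocol addition has to be made in both files as well as in tls.h and tls_misc.c. A helper in tls_misc.c that maps a TLS_PROTOCOL_* mask to the option bits, declared in tls.h next to tls_protocol_mask(), leaves one place to extend; both call sites then reduce to `SSL_set_options(TLScontext->con, tls_proto_options(protomask));` and `SSL_CTX_set_options(server_ctx, tls_proto_options(protomask));`. The enclosing function starts before this hunk.
```c
/* tls_proto_options - map a TLS_PROTOCOL_* exclusion mask to SSL_OP_NO_* bits */

long    tls_proto_options(int protomask)
{
    long    options = 0L;

    if (protomask & TLS_PROTOCOL_SSLv2)
	options |= SSL_OP_NO_SSLv2;
    if (protomask & TLS_PROTOCOL_SSLv3)
	options |= SSL_OP_NO_SSLv3;
    if (protomask & TLS_PROTOCOL_TLSv1)
	options |= SSL_OP_NO_TLSv1;
#ifdef SSL_OP_NO_TLSv1_1
    if (protomask & TLS_PROTOCOL_TLSv1_1)
	options |= SSL_OP_NO_TLSv1_1;
#endif
#ifdef SSL_OP_NO_TLSv1_2
    if (protomask & TLS_PROTOCOL_TLSv1_2)
	options |= SSL_OP_NO_TLSv1_2;
#endif
    return (options);
}
```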
diff --exclude=man --exclude=html --exclude=README_FILES --exclude=INSTALL --exclude=.indent.pro --exclude=Makefile.in -r -cr --exclude=WISHLIST /var/tmp/postfix-2.10-20120407/src/tls/tls_misc.c ./src/tls/tls_misc.c
*** /var/tmp/postfix-2.10-20120407/src/tls/tls_misc.c	Mon Dec  5 16:03:07 2011
--- ./src/tls/tls_misc.c	Sun Apr 22 18:08:04 2012
***************
*** 224,229 ****
--- 224,235 ----
      SSL_TXT_SSLV2, TLS_PROTOCOL_SSLv2,
      SSL_TXT_SSLV3, TLS_PROTOCOL_SSLv3,
      SSL_TXT_TLSV1, TLS_PROTOCOL_TLSv1,
+ #ifdef SSL_TXT_TLSV1_1
+     SSL_TXT_TLSV1_1, TLS_PROTOCOL_TLSv1_1,
+ #endif
+ #ifdef SSL_TXT_TLSV1_2
+     SSL_TXT_TLSV1_2, TLS_PROTOCOL_TLSv1_2,
+ #endif
      0, TLS_PROTOCOL_INVALID,
  };
  
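Review bot: When the linked OpenSSL lacks SSL_TXT_TLSV1_1 (or SSL_TXT_TLSV1_2), the new entries are compiled out entirely, so — assuming tls_protocol_mask(), which is outside this hunk, maps an unlisted name to TLS_PROTOCOL_INVALID — a main.cf that says `!TLSv1.1` is rejected on that host rather than treated as a no-op, even though tls.h deliberately defines the bit as 0 ("Unknown") for the same case. Whether a hard error or silent acceptance is wanted for a configuration shared between hosts with different OpenSSL versions is a design choice, but the table does not say which was chosen. Suggest a comment above the table (its definition starts before this hunk): `/* Entries appear only when the linked OpenSSL defines the name; a protocol this build does not know is an error, not a no-op. */`.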
diff --exclude=man --exclude=html --exclude=README_FILES --exclude=INSTALL --exclude=.indent.pro --exclude=Makefile.in -r -cr --exclude=WISHLIST /var/tmp/postfix-2.10-20120407/src/tls/tls_server.c ./src/tls/tls_server.c
*** /var/tmp/postfix-2.10-20120407/src/tls/tls_server.c	Mon Dec  5 16:03:07 2011
--- ./src/tls/tls_server.c	Sun Apr 22 18:13:25 2012
***************
*** 403,408 ****
--- 403,414 ----
      if (protomask != 0)
  	SSL_CTX_set_options(server_ctx,
  		   ((protomask & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L)
+ #ifdef SSL_OP_NO_TLSv1_1
+ 	     | ((protomask & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L)
+ #endif
+ #ifdef SSL_OP_NO_TLSv1_2
+ 	     | ((protomask & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L)
+ #endif
  		 | ((protomask & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L)
  	       | ((protomask & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L));