Description: switch to SSLv23_client_method() and use CTX options to select protocol
With us disabling SSLv3 we now either will not build (on Debian) or
coredump during initialisation. As per the Debian bug recommendation
switch to always using SSLv23_client_method() as that can handle the best
protocol available (including TLS etc.) going forward. Where we need to
specify a specific protocol, start using SSL_CTX_set_options() to limit
the negotiable protocols.
Author: Andy Whitcroft <apw@ubuntu.com>
Bug-Debian: https://bugs.debian.org/804457
Bug-Ubuntu: https://launchpad.net/bugs/1516585
Index: imapfilter.git/src/imapfilter.c
===================================================================
--- imapfilter.git.orig/src/imapfilter.c
+++ imapfilter.git/src/imapfilter.c
@@ -21,10 +21,7 @@
extern buffer ibuf, obuf, nbuf, cbuf;
extern regexp responses[];
-extern SSL_CTX *ssl3ctx, *ssl23ctx, *tls1ctx;
-#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
-extern SSL_CTX *tls11ctx, *tls12ctx;
-#endif
+extern SSL_CTX *ssl23ctx;
options opts; /* Program options. */
environment env; /* Environment variables. */
@@ -114,24 +111,12 @@ main(int argc, char *argv[])
SSL_library_init();
SSL_load_error_strings();
- ssl3ctx = SSL_CTX_new(SSLv3_client_method());
ssl23ctx = SSL_CTX_new(SSLv23_client_method());
- tls1ctx = SSL_CTX_new(TLSv1_client_method());
-#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
- tls11ctx = SSL_CTX_new(TLSv1_1_client_method());
- tls12ctx = SSL_CTX_new(TLSv1_2_client_method());
-#endif
if (exists_dir(opts.truststore))
capath = opts.truststore;
else if (exists_file(opts.truststore))
cafile = opts.truststore;
- SSL_CTX_load_verify_locations(ssl3ctx, cafile, capath);
SSL_CTX_load_verify_locations(ssl23ctx, cafile, capath);
- SSL_CTX_load_verify_locations(tls1ctx, cafile, capath);
-#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
- SSL_CTX_load_verify_locations(tls11ctx, cafile, capath);
- SSL_CTX_load_verify_locations(tls12ctx, cafile, capath);
-#endif
start_lua();
#if LUA_VERSION_NUM < 502
@@ -150,13 +135,7 @@ main(int argc, char *argv[])
#endif
stop_lua();
- SSL_CTX_free(ssl3ctx);
SSL_CTX_free(ssl23ctx);
- SSL_CTX_free(tls1ctx);
-#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
- SSL_CTX_free(tls11ctx);
- SSL_CTX_free(tls12ctx);
-#endif
ERR_free_strings();
regexp_free(responses);
Index: imapfilter.git/src/socket.c
===================================================================
--- imapfilter.git.orig/src/socket.c
+++ imapfilter.git/src/socket.c
@@ -17,11 +17,7 @@
#include "session.h"
-SSL_CTX *ssl3ctx, *ssl23ctx, *tls1ctx;
-#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
-SSL_CTX *tls11ctx, *tls12ctx;
-#endif
-
+SSL_CTX *ssl23ctx;
/*
* Connect to mail server.
@@ -90,28 +86,28 @@ int
open_secure_connection(session *ssn)
{
int r, e;
- SSL_CTX *ctx;
+ SSL_CTX *ctx = ssl23ctx;
- if (!ssn->sslproto) {
- ctx = ssl23ctx;
- } else if (!strcasecmp(ssn->sslproto, "ssl3")) {
- ctx = ssl3ctx;
+ if (!strcasecmp(ssn->sslproto, "ssl3")) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSL_MASK);
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
} else if (!strcasecmp(ssn->sslproto, "tls1")) {
- ctx = tls1ctx;
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSL_MASK);
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1);
} else if (!strcasecmp(ssn->sslproto, "tls1.1")) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSL_MASK);
#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
- ctx = tls11ctx;
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_1);
#else
- ctx = tls1ctx;
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1);
#endif
} else if (!strcasecmp(ssn->sslproto, "tls1.2")) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSL_MASK);
#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
- ctx = tls12ctx;
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_2);
#else
- ctx = tls1ctx;
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1);
#endif
- } else {
- ctx = ssl23ctx;
}
if (!(ssn->sslconn = SSL_new(ctx)))
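Review bot: The first `if (!strcasecmp(ssn->sslproto, "ssl3"))` now calls strcasecmp without the `if (!ssn->sslproto)` guard the removed lines had, so a session with no sslproto set dereferences NULL. The options are also written into the single global `ssl23ctx` created in main(), and because SSL_CTX_set_options only adds bits, the `SSL_OP_NO_SSL_MASK` set for one session stays set for every later session — a following session with no or an unrecognised sslproto no longer gets the old "negotiate the best protocol" behaviour but inherits whatever the previous session pinned (after an "ssl3" session that is SSLv3 only), which is both a silent downgrade risk and a source of hard-to-diagnose connection failures. I would leave the shared context untouched: select the `SSL_OP_NO_*` bit to keep in the chain, then apply the mask to the per-connection object after `SSL_new` with `SSL_set_options`/`SSL_clear_options`, which start from the context's options and affect only this connection. open_secure_connection continues past the hunk; the SSL_new failure path is not visible here.
```c
	int r, e;
	SSL_CTX *ctx = ssl23ctx;
	long allow = 0;	/* SSL_OP_NO_* bit to re-enable for the requested protocol; 0 = negotiate */

	if (ssn->sslproto && !strcasecmp(ssn->sslproto, "ssl3")) {
		allow = SSL_OP_NO_SSLv3;
	} else if (ssn->sslproto && !strcasecmp(ssn->sslproto, "tls1")) {
		allow = SSL_OP_NO_TLSv1;
	} else if (ssn->sslproto && !strcasecmp(ssn->sslproto, "tls1.1")) {
#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
		allow = SSL_OP_NO_TLSv1_1;
#else
		allow = SSL_OP_NO_TLSv1;
#endif
	} else if (ssn->sslproto && !strcasecmp(ssn->sslproto, "tls1.2")) {
#if OPENSSL_VERSION_NUMBER >= 0x01000100fL
		allow = SSL_OP_NO_TLSv1_2;
#else
		allow = SSL_OP_NO_TLSv1;
#endif
	}

	if (!(ssn->sslconn = SSL_new(ctx)))
		/* … unchanged: SSL_new failure path (outside the hunk) … */
	if (allow) {
		/* Pin the protocol on this connection only; ssl23ctx is never modified. */
		SSL_set_options(ssn->sslconn, SSL_OP_NO_SSL_MASK);
		SSL_clear_options(ssn->sslconn, allow);
	}
```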