From b4250036c6a41e815a8190a1f44ee974c1fbb733 Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@normation.com>
Date: Mon, 17 Jul 2017 22:17:22 +0200
Subject: [PATCH] feat(transport): Disallow TLS 1.0 by default

---
 lettre/src/smtp/client/net.rs |  6 +++++-
 lettre/src/smtp/error.rs      | 11 +++++++++++
 lettre/src/smtp/mod.rs        |  7 ++++++-
 3 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/lettre/src/smtp/client/net.rs b/lettre/src/smtp/client/net.rs
index 7253aa8..626a96e 100644
--- a/lettre/src/smtp/client/net.rs
+++ b/lettre/src/smtp/client/net.rs
@@ -1,6 +1,6 @@
 //! A trait to represent a stream
 
-use native_tls::{TlsConnector, TlsStream};
+use native_tls::{TlsConnector, TlsStream, Protocol};
 use smtp::client::mock::MockStream;
 use std::io::{self, ErrorKind, Read, Write};
 use std::net::{Ipv4Addr, Shutdown, SocketAddr, SocketAddrV4, TcpStream};
@@ -25,6 +25,10 @@ impl ClientTlsParameters {
     }
 }
 
+/// Accepted protocols by default.
+/// This removes TLS 1.0 compared to tls-native defaults.
+pub const DEFAULT_TLS_PROTOCOLS : &'static [Protocol] = &[Protocol::Tlsv11, Protocol::Tlsv12];
+
 #[derive(Debug)]
 /// Represents the different types of underlying network streams
 pub enum NetworkStream {
diff --git a/lettre/src/smtp/error.rs b/lettre/src/smtp/error.rs
index c1996d7..67fdfa9 100644
--- a/lettre/src/smtp/error.rs
+++ b/lettre/src/smtp/error.rs
@@ -8,6 +8,7 @@ use std::fmt;
 use std::fmt::{Display, Formatter};
 use std::io;
 use std::string::FromUtf8Error;
+use native_tls;
 
 /// An enum of all error kinds.
 #[derive(Debug)]
@@ -32,6 +33,8 @@ pub enum Error {
     Resolution,
     /// IO error
     Io(io::Error),
+    /// TLS error
+    Tls(native_tls::Error),
 }
 
 impl Display for Error {
@@ -64,6 +67,7 @@ impl StdError for Error {
             Resolution => "could not resolve hostname",
             Client(err) => err,
             Io(ref err) => err.description(),
+            Tls(ref err) => err.description(),
         }
     }
 
@@ -72,6 +76,7 @@ impl StdError for Error {
             ChallengeParsing(ref err) => Some(&*err as &StdError),
             Utf8Parsing(ref err) => Some(&*err as &StdError),
             Io(ref err) => Some(&*err as &StdError),
+            Tls(ref err) => Some(&*err as &StdError),
             _ => None,
         }
     }
@@ -83,6 +88,12 @@ impl From<io::Error> for Error {
     }
 }
 
+impl From<native_tls::Error> for Error {
+    fn from(err: native_tls::Error) -> Error {
+        Tls(err)
+    }
+}
+
 impl From<Response> for Error {
     fn from(response: Response) -> Error {
         match response.code.severity {
diff --git a/lettre/src/smtp/mod.rs b/lettre/src/smtp/mod.rs
index ce995ad..b86739f 100644
--- a/lettre/src/smtp/mod.rs
+++ b/lettre/src/smtp/mod.rs
@@ -113,6 +113,7 @@ use smtp::client::Client;
 use smtp::client::net::ClientTlsParameters;
 use smtp::commands::*;
 use smtp::error::{Error, SmtpResult};
+use smtp::client::net::DEFAULT_TLS_PROTOCOLS;
 use smtp::extension::{ClientId, Extension, MailBodyParameter, MailParameter, ServerInfo};
 use std::io::Read;
 use std::net::{SocketAddr, ToSocketAddrs};
@@ -322,9 +323,13 @@ impl<'a> SmtpTransport {
     /// Creates an encrypted transport over submission port, using the provided domain
     /// to validate TLS certificates.
     pub fn simple_builder(domain: String) -> Result<SmtpTransportBuilder, Error> {
+
+        let mut tls_builder = TlsConnector::builder()?;
+        tls_builder.supported_protocols(DEFAULT_TLS_PROTOCOLS)?;
+
         let tls_parameters = ClientTlsParameters::new(
             domain.clone(),
-            TlsConnector::builder().unwrap().build().unwrap(),
+            tls_builder.build().unwrap(),
         );
 
         SmtpTransportBuilder::new(