Menu
▾
▴
[AOLSERVER-COMMITS] nsopenssl ChangeLog, 1.119, 1.120 defaults.h, 1.4, 1.5 sslcontext.c, 1.13, 1.14
|
From: Scott S. G. <sc...@us...> - 2016-12-18 18:22:00
|
Update of /cvsroot/aolserver/nsopenssl In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv22782 Modified Files: ChangeLog defaults.h sslcontext.c Log Message: * sslcontext.c: Fixed Protocols string processing and setting of SSL/TLS protocols. The existing code wasn't doing the right things, and is now processing the Protocols string properly. Added the TLSv1.1 and TLSv1.2 protocols as options. The 'All' parameter in the Protocols string is dangerous as it will silently turn on SSLv2 and SSLv3, so better logging information has been added. Needs to be refactored to simplify the code (will do that another time). Also fixed the ECDH notice about failing to set ECDH parameters when they were actually set successfully. * defaults.h: Updated DEFAULT_PROTOCOLS to be more secure. SSLv2 and SSLv3 are not secure and we take them out up front. We don't use the "All" parameter. ns_param Protocols "-SSLv2 -SSLv3 TLSv1 TLSv1.1 TLSv1.2" Index: sslcontext.c =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/sslcontext.c,v retrieving revision 1.13 retrieving revision 1.14 diff -C2 -d -r1.13 -r1.14 *** sslcontext.c 17 Dec 2016 22:55:49 -0000 1.13 --- sslcontext.c 18 Dec 2016 18:21:58 -0000 1.14 *************** *** 294,298 **** EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); ! if (ecdh == NULL || SSL_CTX_set_tmp_ecdh(sslcontext->sslctx, ecdh) == 1) { Ns_Log(Error, "%s (%s): failed to set ECDH parameters - some ciphers will not be available", MODULE, server); --- 294,298 ---- EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); ! if (ecdh == NULL || SSL_CTX_set_tmp_ecdh(sslcontext->sslctx, ecdh) != 1) { Ns_Log(Error, "%s (%s): failed to set ECDH parameters - some ciphers will not be available", MODULE, server); *************** *** 1858,1890 **** char *lprotocols = NULL; ! bits = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1; if (sslcontext->protocols == NULL) { ! Ns_Log(Notice, "%s (%s): '%s' protocol parameter not set; using all protocols: SSLv2, SSLv3 and TLSv1", ! MODULE, sslcontext->server, sslcontext->name); bits &= ~bits; ! } else { ! lprotocols = ns_strdup(sslcontext->protocols); ! lprotocols = Ns_StrToLower(lprotocols); ! if (strstr(lprotocols, "all") != NULL) { ! Ns_Log(Notice, "%s (%s): '%s' using all protocols: SSLv2, SSLv3 and TLSv1", ! MODULE, sslcontext->server, sslcontext->name); ! bits &= ~bits; ! } else { ! if (strstr(lprotocols, "sslv2") != NULL) { ! Ns_Log(Notice, "%s (%s): '%s' using SSLv2 protocol", MODULE, sslcontext->server, sslcontext->name); ! bits &= ~SSL_OP_NO_SSLv2; ! } ! if (strstr(lprotocols, "sslv3") != NULL) { ! Ns_Log(Notice, "%s (%s): '%s' using SSLv3 protocol", MODULE, sslcontext->server, sslcontext->name); ! bits &= ~SSL_OP_NO_SSLv3; ! } ! if (strstr(lprotocols, "tlsv1") != NULL) { ! Ns_Log(Notice, "%s (%s): '%s' using TLSv1 protocol", ! MODULE, sslcontext->server, sslcontext->name); ! bits &= ~SSL_OP_NO_TLSv1; ! } ! } ! ns_free(lprotocols); } if (SSL_CTX_set_options(sslcontext->sslctx, bits) == 0) { Ns_Log(Error, "%s (%s): protocol initialization failed", --- 1858,1927 ---- char *lprotocols = NULL; ! /* Turn off all protocols to start with */ ! bits = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2; ! ! /* This should always be set when the context is initialized, but just in case ... */ if (sslcontext->protocols == NULL) { ! sslcontext->protocols = DEFAULT_PROTOCOLS; ! Ns_Log(Notice, "%s (%s): '%s' no Protocols string is set in the config file - using the default: %s", ! MODULE, sslcontext->server, sslcontext->name, DEFAULT_PROTOCOLS); ! } ! ! lprotocols = Ns_StrToLower(ns_strdup(sslcontext->protocols)); ! ! if (strstr(lprotocols, "all") != NULL) { bits &= ~bits; ! Ns_Log(Warning, "%s (%s): '%s' enabling all protocols; ensure you turn off SSLv2 and SSLv3 in config Protocols string as they are insecure", ! MODULE, sslcontext->server, sslcontext->name); ! Ns_Log(Notice, "%s (%s): '%s' you are using this Protocols string: %s", ! MODULE, sslcontext->server, sslcontext->name, sslcontext->protocols); ! Ns_Log(Notice, "%s (%s): '%s' consider using this Protocols string instead: %s", ! MODULE, sslcontext->server, sslcontext->name, "ALL -SSLv2 -SSLv3"); } + + if (strstr(lprotocols, "-sslv2") != NULL) { + Ns_Log(Notice, "%s (%s): '%s' disabling SSLv2 protocol", MODULE, sslcontext->server, sslcontext->name); + bits |= SSL_OP_NO_SSLv2; + } else if (strstr(lprotocols, "sslv2") != NULL) { + Ns_Log(Warning, "%s (%s): '%s' enabling SSLv2 protocol - SSLv2 is insecure and should not be used", + MODULE, sslcontext->server, sslcontext->name); + bits &= ~SSL_OP_NO_SSLv2; + } + + if (strstr(lprotocols, "-sslv3") != NULL) { + Ns_Log(Notice, "%s (%s): '%s' disabling SSLv3 protocol", MODULE, sslcontext->server, sslcontext->name); + bits |= SSL_OP_NO_SSLv3; + } else if (strstr(lprotocols, "sslv3") != NULL) { + Ns_Log(Warning, "%s (%s): '%s' enabling SSLv3 protocol - SSLv3 is insecure and should not be used", + MODULE, sslcontext->server, sslcontext->name); + bits &= ~SSL_OP_NO_SSLv3; + } + + if (strstr(lprotocols, "-tlsv1") != NULL) { + Ns_Log(Notice, "%s (%s): '%s' disabling TLSv1 protocol", MODULE, sslcontext->server, sslcontext->name); + bits |= SSL_OP_NO_TLSv1; + } else if (strstr(lprotocols, "tlsv1") != NULL) { + Ns_Log(Notice, "%s (%s): '%s' enabling TLSv1 protocol", MODULE, sslcontext->server, sslcontext->name); + bits &= ~SSL_OP_NO_TLSv1; + } + + if (strstr(lprotocols, "-tlsv1.1") != NULL) { + Ns_Log(Notice, "%s (%s): '%s' disabling TLSv1.1 protocol", MODULE, sslcontext->server, sslcontext->name); + bits |= SSL_OP_NO_TLSv1_1; + } else if (strstr(lprotocols, "tlsv1.1") != NULL) { + Ns_Log(Notice, "%s (%s): '%s' enabling TLSv1.1 protocol", MODULE, sslcontext->server, sslcontext->name); + bits &= ~SSL_OP_NO_TLSv1_1; + } + + if (strstr(lprotocols, "-tlsv1.2") != NULL) { + Ns_Log(Notice, "%s (%s): '%s' disabling TLSv1.2 protocol", MODULE, sslcontext->server, sslcontext->name); + bits |= SSL_OP_NO_TLSv1_2; + } else if (strstr(lprotocols, "tlsv1.2") != NULL) { + Ns_Log(Notice, "%s (%s): '%s' enabling TLSv1.2 protocol", MODULE, sslcontext->server, sslcontext->name); + bits &= ~SSL_OP_NO_TLSv1_2; + } + + ns_free(lprotocols); + if (SSL_CTX_set_options(sslcontext->sslctx, bits) == 0) { Ns_Log(Error, "%s (%s): protocol initialization failed", Index: defaults.h =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/defaults.h,v retrieving revision 1.4 retrieving revision 1.5 diff -C2 -d -r1.4 -r1.5 *** defaults.h 24 Jun 2004 03:29:37 -0000 1.4 --- defaults.h 18 Dec 2016 18:21:58 -0000 1.5 *************** *** 10,14 **** #define SERVER_ROLE 1 #define CLIENT_ROLE 0 ! #define DEFAULT_PROTOCOLS "All" #define DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST //#define DEFAULT_CERT_FILE "certificate.pem" --- 10,14 ---- #define SERVER_ROLE 1 #define CLIENT_ROLE 0 ! #define DEFAULT_PROTOCOLS "-SSLv2 -SSLv3 TLSv1 TLSv1.1 TLSv1.2" #define DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST //#define DEFAULT_CERT_FILE "certificate.pem" Index: ChangeLog =================================================================== RCS file: /cvsroot/aolserver/nsopenssl/ChangeLog,v retrieving revision 1.119 retrieving revision 1.120 diff -C2 -d -r1.119 -r1.120 *** ChangeLog 17 Dec 2016 22:55:49 -0000 1.119 --- ChangeLog 18 Dec 2016 18:21:58 -0000 1.120 *************** *** 1,14 **** ! 2016-12-17 Scott S. Goodwin <sc...@sc...> ! * sslcontext.c: Set up ECDH parameters to enable the use of ciphers ! that require these parameters, some of which provide for forward ! secrecy. Without configured ECDH paramaters, OpenSSL silently ignores ! ciphers that require them, even if you expliticly add them to the ! CipherSuite configuration string. Also minor cleanup of the DH code ! committed yesterday. ! See: https://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman ! 2016-12-16 Scott S. Goodwin <sc...@sc...> * sslcontext.c: Set up ECDH parameters to enable the use of ciphers --- 1,21 ---- ! 2016-12-18 Scott S. Goodwin <sc...@sc...> ! * sslcontext.c: Fixed Protocols string processing and setting of ! SSL/TLS protocols. The existing code wasn't doing the right things, ! and is now processing the Protocols string properly. Added the ! TLSv1.1 and TLSv1.2 protocols as options. The 'All' parameter in the ! Protocols string is dangerous as it will silently turn on SSLv2 and ! SSLv3, so better logging information has been added. Needs to be ! refactored to simplify the code (will do that another time). Also ! fixed the ECDH notice about failing to set ECDH parameters when they ! were actually set successfully. ! * defaults.h: Updated DEFAULT_PROTOCOLS to be more secure. SSLv2 and ! SSLv3 are not secure and we take them out up front. We don't use the ! "All" parameter. ! ns_param Protocols "-SSLv2 -SSLv3 TLSv1 TLSv1.1 TLSv1.2" ! ! 2016-12-17 Scott S. Goodwin <sc...@sc...> * sslcontext.c: Set up ECDH parameters to enable the use of ciphers *************** *** 16,20 **** secrecy. Without configured ECDH paramaters, OpenSSL silently ignores ciphers that require them, even if you expliticly add them to the ! CipherSuite configuration string. See: https://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman --- 23,28 ---- secrecy. Without configured ECDH paramaters, OpenSSL silently ignores ciphers that require them, even if you expliticly add them to the ! CipherSuite configuration string. Also minor cleanup of the DH code ! committed yesterday. See: https://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman |