From: Dave H. <hel...@us...> - 2014-12-21 19:28:00
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "sfcb - Small Footprint CIM Broker". The branch, master has been updated via decd3c6b996ed5f10b5cb4ac1b23f37c36cd00cb (commit) from cd0689e1b9150be739f281043d7c568dc54379eb (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit decd3c6b996ed5f10b5cb4ac1b23f37c36cd00cb Author: Dave Heller <hel...@us...> Date: Sun Dec 21 14:26:53 2014 -0500 [sfcb-tix:#110] Allow older SSL protocols to be disabled ----------------------------------------------------------------------- Summary of changes: control.c | 2 ++ httpAdapter.c | 19 +++++++++++++------ sfcb.cfg.pre.in | 7 +++++++ 3 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/control.c b/control.c
index ed0e5df..95ca246 100644
--- a/control.c
+++ b/control.c
@@ -175,6 +175,8 @@ static Control init[] = {
 {"sslCiphers", CTL_STRING, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH", {0}},
 {"sslDhParamsFilePath", CTL_STRING, NULL, {0}},
 {"sslEcDhCurveName", CTL_STRING, "secp224r1", {0}},
+ {"sslNoSSLv3", CTL_BOOL, NULL, {.b=0}},
+ {"sslNoTLSv1", CTL_BOOL, NULL, {.b=0}},
 {"enableSslCipherServerPref", CTL_BOOL, NULL, {.b=0}},
 {"registrationDir", CTL_STRING, SFCB_STATEDIR "/registration", {0}},
diff --git a/httpAdapter.c b/httpAdapter.c
index 2719e6c..67b6860 100644
--- a/httpAdapter.c
+++ b/httpAdapter.c
@@ -2039,7 +2039,7 @@ initSSL()
 *fdhp,
 *sslCiphers;
 int rc,
- escsp;
+ sslopt;
 if (ctx)
 SSL_CTX_free(ctx);
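Review bot: Both new entries in control.c default to `{.b=0}`, so SSLv3 remains enabled on every deployment that does not explicitly opt out, even though SSLv3 was already known to be broken when this was written (the POODLE padding-oracle attack against SSLv3 was published in October 2014, two months before this commit). The secure default is `{"sslNoSSLv3", CTL_BOOL, NULL, {.b=1}},`, with the `Default is false for both` line in sfcb.cfg.pre.in adjusted to match. If an opt-in default is deliberate for compatibility with older CIM clients, that reasoning belongs in the commit message or the config template comment so operators can see the trade-off they are inheriting. The `init[]` table starts and ends outside this hunk.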
@@ -2087,14 +2087,21 @@ initSSL()
 /*
 * Set options
 */
- SSL_CTX_set_options(ctx, SSL_OP_ALL |
- SSL_OP_NO_SSLv2 |
- SSL_OP_SINGLE_DH_USE);
+ long options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2;
- if (!getControlBool("enableSslCipherServerPref", &escsp) && escsp) {
+ if (!getControlBool("sslNoSSLv3", &sslopt) && sslopt)
+ options |= SSL_OP_NO_SSLv3;
+ if (!getControlBool("sslNoTLSv1", &sslopt) && sslopt)
+ options |= SSL_OP_NO_TLSv1;
+ _SFCB_TRACE(1, ("--- sslNoSSLv3=%s, sslNoTLSv1=%s",
+ (options & SSL_OP_NO_SSLv3 ? "true" : "false"),
+ (options & SSL_OP_NO_TLSv1 ? "true" : "false")));
+
+ if (!getControlBool("enableSslCipherServerPref", &sslopt) && sslopt) {
 _SFCB_TRACE(1, ("--- enableSslCipherServerPref = true"));
- SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
 }
+ SSL_CTX_set_options(ctx, options);
 /*
 * Set valid ciphers
diff --git a/sfcb.cfg.pre.in b/sfcb.cfg.pre.in
index 77a2155..fdcfb2e 100644
--- a/sfcb.cfg.pre.in
+++ b/sfcb.cfg.pre.in
@@ -288,6 +288,13 @@ certificateAuthLib: sfcCertificateAuthentication
 ## weak ciphers.
 sslCiphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
+## When set to true, disable the indicated SSL/TLS protocol. This sets
+## the corresponding openssl option SSL_OP_NO_SSLv3 or SSL_OP_NO_TLSv1.
+## See man SSL_CTX_set_options(3) for details.
+## Default is false for both
+#sslNoSSLv3: false
+#sslNoTLSv1: false
+
 ## Optionally configure a DH parameters file for ephemeral key generation.
 ## See man SSL_CTX_set_tmp_dh_callback(3) for details. The value should be
 ## the full path to the file. Note that ephemeral key generation will still
hooks/post-receive -- sfcb - Small Footprint CIM Broker |
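Review bot: The new option handling in initSSL() lets an operator turn off SSLv3 and TLS 1.0 but provides no `SSL_OP_NO_TLSv1_1` knob, so the usual hardening target of a TLS 1.2-only listener cannot be expressed through this interface. The natural extension is a third check beside the two added here, `if (!getControlBool("sslNoTLSv1_1", &sslopt) && sslopt) options |= SSL_OP_NO_TLSv1_1;`, wrapped in `#ifdef SSL_OP_NO_TLSv1_1` because that constant only exists from OpenSSL 1.0.1 onward, plus the matching `CTL_BOOL` entry in control.c and a line in the config template. On style, `long options` is declared mid-block after the comment while initSSL() keeps its other locals at the top of the function (`int rc, sslopt;` in the earlier hunk); moving it into that declaration list keeps the function consistent and avoids relying on C99 mixed declarations. The rest of initSSL() lies outside this hunk.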