From: Dave H. <hel...@us...> - 2014-12-22 00:20:45
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "sfcb - Small Footprint CIM Broker".
The branch, master_1.3 has been updated via 155e19f6664719711c97dd1519baa95d1d71a3f7 (commit) from 23352ebf56d78632d05e0879c293039c7da52c30 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 155e19f6664719711c97dd1519baa95d1d71a3f7
Author: Dave Heller <hel...@us...>
Date: Sun Dec 21 19:18:56 2014 -0500
[sfcb-tix:#110] Allow older SSL protocols to be disabled
-----------------------------------------------------------------------
Summary of changes:
control.c | 2 ++
httpAdapter.c | 19 +++++++++++++------
sfcb.cfg.pre.in | 7 +++++++
3 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/control.c b/control.c
index 830ff57..6c25431 100644
--- a/control.c
+++ b/control.c
@@ -111,6 +111,8 @@ static Control init[] = {
 {"sslCiphers", 0, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"},
 {"sslDhParamsFilePath", 0, NULL},
 {"sslEcDhCurveName", 0, "secp224r1"},
+ {"sslNoSSLv3", 2, "false"},
+ {"sslNoTLSv1", 2, "false"},
 {"enableSslCipherServerPref", 2, "false"},
 {"registrationDir", 0, SFCB_STATEDIR "/registration"},
diff --git a/httpAdapter.c b/httpAdapter.c
index 2d1569e..7f3b569 100644
--- a/httpAdapter.c
+++ b/httpAdapter.c
@@ -1703,7 +1703,7 @@ initSSL()
 *fdhp,
 *sslCiphers;
 int rc,
- escsp;
+ sslopt;
 if (ctx)
 SSL_CTX_free(ctx);
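Review bot: Both new `init[]` entries default to `"false"`, so a stock install keeps negotiating SSLv3, which POODLE (CVE-2014-3566, disclosed October 2014) had already made unsafe by the date of this commit; unless SSLv3-only CIM clients are a stated requirement, the safer default is `{"sslNoSSLv3", 2, "true"},` with the "Default is false for both" text in sfcb.cfg.pre.in updated to match. Leaving `sslNoTLSv1` off by default is defensible for client compatibility. A short comment above the pair, `/* SSLv2 is always disabled in initSSL(); these only gate SSLv3 and TLSv1 */`, would tell the next maintainer where the protocol floor is actually set. The `init[]` array starts and ends outside this hunk.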
@@ -1749,14 +1749,21 @@ initSSL()
 /*
 * Set options
 */
- SSL_CTX_set_options(ctx, SSL_OP_ALL |
- SSL_OP_NO_SSLv2 |
- SSL_OP_SINGLE_DH_USE);
+ long options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2;
- if (!getControlBool("enableSslCipherServerPref", &escsp) && escsp) {
+ if (!getControlBool("sslNoSSLv3", &sslopt) && sslopt)
+ options |= SSL_OP_NO_SSLv3;
+ if (!getControlBool("sslNoTLSv1", &sslopt) && sslopt)
+ options |= SSL_OP_NO_TLSv1;
+ _SFCB_TRACE(1, ("--- sslNoSSLv3=%s, sslNoTLSv1=%s",
+ (options & SSL_OP_NO_SSLv3 ? "true" : "false"),
+ (options & SSL_OP_NO_TLSv1 ? "true" : "false")));
+
+ if (!getControlBool("enableSslCipherServerPref", &sslopt) && sslopt) {
 _SFCB_TRACE(1, ("--- enableSslCipherServerPref = true"));
- SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
 }
+ SSL_CTX_set_options(ctx, options);
 /*
 * Set valid ciphers
diff --git a/sfcb.cfg.pre.in b/sfcb.cfg.pre.in
index 2f78beb..c030abd 100644
--- a/sfcb.cfg.pre.in
+++ b/sfcb.cfg.pre.in
@@ -208,6 +208,13 @@ certificateAuthLib: sfcCertificateAuthentication
 ## weak ciphers.
 sslCiphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
+## When set to true, disable the indicated SSL/TLS protocol. This sets
+## the corresponding openssl option SSL_OP_NO_SSLv3 or SSL_OP_NO_TLSv1.
+## See man SSL_CTX_set_options(3) for details.
+## Default is false for both
+#sslNoSSLv3: false
+#sslNoTLSv1: false
+
 ## Optionally configure a DH parameters file for ephemeral key generation.
 ## See man SSL_CTX_set_tmp_dh_callback(3) for details. The value should be
 ## the full path to the file. Note that ephemeral key generation will still
hooks/post-receive -- sfcb - Small Footprint CIM Broker |
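Review bot: The new `options` mask only knows SSLv3 and TLSv1, so an operator who wants a TLS 1.2-only broker still cannot turn off TLSv1.1 even though the `|=` pattern introduced here makes that a two-line addition; I would add an `sslNoTLSv1_1` knob guarded by `#ifdef SSL_OP_NO_TLSv1_1` (older OpenSSL builds lack the constant), with matching entries in control.c and sfcb.cfg.pre.in. Separately, `long options` is declared mid-block while the rest of initSSL's locals sit in the declaration list at the top (the previous hunk renames `escsp` to `sslopt` there); moving it up keeps the function consistent with the file's C89-style layout. A pre-existing caveat worth a comment on the `SSL_OP_ALL` line: that mask includes `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS`, so deployments that keep TLSv1 enabled run without OpenSSL's BEAST countermeasure. initSSL continues outside this hunk.
```c
  if (!getControlBool("sslNoTLSv1", &sslopt) && sslopt)
    options |= SSL_OP_NO_TLSv1;
#ifdef SSL_OP_NO_TLSv1_1
  if (!getControlBool("sslNoTLSv1_1", &sslopt) && sslopt)
    options |= SSL_OP_NO_TLSv1_1;
#endif
  /* … unchanged: trace, cipher-server-preference option, SSL_CTX_set_options … */
```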
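Review bot: The new comment block explains the two switches but not what remains negotiable once both are true, nor that SSLv2 is already refused unconditionally in initSSL(); after the `See man SSL_CTX_set_options(3)` line I would add `## SSLv2 is always disabled. With both set to true only TLSv1.1 and later,` / `## as supported by the linked OpenSSL, remain enabled.`. It is also worth stating that `sslNoTLSv1: true` is only meaningful together with `sslNoSSLv3: true`, since a client refused TLSv1 can otherwise still settle on SSLv3. Documentation-only suggestion; the config section starts outside this hunk.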