This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "sfcb - Small Footprint CIM Broker".
The branch, master_1.3 has been updated
via 155e19f6664719711c97dd1519baa95d1d71a3f7 (commit)
from 23352ebf56d78632d05e0879c293039c7da52c30 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 155e19f6664719711c97dd1519baa95d1d71a3f7
Author: Dave Heller <hel...@us...>
Date: Sun Dec 21 19:18:56 2014 -0500
[sfcb-tix:#110] Allow older SSL protocols to be disabled
-----------------------------------------------------------------------
Summary of changes:
control.c | 2 ++
httpAdapter.c | 19 +++++++++++++------
sfcb.cfg.pre.in | 7 +++++++
3 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/control.c b/control.c
index 830ff57..6c25431 100644
--- a/control.c
+++ b/control.c
@@ -111,6 +111,8 @@ static Control init[] = {
{"sslCiphers", 0, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"},
{"sslDhParamsFilePath", 0, NULL},
{"sslEcDhCurveName", 0, "secp224r1"},
+ {"sslNoSSLv3", 2, "false"},
+ {"sslNoTLSv1", 2, "false"},
{"enableSslCipherServerPref", 2, "false"},
{"registrationDir", 0, SFCB_STATEDIR "/registration"},
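Review bot: Both new entries default to `"false"`, so SSLv3 and TLSv1 remain enabled unless an administrator explicitly opts out, which leaves a fresh install on the less-secure setting the commit exists to allow disabling. If compatibility is the reason for the default, a short comment on the lines would keep that decision visible to the next maintainer, e.g. `/* default false for client compatibility; operators are expected to set sslNoSSLv3 to true */`. The pair also stops at TLSv1; if the OpenSSL version this builds against provides `SSL_OP_NO_TLSv1_1`, a matching entry (e.g. an `sslNoTLSv1_1` key) would make the protocol controls complete rather than requiring another round-trip later. The `init[]` table continues outside the hunk.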
diff --git a/httpAdapter.c b/httpAdapter.c
index 2d1569e..7f3b569 100644
--- a/httpAdapter.c
+++ b/httpAdapter.c
@@ -1703,7 +1703,7 @@ initSSL()
*fdhp,
*sslCiphers;
int rc,
- escsp;
+ sslopt;
if (ctx)
SSL_CTX_free(ctx);
@@ -1749,14 +1749,21 @@ initSSL()
/*
* Set options
*/
- SSL_CTX_set_options(ctx, SSL_OP_ALL |
- SSL_OP_NO_SSLv2 |
- SSL_OP_SINGLE_DH_USE);
+ long options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2;
- if (!getControlBool("enableSslCipherServerPref", &escsp) && escsp) {
+ if (!getControlBool("sslNoSSLv3", &sslopt) && sslopt)
+ options |= SSL_OP_NO_SSLv3;
+ if (!getControlBool("sslNoTLSv1", &sslopt) && sslopt)
+ options |= SSL_OP_NO_TLSv1;
+ _SFCB_TRACE(1, ("--- sslNoSSLv3=%s, sslNoTLSv1=%s",
+ (options & SSL_OP_NO_SSLv3 ? "true" : "false"),
+ (options & SSL_OP_NO_TLSv1 ? "true" : "false")));
+
+ if (!getControlBool("enableSslCipherServerPref", &sslopt) && sslopt) {
_SFCB_TRACE(1, ("--- enableSslCipherServerPref = true"));
- SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
}
+ SSL_CTX_set_options(ctx, options);
/*
* Set valid ciphers
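Review bot: `long options = ...` is declared in the middle of initSSL after executable statements, while the function otherwise keeps its declarations at the top (the earlier hunk only renames `escsp` to `sslopt` in that list); for consistency, add `long options;` to that declaration block and keep only the assignment here, `options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2;`. The trace on the new lines reports the two protocol flags before `SSL_OP_CIPHER_SERVER_PREFERENCE` is folded in, and the final mask returned by `SSL_CTX_set_options` is discarded as before; since the point of the change is to let operators confirm what is disabled, tracing the applied mask once after the call, `_SFCB_TRACE(1, ("--- SSL options = 0x%lx", options));`, would give a single authoritative line. The body of initSSL starts and ends outside the hunk, so I cannot see whether `sslopt` is initialized before the first `getControlBool` call; the `&&` short-circuit means it is only read on success, so that is fine either way.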
diff --git a/sfcb.cfg.pre.in b/sfcb.cfg.pre.in
index 2f78beb..c030abd 100644
--- a/sfcb.cfg.pre.in
+++ b/sfcb.cfg.pre.in
@@ -208,6 +208,13 @@ certificateAuthLib: sfcCertificateAuthentication
## weak ciphers.
sslCiphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
+## When set to true, disable the indicated SSL/TLS protocol. This sets
+## the corresponding openssl option SSL_OP_NO_SSLv3 or SSL_OP_NO_TLSv1.
+## See man SSL_CTX_set_options(3) for details.
+## Default is false for both
+#sslNoSSLv3: false
+#sslNoTLSv1: false
+
## Optionally configure a DH parameters file for ephemeral key generation.
## See man SSL_CTX_set_tmp_dh_callback(3) for details. The value should be
## the full path to the file. Note that ephemeral key generation will still