From: Jonathan G. <jon...@oi...> - 2006-01-31 17:30:44

I've made a small change to miniserv.pl to force SSLv3/TLSv1 in the HTTPS server. I'm not a developer, so don't know the correct way to share this information with you, so I'll just post the code change in this email. Hopefully someone from webmin will incorporate this simple change to kill off those older ciphers, or at least make it an option somewhere.

Original:

#!/usr/bin/perl
# A very simple perl web server used by Webmin

# Require basic libraries
package miniserv;
use Socket;
use POSIX;

# Find and read config file
if (@ARGV != 1) {
    die "Usage: miniserv.pl <config file>";
    }
if ($ARGV[0] =~ /^([a-z]:)?\//i) {
    $config_file = $ARGV[0];
    }
else {
    chop($pwd = `pwd`);
    $config_file = "$pwd/$ARGV[0]";
    }
%config = &read_config_file($config_file);

# Check if SSL is enabled and available
if ($config{'ssl'}) {
    eval "use Net::SSLeay";
    if (!$@) {
        $use_ssl = 1;
        # These functions only exist for SSLeay 1.0
        eval "Net::SSLeay::SSLeay_add_ssl_algorithms()";
        eval "Net::SSLeay::load_error_strings()";
        if (defined(&Net::SSLeay::X509_STORE_CTX_get_current_cert) &&
            defined(&Net::SSLeay::CTX_load_verify_locations) &&
            defined(&Net::SSLeay::CTX_set_verify)) {
            $client_certs = 1;
            }
        }

CHANGED

#!/usr/bin/perl
# A very simple perl web server used by Webmin

# Require basic libraries
package miniserv;
use Socket;
use POSIX;

# Find and read config file
if (@ARGV != 1) {
    die "Usage: miniserv.pl <config file>";
    }
if ($ARGV[0] =~ /^([a-z]:)?\//i) {
    $config_file = $ARGV[0];
    }
else {
    chop($pwd = `pwd`);
    $config_file = "$pwd/$ARGV[0]";
    }
%config = &read_config_file($config_file);

# Check if SSL is enabled and available
if ($config{'ssl'}) {
    eval "use Net::SSLeay";
    if (!$@) {
        $use_ssl = 1;
        # These functions only exist for SSLeay 1.0
        eval "Net::SSLeay::SSLeay_add_ssl_algorithms()";
        eval "Net::SSLeay::load_error_strings()";
        eval "Net::SSLeay::CTX_set_options( $ctx,&Net::SSLeay::OP_NO_SSLv2 )";
        if (defined(&Net::SSLeay::X509_STORE_CTX_get_current_cert) &&
            defined(&Net::SSLeay::CTX_load_verify_locations) &&
            defined(&Net::SSLeay::CTX_set_verify)) {
            $client_certs = 1;
            }
        }

--
Jonathan Glass, RHCE, Security+, Linux+, Network+
Information Security Engineer III
Office of Information Technology - Information Security
Georgia Institute of Technology
258 4th St NW, Atlanta, Georgia 30332-0700
Office: 404-385-6900
Fax: 404-385-2331
PGP Key ID: 0xAB50FF20
Fingerprint: 3CD2 1BC6 4485 720B AB45 FF3E 8B3B D6F5 AB50 FF20
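The following is an added example for readers of this thread; it is not code from the post above nor from Webmin's miniserv.pl. It shows the same SSLv2-disabling option applied with Net::SSLeay in the order that makes it take effect: the server context has to exist before CTX_set_options can be called on it, and in the excerpt posted above no $ctx has been assigned at the point where the eval line runs, so with a double-quoted eval string the empty variable is interpolated into the string before it is compiled and the failure is swallowed by eval. The names $ssl_ctx, $cert_file and $key_file, and the certificate paths, are placeholders chosen for this example, not identifiers from miniserv.pl.

```perl
#!/usr/bin/perl
# Added example: disable SSLv2 on a Net::SSLeay server context and read the
# option back to confirm it is set. Not code from the thread or from Webmin.
use strict;
use warnings;
use Net::SSLeay;

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();

# Set OP_NO_SSLv2 on an already-created context and verify it through
# CTX_get_options. Returns 1 when SSLv2 is off, 0 otherwise.
sub disable_sslv2 {
    my ($ctx) = @_;
    my $no_v2 = Net::SSLeay::OP_NO_SSLv2();

    # OpenSSL builds without any SSLv2 code (1.1.0 onward) define this
    # constant as 0: there is nothing left to disable, so report success.
    return 1 if $no_v2 == 0;

    # Pass the context handle directly instead of building the call inside
    # an eval string, so an unset variable cannot silently turn the call
    # into a syntax error that eval hides.
    Net::SSLeay::CTX_set_options($ctx, $no_v2);
    my $opts = Net::SSLeay::CTX_get_options($ctx);
    return ($opts & $no_v2) ? 1 : 0;
}

# Placeholder paths for this example only.
my $cert_file = '/path/to/server-cert.pem';
my $key_file  = '/path/to/server-key.pem';

# The context must exist before any option can be applied to it.
my $ssl_ctx = Net::SSLeay::CTX_new()
    or die "CTX_new failed: "
         . Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error());

disable_sslv2($ssl_ctx)
    or die "OP_NO_SSLv2 did not take effect on the context";

# Load the server credentials as a normal HTTPS listener would.
Net::SSLeay::CTX_use_certificate_file($ssl_ctx, $cert_file,
                                      Net::SSLeay::FILETYPE_PEM())
    or die "could not load certificate $cert_file";
Net::SSLeay::CTX_use_PrivateKey_file($ssl_ctx, $key_file,
                                     Net::SSLeay::FILETYPE_PEM())
    or die "could not load private key $key_file";

print "Context ready: SSLv2 disabled, SSLv3/TLSv1 still offered\n";
Net::SSLeay::CTX_free($ssl_ctx);
```

The read-back through CTX_get_options is the check worth keeping in a real server: it turns a silent no-op into a startup failure, which is what you want for a setting whose whole purpose is to stop weak protocol versions from being negotiated.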
From: Jamie C. <jca...@we...> - 2006-01-31 22:38:12

Hi Jonathan,

Was the change you made just adding the line :

eval "Net::SSLeay::CTX_set_options( $ctx,&Net::SSLeay::OP_NO_SSLv2 )";

Probably the best way to submit changes like this is via a diff between the old and new versions .. that way I (and the patch program) can see exactly what has changed.

 - Jamie

On Wed, 2006-02-01 at 04:29, Jonathan Glass wrote:
> I've made a small change to miniserv.pl to force SSLv3/TLSv1 in the
> HTTPS server. I'm not a developer, so don't know the correct way to
> share this information with you, so I'll just post the code change in
> this email. Hopefully someone from webmin will incorporate this simple
> change to kill off those older ciphers, or at least make it an option
> somewhere.
>
> Original:
> #!/usr/bin/perl
> # A very simple perl web server used by Webmin
>
> # Require basic libraries
> package miniserv;
> use Socket;
> use POSIX;
>
> # Find and read config file
> if (@ARGV != 1) {
>     die "Usage: miniserv.pl <config file>";
>     }
> if ($ARGV[0] =~ /^([a-z]:)?\//i) {
>     $config_file = $ARGV[0];
>     }
> else {
>     chop($pwd = `pwd`);
>     $config_file = "$pwd/$ARGV[0]";
>     }
> %config = &read_config_file($config_file);
>
> # Check if SSL is enabled and available
> if ($config{'ssl'}) {
>     eval "use Net::SSLeay";
>     if (!$@) {
>         $use_ssl = 1;
>         # These functions only exist for SSLeay 1.0
>         eval "Net::SSLeay::SSLeay_add_ssl_algorithms()";
>         eval "Net::SSLeay::load_error_strings()";
>         if (defined(&Net::SSLeay::X509_STORE_CTX_get_current_cert) &&
>             defined(&Net::SSLeay::CTX_load_verify_locations) &&
>             defined(&Net::SSLeay::CTX_set_verify)) {
>             $client_certs = 1;
>             }
>         }
>
>
> CHANGED
> #!/usr/bin/perl
> # A very simple perl web server used by Webmin
>
> # Require basic libraries
> package miniserv;
> use Socket;
> use POSIX;
>
> # Find and read config file
> if (@ARGV != 1) {
>     die "Usage: miniserv.pl <config file>";
>     }
> if ($ARGV[0] =~ /^([a-z]:)?\//i) {
>     $config_file = $ARGV[0];
>     }
> else {
>     chop($pwd = `pwd`);
>     $config_file = "$pwd/$ARGV[0]";
>     }
> %config = &read_config_file($config_file);
>
> # Check if SSL is enabled and available
> if ($config{'ssl'}) {
>     eval "use Net::SSLeay";
>     if (!$@) {
>         $use_ssl = 1;
>         # These functions only exist for SSLeay 1.0
>         eval "Net::SSLeay::SSLeay_add_ssl_algorithms()";
>         eval "Net::SSLeay::load_error_strings()";
>         eval "Net::SSLeay::CTX_set_options( $ctx,&Net::SSLeay::OP_NO_SSLv2 )";
>         if (defined(&Net::SSLeay::X509_STORE_CTX_get_current_cert) &&
>             defined(&Net::SSLeay::CTX_load_verify_locations) &&
>             defined(&Net::SSLeay::CTX_set_verify)) {
>             $client_certs = 1;
>             }
>         }
From: Jonathan G. <jon...@oi...> - 2006-01-31 23:17:51

Attachments: miniserv.pl.diff

Jamie Cameron wrote:
> Hi Jonathan,
>
> Was the change you made just adding the line :
>
> eval "Net::SSLeay::CTX_set_options( $ctx,&Net::SSLeay::OP_NO_SSLv2 )";
>
> Probably the best way to submit changes like this is via a diff between
> the old and new versions .. that way I (and the patch program) can see
> exactly what has changed.
>
>  - Jamie
>

That's all I did, working on version 1.260. Diff report attached.

Thanks
Jonathan
From: Jamie C. <jca...@we...> - 2006-02-01 00:41:27

On Wed, 2006-02-01 at 10:17, Jonathan Glass wrote:
> Jamie Cameron wrote:
>
> > Hi Jonathan,
> >
> > Was the change you made just adding the line :
> >
> > eval "Net::SSLeay::CTX_set_options( $ctx,&Net::SSLeay::OP_NO_SSLv2 )";
> >
> > Probably the best way to submit changes like this is via a diff between
> > the old and new versions .. that way I (and the patch program) can see
> > exactly what has changed.
> >
> >  - Jamie
> >
>
> That's all I did, working on version 1.260. Diff report attached.

Thanks .. I will add an option in the next Webmin release to enable that (and thus block SSL v2).

 - Jamie