Fix OpenSSL error, wrong initialization order.

This commit is contained in:
Jan Vidar Krey 2019-04-24 10:32:01 +02:00
parent bc8974b9a3
commit 076e75897b

View File

@ -129,51 +129,49 @@ static void add_io_stats(struct net_ssl_openssl* handle)
} }
} }
static const SSL_METHOD* get_ssl_method(const struct net_context_openssl* ctx, const char* tls_version) static const SSL_METHOD* get_ssl_method(const char* tls_version, long* flags)
{ {
if (!flags)
{
LOG_ERROR("flags is null");
return 0;
}
if (!tls_version || !*tls_version) if (!tls_version || !*tls_version)
{ {
LOG_ERROR("tls_version is not set."); LOG_ERROR("tls_version is not set.");
return 0; return 0;
} }
/* Disable SSLv2 */ *flags = 0;
SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_SSLv2); *flags |= SSL_OP_NO_SSLv2;
*flags |= SSL_OP_NO_SSLv3;
/* Disable SSLv3 */
SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_SSLv3);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (!strcmp(tls_version, "1.0")) if (!strcmp(tls_version, "1.0"))
return TLSv1_method(); {
if (!strcmp(tls_version, "1.1")) // not much to do.
return TLSv1_1_method(); }
if (!strcmp(tls_version, "1.2")) else if (!strcmp(tls_version, "1.1"))
return TLSv1_2_method(); {
*flags |= SSL_OP_NO_TLSv1;
LOG_ERROR("Unable to recognize tls_version."); }
else if (!strcmp(tls_version, "1.2"))
{
*flags |= SSL_OP_NO_TLSv1;
*flags |= SSL_OP_NO_TLSv1_1;
}
else if (!strcmp(tls_version, "1.3"))
{
*flags |= SSL_OP_NO_TLSv1;
*flags |= SSL_OP_NO_TLSv1_1;
*flags |= SSL_OP_NO_TLSv1_2;
}
else
{
LOG_ERROR("Unable to recognize tls_version: %s", tls_version);
return 0; return 0;
#else
if (!strcmp(tls_version, "1.0"))
{
// Not much to do - allow TLS 1.0 and above.
} }
if (!strcmp(tls_version, "1.1"))
{
// Disable anything below TLS 1.1
SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_TLSv1);
}
if (!strcmp(tls_version, "1.2"))
{
// Disable anything below TLS 1.2
SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_TLSv1);
SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_TLSv1_1);
}
return TLS_method(); return TLS_method();
#endif
} }
/** /**
@ -208,7 +206,8 @@ static int alpn_server_select_protocol(SSL *ssl, const unsigned char **out, unsi
struct ssl_context_handle* net_ssl_context_create(const char* tls_version, const char* tls_ciphersuite) struct ssl_context_handle* net_ssl_context_create(const char* tls_version, const char* tls_ciphersuite)
{ {
struct net_context_openssl* ctx = (struct net_context_openssl*) hub_malloc_zero(sizeof(struct net_context_openssl)); struct net_context_openssl* ctx = (struct net_context_openssl*) hub_malloc_zero(sizeof(struct net_context_openssl));
const SSL_METHOD* ssl_method = get_ssl_method(ctx, tls_version); long flags = 0;
const SSL_METHOD* ssl_method = get_ssl_method(tls_version, &flags);
if (!ssl_method) if (!ssl_method)
{ {
@ -224,9 +223,12 @@ struct ssl_context_handle* net_ssl_context_create(const char* tls_version, const
#ifdef SSL_OP_NO_COMPRESSION #ifdef SSL_OP_NO_COMPRESSION
/* Disable compression */ /* Disable compression */
LOG_TRACE("Disabling SSL compression."); /* "CRIME" attack */ LOG_TRACE("Disabling SSL compression."); /* "CRIME" attack */
SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_COMPRESSION); flags |= SSL_OP_NO_COMPRESSION;
#endif #endif
// Set flags
SSL_CTX_set_options(ctx->ssl, flags);
/* Set preferred cipher suite */ /* Set preferred cipher suite */
if (SSL_CTX_set_cipher_list(ctx->ssl, tls_ciphersuite) != 1) if (SSL_CTX_set_cipher_list(ctx->ssl, tls_ciphersuite) != 1)
{ {
@ -352,6 +354,8 @@ ssize_t net_con_ssl_connect(struct net_connection* con)
} }
ret = handle_openssl_error(con, ret, tls_st_connecting); ret = handle_openssl_error(con, ret, tls_st_connecting);
if (ret != 0)
LOG_ERROR("net_con_ssl_connect: ret=%d", ret); LOG_ERROR("net_con_ssl_connect: ret=%d", ret);
return ret; return ret;
} }