external
/
uhub
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add better TLS protocol negotiation for OpenSSL >1.0.1

This commit is contained in:
Jan Vidar Krey 2019-04-23 16:16:36 +02:00
parent 1eb00ac04a
commit bc8974b9a3
1 changed files with 26 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
src/network/openssl.c
View File

@ -129,7 +129,7 @@ static void add_io_stats(struct net_ssl_openssl* handle)
} }
} }
static const SSL_METHOD* get_ssl_method(const char* tls_version) static const SSL_METHOD* get_ssl_method(const struct net_context_openssl* ctx, const char* tls_version)
{ {
if (!tls_version || !*tls_version) if (!tls_version || !*tls_version)
{ {
@ -137,6 +137,12 @@ static const SSL_METHOD* get_ssl_method(const char* tls_version)
return 0; return 0;
} }
/* Disable SSLv2 */
SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_SSLv2);
/* Disable SSLv3 */
SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_SSLv3);
#if OPENSSL_VERSION_NUMBER < 0x10100000L #if OPENSSL_VERSION_NUMBER < 0x10100000L
if (!strcmp(tls_version, "1.0")) if (!strcmp(tls_version, "1.0"))
return TLSv1_method(); return TLSv1_method();
@ -148,7 +154,24 @@ static const SSL_METHOD* get_ssl_method(const char* tls_version)
LOG_ERROR("Unable to recognize tls_version."); LOG_ERROR("Unable to recognize tls_version.");
return 0; return 0;
#else #else
LOG_WARN("tls_version is obsolete, and should not be used."); if (!strcmp(tls_version, "1.0"))
{
// Not much to do - allow TLS 1.0 and above.
}
if (!strcmp(tls_version, "1.1"))
{
// Disable anything below TLS 1.1
SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_TLSv1);
}
if (!strcmp(tls_version, "1.2"))
{
// Disable anything below TLS 1.2
SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_TLSv1);
SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_TLSv1_1);
}
return TLS_method(); return TLS_method();
#endif #endif
} }
@ -185,7 +208,7 @@ static int alpn_server_select_protocol(SSL *ssl, const unsigned char **out, unsi
struct ssl_context_handle* net_ssl_context_create(const char* tls_version, const char* tls_ciphersuite) struct ssl_context_handle* net_ssl_context_create(const char* tls_version, const char* tls_ciphersuite)
{ {
struct net_context_openssl* ctx = (struct net_context_openssl*) hub_malloc_zero(sizeof(struct net_context_openssl)); struct net_context_openssl* ctx = (struct net_context_openssl*) hub_malloc_zero(sizeof(struct net_context_openssl));
const SSL_METHOD* ssl_method = get_ssl_method(tls_version); const SSL_METHOD* ssl_method = get_ssl_method(ctx, tls_version);
if (!ssl_method) if (!ssl_method)
{ {
@ -195,14 +218,6 @@ struct ssl_context_handle* net_ssl_context_create(const char* tls_version, const
ctx->ssl = SSL_CTX_new(ssl_method); ctx->ssl = SSL_CTX_new(ssl_method);
/* Disable SSLv2 */
SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_SSLv2);
// #ifdef SSL_OP_NO_SSLv3
/* Disable SSLv3 */
SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_SSLv3);
// #endif
// FIXME: Why did we need this again? // FIXME: Why did we need this again?
SSL_CTX_set_quiet_shutdown(ctx->ssl, 1); SSL_CTX_set_quiet_shutdown(ctx->ssl, 1);