external/uhub
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add better TLS protocol negotiation for OpenSSL >1.0.1

Browse Source
This commit is contained in:
Jan Vidar Krey 2019-04-23 16:16:36 +02:00
parent 1eb00ac04a
commit bc8974b9a3
1 changed files with 26 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
src/network/openssl.c
View File

@ -129,7 +129,7 @@ static void add_io_stats(struct net_ssl_openssl* handle)
}
}
static const SSL_METHOD* get_ssl_method(const char* tls_version)
static const SSL_METHOD* get_ssl_method(const struct net_context_openssl* ctx, const char* tls_version)
{
if (!tls_version || !*tls_version)
{
@ -137,6 +137,12 @@ static const SSL_METHOD* get_ssl_method(const char* tls_version)
return 0;
}
/* Disable SSLv2 */
SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_SSLv2);
/* Disable SSLv3 */
SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_SSLv3);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (!strcmp(tls_version, "1.0"))
return TLSv1_method();
@ -148,7 +154,24 @@ static const SSL_METHOD* get_ssl_method(const char* tls_version)
LOG_ERROR("Unable to recognize tls_version.");
return 0;
#else
LOG_WARN("tls_version is obsolete, and should not be used.");
if (!strcmp(tls_version, "1.0"))
{
// Not much to do - allow TLS 1.0 and above.
}
if (!strcmp(tls_version, "1.1"))
{
// Disable anything below TLS 1.1
SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_TLSv1);
}
if (!strcmp(tls_version, "1.2"))
{
// Disable anything below TLS 1.2
SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_TLSv1);
SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_TLSv1_1);
}
return TLS_method();
#endif
}
@ -185,7 +208,7 @@ static int alpn_server_select_protocol(SSL *ssl, const unsigned char **out, unsi
struct ssl_context_handle* net_ssl_context_create(const char* tls_version, const char* tls_ciphersuite)
{
struct net_context_openssl* ctx = (struct net_context_openssl*) hub_malloc_zero(sizeof(struct net_context_openssl));
const SSL_METHOD* ssl_method = get_ssl_method(tls_version);
const SSL_METHOD* ssl_method = get_ssl_method(ctx, tls_version);
if (!ssl_method)
{
@ -195,14 +218,6 @@ struct ssl_context_handle* net_ssl_context_create(const char* tls_version, const
ctx->ssl = SSL_CTX_new(ssl_method);
/* Disable SSLv2 */
SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_SSLv2);
// #ifdef SSL_OP_NO_SSLv3
/* Disable SSLv3 */
SSL_CTX_set_options(ctx->ssl, SSL_OP_NO_SSLv3);
// #endif
// FIXME: Why did we need this again?
SSL_CTX_set_quiet_shutdown(ctx->ssl, 1);