author | Norm Jacobs <Norm.Jacobs@Oracle.COM> |
Sun, 03 Apr 2016 22:57:07 -0700 | |
changeset 5787 | c0615d62b41a |
parent 4289 | a8f2d3273985 |
permissions | -rw-r--r-- |
1 |
# Disable SSLv2 and SSLv3. |
2 |
# Internal patch. Not a chance it will be accepted upstream. |
3 |
--- src/ne_openssl.c 2015-05-13 12:22:57.460825869 -0700 |
4 |
+++ src/ne_openssl.c 2015-05-13 12:31:36.644453270 -0700 |
5 |
@@ -565,7 +565,7 @@ |
6 |
/* set client cert callback. */ |
7 |
SSL_CTX_set_client_cert_cb(ctx->ctx, provide_client_cert); |
8 |
/* enable workarounds for buggy SSL server implementations */ |
9 |
- SSL_CTX_set_options(ctx->ctx, SSL_OP_ALL); |
10 |
+ SSL_CTX_set_options(ctx->ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3); |
11 |
SSL_CTX_set_verify(ctx->ctx, SSL_VERIFY_PEER, verify_callback); |
12 |
} else if (mode == NE_SSL_CTX_SERVER) { |
13 |
ctx->ctx = SSL_CTX_new(SSLv23_server_method()); |
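Review bot: The replacement call on patch line 10 drops SSL_OP_ALL entirely, so the comment directly above it ("enable workarounds for buggy SSL server implementations") no longer describes what the line does, and the patch header only announces disabling SSLv2/SSLv3. Dropping the legacy workarounds is a defensible hardening, but it is an unannounced behaviour change: either update that comment to say the workarounds are deliberately off, or keep them alongside the protocol restriction with `SSL_CTX_set_options(ctx->ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);`. Whichever is chosen deserves a sentence in the patch header. The enclosing function starts before this hunk.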
14 |
@@ -573,7 +573,8 @@ |
15 |
#ifdef SSL_OP_NO_TICKET |
16 |
/* disable ticket support since it inhibits testing of session |
17 |
* caching. */ |
18 |
- SSL_CTX_set_options(ctx->ctx, SSL_OP_NO_TICKET); |
19 |
+ SSL_CTX_set_options(ctx->ctx, |
20 |
+ SSL_OP_NO_TICKET|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3); |
21 |
#endif |
22 |
} else { |
23 |
#ifdef OPENSSL_NO_SSL2 |
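Review bot: In the server branch the SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 bits are added only inside the `#ifdef SSL_OP_NO_TICKET` block (patch lines 19–20), so on a build where that macro is not defined the context created from SSLv23_server_method() is left with SSLv3 still negotiable. The protocol restriction should not hang off an unrelated feature macro: set it unconditionally right after SSL_CTX_new(), e.g. `SSL_CTX_set_options(ctx->ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);` placed before the `#ifdef`, and leave the ticket call as it was. Whether any OpenSSL build this package targets actually lacks SSL_OP_NO_TICKET I cannot tell from the patch, but the coupling is fragile either way. The enclosing function starts before this hunk and continues after it.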
24 |
@@ -581,6 +582,7 @@ |
25 |
return NULL; |
26 |
#else |
27 |
ctx->ctx = SSL_CTX_new(SSLv2_server_method()); |
28 |
+ SSL_CTX_set_options(ctx->ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3); |
29 |
SSL_CTX_set_session_cache_mode(ctx->ctx, SSL_SESS_CACHE_CLIENT); |
30 |
#endif |
31 |
} |
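Review bot: The added patch line 28 sets SSL_OP_NO_SSLv2 on a context that was just created with SSLv2_server_method(), which only speaks SSLv2, so the result is a context that can negotiate no protocol at all yet is still handed back to the caller as if usable; the failure only surfaces later at handshake time. If this legacy mode is no longer supported, fail it the way the `#ifdef OPENSSL_NO_SSL2` branch above appears to, with `return NULL;`, instead of returning a dead context. The enclosing function starts before this hunk and continues past it.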
32 |
@@ -590,18 +592,8 @@ |
33 |
void ne_ssl_context_set_flag(ne_ssl_context *ctx, int flag, int value) |
34 |
{ |
35 |
long opts = SSL_CTX_get_options(ctx->ctx); |
36 |
- |
37 |
- switch (flag) { |
38 |
- case NE_SSL_CTX_SSLv2: |
39 |
- if (value) { |
40 |
- /* Enable SSLv2 support; clear the "no SSLv2" flag. */ |
41 |
- opts &= ~SSL_OP_NO_SSLv2; |
42 |
- } else { |
43 |
- /* Disable it: set the flag. */ |
44 |
opts |= SSL_OP_NO_SSLv2; |
45 |
- } |
46 |
- break; |
47 |
- } |
48 |
+ opts |= SSL_OP_NO_SSLv3; |
49 |
|
50 |
SSL_CTX_set_options(ctx->ctx, opts); |
51 |
} |
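Review bot: With the switch removed, ne_ssl_context_set_flag ignores both `flag` and `value` and unconditionally sets SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3, so a caller asking to enable SSLv2 (or passing any other flag) gets no error and no effect while the public signature still promises a per-flag toggle. Since refusing to re-enable SSLv2/SSLv3 is the point of the patch, make that explicit rather than silent: add a comment such as `/* SSLv2 and SSLv3 are always disabled; flag and value are intentionally ignored. */` above the option writes, and mark the parameters with `(void)flag; (void)value;` so -Wunused-parameter does not complain. Patch line 44 (`opts |= SSL_OP_NO_SSLv2;`) is now unconditional context rather than the body of the removed else branch, which is presumably intended but worth a glance. The function lies entirely within this hunk.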