author | Rich Burridge <rich.burridge@oracle.com> |
Fri, 14 Nov 2014 05:49:51 -0800 | |
branch | s11-update |
changeset 3467 | de2c1a2b2040 |
permissions | -rw-r--r-- |
20010069 curl should disable SSLv3 by default
Rich Burridge <rich.burridge@oracle.com>
1 |
Remove SSLv3 from SSL default due to the POODLE attack. |
2 |
|
3 |
Based on the following curl changeset: |
4 |
|
5 |
commit ec783dc142129d3860e542b443caaa78a6172d56 |
6 |
Author: Jay Satiro <[email protected]> |
7 |
Date: Fri Oct 24 13:41:56 2014 +0200 |
8 |
|
9 |
- Remove SSLv3 from the SSL default effectively making the default TLS 1.x. |
10 |
- Update curl_easy_setopt doc. |
11 |
|
12 |
--- ./docs/libcurl/curl_easy_setopt.3.orig 2014-11-11 12:03:20.659217117 -0800 |
13 |
+++ ./docs/libcurl/curl_easy_setopt.3 2014-11-11 12:06:57.274210401 -0800 |
14 |
@@ -1819,8 +1819,7 @@ |
15 |
.RS |
16 |
.IP CURL_SSLVERSION_DEFAULT |
17 |
The default action. This will attempt to figure out the remote SSL protocol |
18 |
-version, i.e. either SSLv3 or TLSv1 (but not SSLv2, which became disabled |
19 |
-by default with 7.18.1). |
20 |
+version. SSLv2 and SSLv3 are disabled by default. |
21 |
.IP CURL_SSLVERSION_TLSv1 |
22 |
Force TLSv1 |
23 |
.IP CURL_SSLVERSION_SSLv2 |
24 |
--- ./lib/nss.c.orig 2014-11-11 12:08:37.152918397 -0800 |
25 |
+++ ./lib/nss.c 2014-11-11 12:11:02.819141917 -0800 |
26 |
@@ -1177,12 +1177,6 @@ |
27 |
switch (data->set.ssl.version) { |
28 |
default: |
29 |
case CURL_SSLVERSION_DEFAULT: |
30 |
- ssl3 = PR_TRUE; |
31 |
- if (data->state.ssl_connect_retry) |
32 |
- infof(data, "TLS disabled due to previous handshake failure\n"); |
33 |
- else |
34 |
- tlsv1 = PR_TRUE; |
35 |
- break; |
36 |
case CURL_SSLVERSION_TLSv1: |
37 |
tlsv1 = PR_TRUE; |
38 |
break; |
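Review bot: After the removed lines, `case CURL_SSLVERSION_DEFAULT:` falls straight into `case CURL_SSLVERSION_TLSv1:` with nothing in the hunk marking that as intentional; add `/* FALLTHROUGH: the default is now TLS-only */` between the two labels so the empty case is not read as an accidental omission. The removed branch was also the only reader of `data->state.ssl_connect_retry` in this hunk; if the code that sets that flag on handshake failure is still present elsewhere in nss.c, the retry now repeats an identical TLS-only attempt and that logic is presumably dead. `ssl3` is no longer assigned in the default case, so it is worth confirming it is initialised to PR_FALSE before the switch, which starts outside the hunk. The enclosing function starts and ends outside the hunk.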
39 |
--- ./lib/qssl.c.orig 2014-11-11 12:08:44.037832982 -0800 |
40 |
+++ ./lib/qssl.c 2014-11-11 12:12:10.802950719 -0800 |
41 |
@@ -192,9 +192,6 @@ |
42 |
|
43 |
default: |
44 |
case CURL_SSLVERSION_DEFAULT: |
45 |
- h->protocol = SSL_VERSION_CURRENT; /* TLSV1 compat. SSLV[23]. */ |
46 |
- break; |
47 |
- |
48 |
case CURL_SSLVERSION_TLSv1: |
49 |
h->protocol = TLS_VERSION_1; |
50 |
break; |
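Review bot: The default case now resolves to `h->protocol = TLS_VERSION_1;`, a single fixed protocol version, where the removed `SSL_VERSION_CURRENT` line selected a negotiated one; the same pattern appears in the first ./lib/ssluse.c hunk, where `CURL_SSLVERSION_DEFAULT` now reaches `TLSv1_client_method()`, which in OpenSSL negotiates TLS 1.0 only. That is narrower than the commit message's "effectively making the default TLS 1.x": a server that requires TLS 1.1 or later is no longer reachable with the default setting, while the explicit CURL_SSLVERSION_TLSv1 case behaves as before. For ssluse.c the alternative is to keep the version-negotiating method in the default case, `req_method = SSLv23_client_method(); use_sni(TRUE); break;`, and let the `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` options set in the second ssluse.c hunk do the exclusion, so TLS 1.1/1.2 remain negotiable where the linked OpenSSL supports them; whether the qssl API offers an equivalent version-range option cannot be told from this hunk. The enclosing switch statement starts outside the hunk.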
51 |
--- ./lib/ssluse.c.orig 2014-11-11 12:08:52.156569428 -0800 |
52 |
+++ ./lib/ssluse.c 2014-11-11 12:21:38.593664424 -0800 |
53 |
@@ -1448,10 +1448,6 @@ |
54 |
switch(data->set.ssl.version) { |
55 |
default: |
56 |
case CURL_SSLVERSION_DEFAULT: |
57 |
- /* we try to figure out version */ |
58 |
- req_method = SSLv23_client_method(); |
59 |
- use_sni(TRUE); |
60 |
- break; |
61 |
case CURL_SSLVERSION_TLSv1: |
62 |
req_method = TLSv1_client_method(); |
63 |
use_sni(TRUE); |
64 |
@@ -1531,9 +1527,9 @@ |
65 |
|
66 |
SSL_CTX_set_options(connssl->ctx, ctx_options); |
67 |
|
68 |
- /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */ |
69 |
+ /* disable SSLv2 and SSLv3 in the default case (i.e. allow TLSv1) */ |
70 |
if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT) |
71 |
- SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2); |
72 |
+ SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); |
73 |
|
74 |
#if 0 |
75 |
/* |
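Review bot: The guarded `SSL_CTX_set_options(connssl->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` only does useful work on a context whose method can still negotiate SSLv2/SSLv3; with the earlier @@ -1448 hunk routing `CURL_SSLVERSION_DEFAULT` to `TLSv1_client_method()`, the default context is already TLS 1.0-only and this call is a no-op, so the two hunks pull in different directions. Either the version-negotiating `SSLv23_client_method()` stays the default method, making this line the effective SSLv3 exclusion, or the updated comment `/* disable SSLv2 and SSLv3 in the default case (i.e. allow TLSv1) */` should say that the exclusion is belt-and-braces, since as written a reader will assume this line is what removes SSLv3. If the negotiating method is restored, `SSL_CTX_set_options` accumulates flags, so this call is safe to keep alongside the earlier `SSL_CTX_set_options(connssl->ctx, ctx_options);` call. The enclosing function continues past the hunk.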