1 # Disable SSLv2, SSLv3 and TLSv1.0. |
1 # Disable SSLv2 and SSLv3. |
2 # Internal patch. Not a chance it will be accepted upstream. |
2 # Internal patch. Not a chance it will be accepted upstream. |
3 --- src/ne_openssl.c 2014-09-20 11:59:52.000000000 -0700 |
3 --- src/ne_openssl.c 2015-05-13 12:22:57.460825869 -0700 |
4 +++ src/ne_openssl.c 2015-04-03 13:40:17.212657899 -0700 |
4 +++ src/ne_openssl.c 2015-05-13 12:31:36.644453270 -0700 |
5 @@ -560,7 +560,7 @@ |
5 @@ -565,7 +565,7 @@ |
6 { |
|
7 ne_ssl_context *ctx = ne_calloc(sizeof *ctx); |
|
8 if (mode == NE_SSL_CTX_CLIENT) { |
|
9 - ctx->ctx = SSL_CTX_new(SSLv23_client_method()); |
|
10 + ctx->ctx = SSL_CTX_new(TLSv1_1_client_method()); |
|
11 ctx->sess = NULL; |
|
12 /* set client cert callback. */ |
6 /* set client cert callback. */ |
13 SSL_CTX_set_client_cert_cb(ctx->ctx, provide_client_cert); |
7 SSL_CTX_set_client_cert_cb(ctx->ctx, provide_client_cert); |
14 @@ -568,7 +568,7 @@ |
8 /* enable workarounds for buggy SSL server implementations */ |
15 SSL_CTX_set_options(ctx->ctx, SSL_OP_ALL); |
9 - SSL_CTX_set_options(ctx->ctx, SSL_OP_ALL); |
|
10 + SSL_CTX_set_options(ctx->ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3); |
16 SSL_CTX_set_verify(ctx->ctx, SSL_VERIFY_PEER, verify_callback); |
11 SSL_CTX_set_verify(ctx->ctx, SSL_VERIFY_PEER, verify_callback); |
17 } else if (mode == NE_SSL_CTX_SERVER) { |
12 } else if (mode == NE_SSL_CTX_SERVER) { |
18 - ctx->ctx = SSL_CTX_new(SSLv23_server_method()); |
13 ctx->ctx = SSL_CTX_new(SSLv23_server_method()); |
19 + ctx->ctx = SSL_CTX_new(TLSv1_1_server_method()); |
14 @@ -573,7 +573,8 @@ |
20 SSL_CTX_set_session_cache_mode(ctx->ctx, SSL_SESS_CACHE_CLIENT); |
|
21 #ifdef SSL_OP_NO_TICKET |
15 #ifdef SSL_OP_NO_TICKET |
22 /* disable ticket support since it inhibits testing of session |
16 /* disable ticket support since it inhibits testing of session |
23 @@ -590,6 +590,8 @@ |
17 * caching. */ |
|
18 - SSL_CTX_set_options(ctx->ctx, SSL_OP_NO_TICKET); |
|
19 + SSL_CTX_set_options(ctx->ctx, |
|
20 + SSL_OP_NO_TICKET|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3); |
|
21 #endif |
|
22 } else { |
|
23 #ifdef OPENSSL_NO_SSL2 |
|
24 @@ -581,6 +582,7 @@ |
|
25 return NULL; |
|
26 #else |
|
27 ctx->ctx = SSL_CTX_new(SSLv2_server_method()); |
|
28 + SSL_CTX_set_options(ctx->ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3); |
|
29 SSL_CTX_set_session_cache_mode(ctx->ctx, SSL_SESS_CACHE_CLIENT); |
|
30 #endif |
|
31 } |
|
32 @@ -590,18 +592,8 @@ |
24 void ne_ssl_context_set_flag(ne_ssl_context *ctx, int flag, int value) |
33 void ne_ssl_context_set_flag(ne_ssl_context *ctx, int flag, int value) |
25 { |
34 { |
26 long opts = SSL_CTX_get_options(ctx->ctx); |
35 long opts = SSL_CTX_get_options(ctx->ctx); |
27 + opts |= SSL_OP_NO_SSLv2; |
36 - |
|
37 - switch (flag) { |
|
38 - case NE_SSL_CTX_SSLv2: |
|
39 - if (value) { |
|
40 - /* Enable SSLv2 support; clear the "no SSLv2" flag. */ |
|
41 - opts &= ~SSL_OP_NO_SSLv2; |
|
42 - } else { |
|
43 - /* Disable it: set the flag. */ |
|
44 opts |= SSL_OP_NO_SSLv2; |
|
45 - } |
|
46 - break; |
|
47 - } |
28 + opts |= SSL_OP_NO_SSLv3; |
48 + opts |= SSL_OP_NO_SSLv3; |
29 |
49 |
30 switch (flag) { |
50 SSL_CTX_set_options(ctx->ctx, opts); |
31 case NE_SSL_CTX_SSLv2: |
51 } |