Patch for T6342

Summary: Deprecate SSLv3.

Reviewers: zmike, raster, devilhorns

Reviewed By: zmike

Subscribers: cedric, #committers

Tags: #efl

Differential Revision: https://phab.enlightenment.org/D6334
This commit is contained in:
Alastair Poole 2018-06-20 14:11:52 +01:00
parent a8532e4ed6
commit d1cbd161bd
8 changed files with 15 additions and 38 deletions


@ -467,7 +467,6 @@ static const char * protocols[] = {
static const char *ciphers_strs[] = {
"auto",
"sslv3",
"tlsv1",
"tlsv1.1",
"tlsv1.2",
@ -702,8 +701,6 @@ efl_main(void *data EINA_UNUSED,
{
if (strcmp(cipher_choice, "auto") == 0)
cipher = EFL_NET_SSL_CIPHER_AUTO;
else if (strcmp(cipher_choice, "sslv3") == 0)
cipher = EFL_NET_SSL_CIPHER_SSLV3;
else if (strcmp(cipher_choice, "tlsv1") == 0)
cipher = EFL_NET_SSL_CIPHER_TLSV1;
else if (strcmp(cipher_choice, "tlsv1.1") == 0)


@ -271,7 +271,6 @@ static const char * protocols[] = {
static const char *ciphers_strs[] = {
"auto",
"sslv3",
"tlsv1",
"tlsv1.1",
"tlsv1.2",
@ -510,8 +509,6 @@ efl_main(void *data EINA_UNUSED,
{
if (strcmp(cipher_choice, "auto") == 0)
cipher = EFL_NET_SSL_CIPHER_AUTO;
else if (strcmp(cipher_choice, "sslv3") == 0)
cipher = EFL_NET_SSL_CIPHER_SSLV3;
else if (strcmp(cipher_choice, "tlsv1") == 0)
cipher = EFL_NET_SSL_CIPHER_TLSV1;
else if (strcmp(cipher_choice, "tlsv1.1") == 0)


@ -231,7 +231,6 @@ static const char *verify_mode_strs[] = {
static const char *ciphers_strs[] = {
"auto",
"sslv3",
"tlsv1",
"tlsv1.1",
"tlsv1.2",
@ -416,8 +415,6 @@ efl_main(void *data EINA_UNUSED,
{
if (strcmp(cipher_choice, "auto") == 0)
cipher = EFL_NET_SSL_CIPHER_AUTO;
else if (strcmp(cipher_choice, "sslv3") == 0)
cipher = EFL_NET_SSL_CIPHER_SSLV3;
else if (strcmp(cipher_choice, "tlsv1") == 0)
cipher = EFL_NET_SSL_CIPHER_TLSV1;
else if (strcmp(cipher_choice, "tlsv1.1") == 0)


@ -157,7 +157,6 @@ EFL_CALLBACKS_ARRAY_DEFINE(server_cbs,
static const char *ciphers_strs[] = {
"auto",
"sslv3",
"tlsv1",
"tlsv1.1",
"tlsv1.2",
@ -291,8 +290,6 @@ efl_main(void *data EINA_UNUSED,
{
if (strcmp(cipher_choice, "auto") == 0)
cipher = EFL_NET_SSL_CIPHER_AUTO;
else if (strcmp(cipher_choice, "sslv3") == 0)
cipher = EFL_NET_SSL_CIPHER_SSLV3;
else if (strcmp(cipher_choice, "tlsv1") == 0)
cipher = EFL_NET_SSL_CIPHER_TLSV1;
else if (strcmp(cipher_choice, "tlsv1.1") == 0)


@ -1609,7 +1609,10 @@ _ecore_con_server_ssl_ctx_create(const Ecore_Con_Server *svr)
else if (ssl_type & ECORE_CON_USE_TLS)
cipher = EFL_NET_SSL_CIPHER_TLSV1;
else if (ssl_type & ECORE_CON_USE_SSL3)
cipher = EFL_NET_SSL_CIPHER_SSLV3;
{
ERR("SSLv3 is unsupported!");
return NULL;
}
else if (ssl_type & ECORE_CON_USE_SSL2)
{
ERR("SSLv2 is unsupported!");
@ -1986,7 +1989,10 @@ _ecore_con_server_dialer_ssl_job(void *data, const Eina_Value v,
else if (ssl_type & ECORE_CON_USE_TLS)
cipher = EFL_NET_SSL_CIPHER_TLSV1;
else if (ssl_type & ECORE_CON_USE_SSL3)
cipher = EFL_NET_SSL_CIPHER_SSLV3;
{
ERR("SSLv3 is unsupported!");
goto error_ssl_ctx;
}
else if (ssl_type & ECORE_CON_USE_SSL2)
{
ERR("SSLv2 is unsupported!");
@ -2078,7 +2084,10 @@ _ecore_con_server_dialer_ssl_upgrade_job(void *data, const Eina_Value v,
else if (ssl_type & ECORE_CON_USE_TLS)
cipher = EFL_NET_SSL_CIPHER_TLSV1;
else if (ssl_type & ECORE_CON_USE_SSL3)
cipher = EFL_NET_SSL_CIPHER_SSLV3;
{
ERR("SSLv3 is unsupported!");
goto error_ssl_ctx;
}
else if (ssl_type & ECORE_CON_USE_SSL2)
{
ERR("SSLv2 is unsupported!");
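Review bot: ECORE_CON_USE_SSL3 now fails at runtime in all three context-creation paths (`return NULL` in _ecore_con_server_ssl_ctx_create, `goto error_ssl_ctx` in the two dialer jobs), but nothing in the commit tells API users that, so an application still passing that flag gets a failed server or dialer with only a log line to explain it. The public enumerator should carry the change, e.g. `/**< @deprecated SSLv3 is no longer supported; a server or dialer requesting only this flag fails to create its SSL context. */`, plus a one-line NEWS entry. Note also that each function tests `ssl_type & ECORE_CON_USE_TLS` before the SSL3 check, so a caller passing both flags silently gets TLS rather than the error — probably the intended fallback, but worth saying in that same comment. All three enclosing functions start and end outside the hunks.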


@ -215,9 +215,6 @@ efl_net_ssl_ctx_setup(Efl_Net_Ssl_Ctx *ctx, Efl_Net_Ssl_Ctx_Config cfg)
case EFL_NET_SSL_CIPHER_AUTO:
priority = NULL;
break;
case EFL_NET_SSL_CIPHER_SSLV3:
priority = "NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT:!VERS-TLS1.0:!VERS-TLS1.1:!VERS-TLS1.2";
break;
case EFL_NET_SSL_CIPHER_TLSV1:
priority = "NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT:!VERS-SSL3.0!VERS-TLS1.1:!VERS-TLS1.2";
break;
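Review bot: The TLSV1 priority string that now directly follows the AUTO case, `"NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT:!VERS-SSL3.0!VERS-TLS1.1:!VERS-TLS1.2"`, is missing the ':' separator before `!VERS-TLS1.1`; GnuTLS priority keywords are colon-separated, so that fused token is most likely rejected at init or the TLS1.1 exclusion silently lost. It is a pre-existing line, but this commit is the one making the SSL3.0 exclusion mandatory, so it is the natural place to correct it: `priority = "NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT:!VERS-SSL3.0:!VERS-TLS1.1:!VERS-TLS1.2";`. The AUTO case still sets `priority = NULL`; if that defers to GnuTLS's built-in default, SSLv3 is excluded only on GnuTLS versions that disable it by default, so consider an explicit `"NORMAL:!VERS-SSL3.0"` there to make the policy independent of the installed library. efl_net_ssl_ctx_setup starts and ends outside the hunk.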


@ -263,14 +263,7 @@ efl_net_ssl_ctx_setup(Efl_Net_Ssl_Ctx *ctx, Efl_Net_Ssl_Ctx_Config cfg)
switch (cfg.cipher)
{
case EFL_NET_SSL_CIPHER_AUTO:
ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
break;
case EFL_NET_SSL_CIPHER_SSLV3:
#ifndef OPENSSL_NO_SSL3_METHOD
ctx->ssl_ctx = SSL_CTX_new(SSLv3_client_method());
#else
ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
#endif
ctx->ssl_ctx = SSL_CTX_new(TLS_client_method());
break;
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
case EFL_NET_SSL_CIPHER_TLSV1:
@ -301,14 +294,7 @@ efl_net_ssl_ctx_setup(Efl_Net_Ssl_Ctx *ctx, Efl_Net_Ssl_Ctx_Config cfg)
switch (cfg.cipher)
{
case EFL_NET_SSL_CIPHER_AUTO:
ctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
break;
case EFL_NET_SSL_CIPHER_SSLV3:
#ifndef OPENSSL_NO_SSL3_METHOD
ctx->ssl_ctx = SSL_CTX_new(SSLv3_server_method());
#else
ctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
#endif
ctx->ssl_ctx = SSL_CTX_new(TLS_server_method());
break;
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
case EFL_NET_SSL_CIPHER_TLSV1:
@ -338,9 +324,7 @@ efl_net_ssl_ctx_setup(Efl_Net_Ssl_Ctx *ctx, Efl_Net_Ssl_Ctx_Config cfg)
options = SSL_CTX_get_options(ctx->ssl_ctx);
options |= SSL_OP_NO_SSLv2;
options |= SSL_OP_SINGLE_DH_USE;
if (cfg.cipher != EFL_NET_SSL_CIPHER_SSLV3)
options |= SSL_OP_NO_SSLv3;
options |= SSL_OP_NO_SSLv3;
SSL_CTX_set_options(ctx->ssl_ctx, options);
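Review bot: `TLS_client_method()` and `TLS_server_method()` are now called unconditionally in the AUTO cases, yet the `#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)` guard immediately below each shows this file still targets OpenSSL 1.0.x, where those functions do not exist (they were introduced in 1.1.0) — on such a build the AUTO case no longer compiles. `SSLv23_client_method()`/`SSLv23_server_method()` are the version-flexible methods there, and with `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` now always set in the options hunk they yield the same effective policy, so the old call can simply stay behind the version check. LibreSSL has carried the `TLS_*_method()` names for some time, so whether its branch also needs the fallback depends on the minimum LibreSSL you support. The server case should mirror the client case shown below; efl_net_ssl_ctx_setup starts and ends outside the hunks.
```c
      case EFL_NET_SSL_CIPHER_AUTO:
#if OPENSSL_VERSION_NUMBER < 0x10100000L
        /* TLS_client_method() only exists from OpenSSL 1.1.0; on 1.0.x the
         * version-flexible method is SSLv23_client_method(), and the
         * SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 options set later still pin
         * the negotiated range to TLS. */
        ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
#else
        ctx->ssl_ctx = SSL_CTX_new(TLS_client_method());
#endif
        break;
      /* … unchanged: TLSV1 / TLSV1_1 / TLSV1_2 cases … */
```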


@ -19,7 +19,6 @@ enum Efl.Net.Ssl.Cipher {
@since 1.19
]]
auto, [[The default. Use the best your system supports, disables dangerous ciphers]]
sslv3, [[SSLv3, insecure and unsupported - DANGEROUS]]
tlsv1, [[TLSv1, secure and widely available]]
tlsv1_1, [[TLSv1.1, secure]]
tlsv1_2, [[TLSv1.2, secure]]
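Review bot: Dropping `sslv3` from the middle of Efl.Net.Ssl.Cipher renumbers `tlsv1`, `tlsv1_1` and `tlsv1_2`, since none of the enumerators carries an explicit value, and the enum is marked `@since 1.19` so it has already shipped — a binary built against the old header that passes the old `tlsv1` value is read by the new library as the next enumerator (`tlsv1_1`, assuming nothing precedes `auto`). If the Efl.Net API is still beta that may be acceptable, but it should be a deliberate choice; otherwise keep the numbering stable with explicit values (`tlsv1 = 2, [[TLSv1, secure and widely available]]` and so on, if the .eo grammar permits them here as it does elsewhere) or leave the enumerator in place documented as unsupported, e.g. `sslv3, [[SSLv3 - no longer supported; requesting it fails at context setup]]`. The enum declaration starts outside the hunk.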