forked from enlightenment/efl
Patch for T6342
Summary: Deprecate SSLv3. Reviewers: zmike, raster, devilhorns Reviewed By: zmike Subscribers: cedric, #committers Tags: #efl Differential Revision: https://phab.enlightenment.org/D6334
This commit is contained in:
parent
a8532e4ed6
commit
d1cbd161bd
|
@ -467,7 +467,6 @@ static const char * protocols[] = {
|
|||
|
||||
static const char *ciphers_strs[] = {
|
||||
"auto",
|
||||
"sslv3",
|
||||
"tlsv1",
|
||||
"tlsv1.1",
|
||||
"tlsv1.2",
|
||||
|
@ -702,8 +701,6 @@ efl_main(void *data EINA_UNUSED,
|
|||
{
|
||||
if (strcmp(cipher_choice, "auto") == 0)
|
||||
cipher = EFL_NET_SSL_CIPHER_AUTO;
|
||||
else if (strcmp(cipher_choice, "sslv3") == 0)
|
||||
cipher = EFL_NET_SSL_CIPHER_SSLV3;
|
||||
else if (strcmp(cipher_choice, "tlsv1") == 0)
|
||||
cipher = EFL_NET_SSL_CIPHER_TLSV1;
|
||||
else if (strcmp(cipher_choice, "tlsv1.1") == 0)
|
||||
|
|
|
@ -271,7 +271,6 @@ static const char * protocols[] = {
|
|||
|
||||
static const char *ciphers_strs[] = {
|
||||
"auto",
|
||||
"sslv3",
|
||||
"tlsv1",
|
||||
"tlsv1.1",
|
||||
"tlsv1.2",
|
||||
|
@ -510,8 +509,6 @@ efl_main(void *data EINA_UNUSED,
|
|||
{
|
||||
if (strcmp(cipher_choice, "auto") == 0)
|
||||
cipher = EFL_NET_SSL_CIPHER_AUTO;
|
||||
else if (strcmp(cipher_choice, "sslv3") == 0)
|
||||
cipher = EFL_NET_SSL_CIPHER_SSLV3;
|
||||
else if (strcmp(cipher_choice, "tlsv1") == 0)
|
||||
cipher = EFL_NET_SSL_CIPHER_TLSV1;
|
||||
else if (strcmp(cipher_choice, "tlsv1.1") == 0)
|
||||
|
|
|
@ -231,7 +231,6 @@ static const char *verify_mode_strs[] = {
|
|||
|
||||
static const char *ciphers_strs[] = {
|
||||
"auto",
|
||||
"sslv3",
|
||||
"tlsv1",
|
||||
"tlsv1.1",
|
||||
"tlsv1.2",
|
||||
|
@ -416,8 +415,6 @@ efl_main(void *data EINA_UNUSED,
|
|||
{
|
||||
if (strcmp(cipher_choice, "auto") == 0)
|
||||
cipher = EFL_NET_SSL_CIPHER_AUTO;
|
||||
else if (strcmp(cipher_choice, "sslv3") == 0)
|
||||
cipher = EFL_NET_SSL_CIPHER_SSLV3;
|
||||
else if (strcmp(cipher_choice, "tlsv1") == 0)
|
||||
cipher = EFL_NET_SSL_CIPHER_TLSV1;
|
||||
else if (strcmp(cipher_choice, "tlsv1.1") == 0)
|
||||
|
|
|
@ -157,7 +157,6 @@ EFL_CALLBACKS_ARRAY_DEFINE(server_cbs,
|
|||
|
||||
static const char *ciphers_strs[] = {
|
||||
"auto",
|
||||
"sslv3",
|
||||
"tlsv1",
|
||||
"tlsv1.1",
|
||||
"tlsv1.2",
|
||||
|
@ -291,8 +290,6 @@ efl_main(void *data EINA_UNUSED,
|
|||
{
|
||||
if (strcmp(cipher_choice, "auto") == 0)
|
||||
cipher = EFL_NET_SSL_CIPHER_AUTO;
|
||||
else if (strcmp(cipher_choice, "sslv3") == 0)
|
||||
cipher = EFL_NET_SSL_CIPHER_SSLV3;
|
||||
else if (strcmp(cipher_choice, "tlsv1") == 0)
|
||||
cipher = EFL_NET_SSL_CIPHER_TLSV1;
|
||||
else if (strcmp(cipher_choice, "tlsv1.1") == 0)
|
||||
|
|
|
@ -1609,7 +1609,10 @@ _ecore_con_server_ssl_ctx_create(const Ecore_Con_Server *svr)
|
|||
else if (ssl_type & ECORE_CON_USE_TLS)
|
||||
cipher = EFL_NET_SSL_CIPHER_TLSV1;
|
||||
else if (ssl_type & ECORE_CON_USE_SSL3)
|
||||
cipher = EFL_NET_SSL_CIPHER_SSLV3;
|
||||
{
|
||||
ERR("SSLv3 is unsupported!");
|
||||
return NULL;
|
||||
}
|
||||
else if (ssl_type & ECORE_CON_USE_SSL2)
|
||||
{
|
||||
ERR("SSLv2 is unsupported!");
|
||||
|
@ -1986,7 +1989,10 @@ _ecore_con_server_dialer_ssl_job(void *data, const Eina_Value v,
|
|||
else if (ssl_type & ECORE_CON_USE_TLS)
|
||||
cipher = EFL_NET_SSL_CIPHER_TLSV1;
|
||||
else if (ssl_type & ECORE_CON_USE_SSL3)
|
||||
cipher = EFL_NET_SSL_CIPHER_SSLV3;
|
||||
{
|
||||
ERR("SSLv3 is unsupported!");
|
||||
goto error_ssl_ctx;
|
||||
}
|
||||
else if (ssl_type & ECORE_CON_USE_SSL2)
|
||||
{
|
||||
ERR("SSLv2 is unsupported!");
|
||||
|
@ -2078,7 +2084,10 @@ _ecore_con_server_dialer_ssl_upgrade_job(void *data, const Eina_Value v,
|
|||
else if (ssl_type & ECORE_CON_USE_TLS)
|
||||
cipher = EFL_NET_SSL_CIPHER_TLSV1;
|
||||
else if (ssl_type & ECORE_CON_USE_SSL3)
|
||||
cipher = EFL_NET_SSL_CIPHER_SSLV3;
|
||||
{
|
||||
ERR("SSLv3 is unsupported!");
|
||||
goto error_ssl_ctx;
|
||||
}
|
||||
else if (ssl_type & ECORE_CON_USE_SSL2)
|
||||
{
|
||||
ERR("SSLv2 is unsupported!");
|
||||
|
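Review bot: The ssl_type-to-cipher chain is now repeated verbatim in `_ecore_con_server_ssl_ctx_create`, `_ecore_con_server_dialer_ssl_job` and `_ecore_con_server_dialer_ssl_upgrade_job`, with only the failure action differing (`return NULL` versus `goto error_ssl_ctx`), so the list of protocol versions that are refused is maintained in three places. A small `static Eina_Bool` helper that maps the `ECORE_CON_USE_*` bits to a cipher and returns `EINA_FALSE` after logging for SSLv2/SSLv3 would let each caller keep its own unwind while the rejection policy lives once. Note also that `ECORE_CON_USE_TLS` still maps to `EFL_NET_SSL_CIPHER_TLSV1`, which the GnuTLS backend touched by this same commit pins to TLS 1.0 only (its priority string excludes TLS 1.1 and 1.2); if the legacy flag is meant as "any TLS", `EFL_NET_SSL_CIPHER_AUTO` is now the safer mapping, though this may be a deliberate compatibility choice. All three functions start before and end after their hunks.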
|
|
@ -215,9 +215,6 @@ efl_net_ssl_ctx_setup(Efl_Net_Ssl_Ctx *ctx, Efl_Net_Ssl_Ctx_Config cfg)
|
|||
case EFL_NET_SSL_CIPHER_AUTO:
|
||||
priority = NULL;
|
||||
break;
|
||||
case EFL_NET_SSL_CIPHER_SSLV3:
|
||||
priority = "NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT:!VERS-TLS1.0:!VERS-TLS1.1:!VERS-TLS1.2";
|
||||
break;
|
||||
case EFL_NET_SSL_CIPHER_TLSV1:
|
||||
priority = "NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT:!VERS-SSL3.0!VERS-TLS1.1:!VERS-TLS1.2";
|
||||
break;
|
||||
|
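Review bot: The `EFL_NET_SSL_CIPHER_TLSV1` priority string kept on the new side is missing a separator: `"...:!VERS-SSL3.0!VERS-TLS1.1:!VERS-TLS1.2"` fuses two keywords into one token, and since a GnuTLS priority string is a colon-separated keyword list that token is not a recognised keyword, so the TLSv1-only configuration is likely rejected at setup instead of actually disabling TLS 1.1/1.2. It should read `priority = "NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT:!VERS-SSL3.0:!VERS-TLS1.1:!VERS-TLS1.2";`. Now that SSLv3 is no longer selectable anywhere, the `!VERS-SSL3.0` exclusion probably belongs in the TLSV1_1/TLSV1_2 strings as well (they fall outside the hunk, so I cannot confirm what they contain), and arguably in the `AUTO` case, where `priority = NULL` presumably defers to the library default. `efl_net_ssl_ctx_setup` starts before and ends after the hunk.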
|
|
@ -263,14 +263,7 @@ efl_net_ssl_ctx_setup(Efl_Net_Ssl_Ctx *ctx, Efl_Net_Ssl_Ctx_Config cfg)
|
|||
switch (cfg.cipher)
|
||||
{
|
||||
case EFL_NET_SSL_CIPHER_AUTO:
|
||||
ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
|
||||
break;
|
||||
case EFL_NET_SSL_CIPHER_SSLV3:
|
||||
#ifndef OPENSSL_NO_SSL3_METHOD
|
||||
ctx->ssl_ctx = SSL_CTX_new(SSLv3_client_method());
|
||||
#else
|
||||
ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
|
||||
#endif
|
||||
ctx->ssl_ctx = SSL_CTX_new(TLS_client_method());
|
||||
break;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
||||
case EFL_NET_SSL_CIPHER_TLSV1:
|
||||
|
@ -301,14 +294,7 @@ efl_net_ssl_ctx_setup(Efl_Net_Ssl_Ctx *ctx, Efl_Net_Ssl_Ctx_Config cfg)
|
|||
switch (cfg.cipher)
|
||||
{
|
||||
case EFL_NET_SSL_CIPHER_AUTO:
|
||||
ctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
|
||||
break;
|
||||
case EFL_NET_SSL_CIPHER_SSLV3:
|
||||
#ifndef OPENSSL_NO_SSL3_METHOD
|
||||
ctx->ssl_ctx = SSL_CTX_new(SSLv3_server_method());
|
||||
#else
|
||||
ctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
|
||||
#endif
|
||||
ctx->ssl_ctx = SSL_CTX_new(TLS_server_method());
|
||||
break;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
||||
case EFL_NET_SSL_CIPHER_TLSV1:
|
||||
|
@ -338,9 +324,7 @@ efl_net_ssl_ctx_setup(Efl_Net_Ssl_Ctx *ctx, Efl_Net_Ssl_Ctx_Config cfg)
|
|||
options = SSL_CTX_get_options(ctx->ssl_ctx);
|
||||
options |= SSL_OP_NO_SSLv2;
|
||||
options |= SSL_OP_SINGLE_DH_USE;
|
||||
|
||||
if (cfg.cipher != EFL_NET_SSL_CIPHER_SSLV3)
|
||||
options |= SSL_OP_NO_SSLv3;
|
||||
options |= SSL_OP_NO_SSLv3;
|
||||
|
||||
SSL_CTX_set_options(ctx->ssl_ctx, options);
|
||||
|
||||
|
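Review bot: If `ctx->ssl_ctx = SSL_CTX_new(TLS_client_method());` (and its `TLS_server_method()` twin in the second hunk) is the replacement for `SSLv23_client_method()` in the `EFL_NET_SSL_CIPHER_AUTO` case — the rendered page has lost the +/- markers, but the 14-to-7 line counts fit that reading — then the AUTO path no longer compiles against OpenSSL 1.0.x, where `TLS_client_method`/`TLS_server_method` do not exist, even though the `#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)` guard immediately below shows the file still supports those builds. Either drop pre-1.1.0 support explicitly or add a compatibility shim next to the OpenSSL includes, under the same guard the file already uses, so both names resolve everywhere; negotiation is unaffected either way because `SSL_OP_NO_SSLv2` and (now unconditionally) `SSL_OP_NO_SSLv3` are set in the third hunk. While there, `options |= SSL_OP_NO_COMPRESSION;` is a cheap addition beside them to rule out CRIME-style attacks on TLS compression. `efl_net_ssl_ctx_setup` starts before and ends after these hunks.
```c
/* OpenSSL < 1.1.0 (and LibreSSL, per the existing guard) only has the
 * SSLv23_* names; with SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3 set later they
 * negotiate exactly like the TLS_*_method() entry points. */
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
# define TLS_client_method SSLv23_client_method
# define TLS_server_method SSLv23_server_method
#endif
```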
|
|
@ -19,7 +19,6 @@ enum Efl.Net.Ssl.Cipher {
|
|||
@since 1.19
|
||||
]]
|
||||
auto, [[The default. Use the best your system supports, disables dangerous ciphers]]
|
||||
sslv3, [[SSLv3, insecure and unsupported - DANGEROUS]]
|
||||
tlsv1, [[TLSv1, secure and widely available]]
|
||||
tlsv1_1, [[TLSv1.1, secure]]
|
||||
tlsv1_2, [[TLSv1.2, secure]]
|
||||
|
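Review bot: Removing the `sslv3` member renumbers the rest of `Efl.Net.Ssl.Cipher`: unless values are given explicitly elsewhere in the enum, Eolian assigns them sequentially, so `tlsv1`/`tlsv1_1`/`tlsv1_2` each drop by one and `EFL_NET_SSL_CIPHER_SSLV3` disappears from the generated header — an ABI and API break for anything built against the `@since 1.19` enum. If the interface is already frozen, keeping the member with a deprecation note in its doc such as `sslv3, [[SSLv3, no longer negotiable; rejected at setup]]` preserves the numbering while the backends refuse it at runtime; if Efl.Net is still beta this is fine but worth stating in the commit message. The remaining `tlsv1, [[TLSv1, secure and widely available]]` text is also out of date, since TLS 1.0 is deprecated and the GnuTLS priority string in this commit pins that mode to exactly TLS 1.0, so `[[TLSv1.0 only; obsolete, prefer auto]]` or similar would steer users better. The enum declaration starts before the hunk.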
|