authorAlastair Poole <netstar@gmail.com>2018-06-20 14:11:52 +0100
committerAlastair Poole <netstar@gmail.com>2018-06-20 14:17:25 +0100
commitd1cbd161bdf1bcb9c0c8429210647245a31559a4 (patch)
treefe39069911865f64bfe3cefb847104146c8bcc97 /src/lib/ecore_con
parenta8532e4ed6eeb187b95ebaa37f52188d2208f487 (diff)
Patch for T6342
Summary: Deprecate SSLv3. Reviewers: zmike, raster, devilhorns Reviewed By: zmike Subscribers: cedric, #committers Tags: #efl Differential Revision: https://phab.enlightenment.org/D6334
Diffstat (limited to 'src/lib/ecore_con')
-rw-r--r--src/lib/ecore_con/ecore_con_legacy.c15
-rw-r--r--src/lib/ecore_con/efl_net_ssl_ctx-gnutls.c3
-rw-r--r--src/lib/ecore_con/efl_net_ssl_ctx-openssl.c22
-rw-r--r--src/lib/ecore_con/efl_net_ssl_types.eot1
4 files changed, 15 insertions, 26 deletions
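--- a/src/lib/ecore_con/ecore_con_legacy.c
+++ b/src/lib/ecore_con/ecore_con_legacy.c
@@ -1609,7 +1609,10 @@ _ecore_con_server_ssl_ctx_create(const Ecore_Con_Server *svr)
 else if (ssl_type & ECORE_CON_USE_TLS)
 cipher = EFL_NET_SSL_CIPHER_TLSV1;
 else if (ssl_type & ECORE_CON_USE_SSL3)
-cipher = EFL_NET_SSL_CIPHER_SSLV3;
+{
+ERR("SSLv3 is unsupported!");
+return NULL;
+}
 else if (ssl_type & ECORE_CON_USE_SSL2)
 {
 ERR("SSLv2 is unsupported!");
@@ -1986,7 +1989,10 @@ _ecore_con_server_dialer_ssl_job(void *data, const Eina_Value v,
 else if (ssl_type & ECORE_CON_USE_TLS)
 cipher = EFL_NET_SSL_CIPHER_TLSV1;
 else if (ssl_type & ECORE_CON_USE_SSL3)
-cipher = EFL_NET_SSL_CIPHER_SSLV3;
+{
+ERR("SSLv3 is unsupported!");
+goto error_ssl_ctx;
+}
 else if (ssl_type & ECORE_CON_USE_SSL2)
 {
 ERR("SSLv2 is unsupported!");
@@ -2078,7 +2084,10 @@ _ecore_con_server_dialer_ssl_upgrade_job(void *data, const Eina_Value v,
 else if (ssl_type & ECORE_CON_USE_TLS)
 cipher = EFL_NET_SSL_CIPHER_TLSV1;
 else if (ssl_type & ECORE_CON_USE_SSL3)
-cipher = EFL_NET_SSL_CIPHER_SSLV3;
+{
+ERR("SSLv3 is unsupported!");
+goto error_ssl_ctx;
+}
 else if (ssl_type & ECORE_CON_USE_SSL2)
 {
 ERR("SSLv2 is unsupported!");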
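Review bot: The public legacy flag ECORE_CON_USE_SSL3, tested at line 1611 of the first hunk, now always fails with `ERR("SSLv3 is unsupported!")` followed by a NULL return, but nothing in this diff marks the flag itself as deprecated, so existing callers only discover the change at runtime. Consider adding an `@deprecated` note to the flag's documentation in the legacy header (outside this diff) that points users at ECORE_CON_USE_TLS or the default, which this code still accepts. The same three-line rejection block is now repeated verbatim in `_ecore_con_server_dialer_ssl_job` and `_ecore_con_server_dialer_ssl_upgrade_job`; a single static helper that maps ssl_type to a cipher (or reports failure) would keep the SSLv2/SSLv3 policy in one place, and the only per-call difference would be the error path (`return NULL` versus `goto error_ssl_ctx`). All three enclosing functions start and end outside their hunks.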
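--- a/src/lib/ecore_con/efl_net_ssl_ctx-gnutls.c
+++ b/src/lib/ecore_con/efl_net_ssl_ctx-gnutls.c
@@ -215,9 +215,6 @@ efl_net_ssl_ctx_setup(Efl_Net_Ssl_Ctx *ctx, Efl_Net_Ssl_Ctx_Config cfg)
 case EFL_NET_SSL_CIPHER_AUTO:
 priority = NULL;
 break;
-case EFL_NET_SSL_CIPHER_SSLV3:
-priority = "NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT:!VERS-TLS1.0:!VERS-TLS1.1:!VERS-TLS1.2";
-break;
 case EFL_NET_SSL_CIPHER_TLSV1:
 priority = "NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT:!VERS-SSL3.0!VERS-TLS1.1:!VERS-TLS1.2";
 break;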
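Review bot: The TLSV1 priority string that survives on the new side at line 219 reads `!VERS-SSL3.0!VERS-TLS1.1` with no ':' between the two keywords, so GnuTLS's priority parser very likely sees a single unknown keyword and gnutls_priority_init() rejects the whole string for this cipher setting; the entry removed just above it had the separator, which suggests a typo rather than intent. The one-line fix is `priority = "NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT:!VERS-SSL3.0:!VERS-TLS1.1:!VERS-TLS1.2";`. With the SSLV3 case gone, a `default:` branch that fails setup on an unknown cipher value would also keep the switch safe if the enum grows again; whether one already exists is not visible, since efl_net_ssl_ctx_setup starts and ends outside the hunk.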
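--- a/src/lib/ecore_con/efl_net_ssl_ctx-openssl.c
+++ b/src/lib/ecore_con/efl_net_ssl_ctx-openssl.c
@@ -263,14 +263,7 @@ efl_net_ssl_ctx_setup(Efl_Net_Ssl_Ctx *ctx, Efl_Net_Ssl_Ctx_Config cfg)
 switch (cfg.cipher)
 {
 case EFL_NET_SSL_CIPHER_AUTO:
-ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
-break;
-case EFL_NET_SSL_CIPHER_SSLV3:
-#ifndef OPENSSL_NO_SSL3_METHOD
-ctx->ssl_ctx = SSL_CTX_new(SSLv3_client_method());
-#else
-ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
-#endif
+ctx->ssl_ctx = SSL_CTX_new(TLS_client_method());
 break;
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 case EFL_NET_SSL_CIPHER_TLSV1:
@@ -301,14 +294,7 @@ efl_net_ssl_ctx_setup(Efl_Net_Ssl_Ctx *ctx, Efl_Net_Ssl_Ctx_Config cfg)
 switch (cfg.cipher)
 {
 case EFL_NET_SSL_CIPHER_AUTO:
-ctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
-break;
-case EFL_NET_SSL_CIPHER_SSLV3:
-#ifndef OPENSSL_NO_SSL3_METHOD
-ctx->ssl_ctx = SSL_CTX_new(SSLv3_server_method());
-#else
-ctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
-#endif
+ctx->ssl_ctx = SSL_CTX_new(TLS_server_method());
 break;
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 case EFL_NET_SSL_CIPHER_TLSV1:
@@ -338,9 +324,7 @@ efl_net_ssl_ctx_setup(Efl_Net_Ssl_Ctx *ctx, Efl_Net_Ssl_Ctx_Config cfg)
 options = SSL_CTX_get_options(ctx->ssl_ctx);
 options |= SSL_OP_NO_SSLv2;
 options |= SSL_OP_SINGLE_DH_USE;
-
-if (cfg.cipher != EFL_NET_SSL_CIPHER_SSLV3)
-options |= SSL_OP_NO_SSLv3;
+options |= SSL_OP_NO_SSLv3;
 
 SSL_CTX_set_options(ctx->ssl_ctx, options);
 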
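Review bot: `TLS_client_method()` at line 266 and `TLS_server_method()` at line 297 only exist from OpenSSL 1.1.0 on, yet the context line directly below each call, `#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)`, shows this file is still built against older OpenSSL (and possibly older LibreSSL), where the new names are undeclared and the build fails. Either keep `SSLv23_*_method()` under the same version guard, as sketched below for the client side with the server hunk needing the mirror change, or drop pre-1.1.0 support consistently across the file. The unconditional `options |= SSL_OP_NO_SSLv3;` added in the third hunk already closes SSLv3 for the AUTO context on every version, so the fallback does not reopen it. On 1.1.0 and later the same floor could be stated once with `SSL_CTX_set_min_proto_version(ctx->ssl_ctx, TLS1_VERSION)` instead of per-version SSL_OP_NO_* flags. efl_net_ssl_ctx_setup starts and ends outside these hunks.
```c
case EFL_NET_SSL_CIPHER_AUTO:
#if OPENSSL_VERSION_NUMBER < 0x10100000L
   /* TLS_client_method() was added in OpenSSL 1.1.0; the older name
    * has the same meaning: negotiate the highest version both sides support. */
   ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
#else
   ctx->ssl_ctx = SSL_CTX_new(TLS_client_method());
#endif
   break;
/* … unchanged: version-guarded EFL_NET_SSL_CIPHER_TLSV1 case and the rest of the switch … */
```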
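--- a/src/lib/ecore_con/efl_net_ssl_types.eot
+++ b/src/lib/ecore_con/efl_net_ssl_types.eot
@@ -19,7 +19,6 @@ enum Efl.Net.Ssl.Cipher {
 @since 1.19
 ]]
 auto, [[The default. Use the best your system supports, disables dangerous ciphers]]
-sslv3, [[SSLv3, insecure and unsupported - DANGEROUS]]
 tlsv1, [[TLSv1, secure and widely available]]
 tlsv1_1, [[TLSv1.1, secure]]
 tlsv1_2, [[TLSv1.2, secure]]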
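Review bot: Removing `sslv3` from the middle of Efl.Net.Ssl.Cipher renumbers every enumerator after it, since no explicit values are given in the hunk: `tlsv1`, `tlsv1_1` and `tlsv1_2` each shift down by one in the generated C enum, and an already-compiled consumer passing the old numeric value for `tlsv1_2` would now silently get `tlsv1_1`. If this type is part of a stable ABI, keep the entry as a deprecated placeholder, e.g. `sslv3, [[Deprecated. SSLv3 is insecure and always rejected; the value is kept only to preserve enum numbering]]`, together with a matching case in efl_net_ssl_ctx_setup that fails setup for it; if the interface is still beta, the renumbering is acceptable and a changelog entry is enough. The enum header and any trailing entries are outside the hunk, so whether the type is marked beta is not visible here.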