From 9be332cf608782a9676fabe18d0f97094c9c9dc9 Mon Sep 17 00:00:00 2001 From: des Date: Wed, 15 Oct 2014 07:35:50 +0000 Subject: As pointed out by several people, r273114 was incorrect: it unconditionally disabled everything except TLS 1.0. Replace it with a more carefully wrought patch: - Switch the default for SSLv3 from on to off - Add environment variables to control TLS 1.1 and 1.2 - In verbose mode, report which version is used - Update the man page to reflect these changes. MFC after: 1 week --- lib/libfetch/common.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'lib/libfetch/common.c') diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c index 498ef48..eabea2b 100644 --- a/lib/libfetch/common.c +++ b/lib/libfetch/common.c @@ -675,10 +675,14 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose) ssl_ctx_options = SSL_OP_ALL | SSL_OP_NO_TICKET; if (getenv("SSL_ALLOW_SSL2") == NULL) ssl_ctx_options |= SSL_OP_NO_SSLv2; - if (getenv("SSL_NO_SSL3") != NULL) + if (getenv("SSL_ALLOW_SSL3") == NULL) ssl_ctx_options |= SSL_OP_NO_SSLv3; if (getenv("SSL_NO_TLS1") != NULL) ssl_ctx_options |= SSL_OP_NO_TLSv1; + if (getenv("SSL_NO_TLS1_1") != NULL) + ssl_ctx_options |= SSL_OP_NO_TLSv1_1; + if (getenv("SSL_NO_TLS1_2") != NULL) + ssl_ctx_options |= SSL_OP_NO_TLSv1_2; if (verbose) fetch_info("SSL options: %lx", ssl_ctx_options); SSL_CTX_set_options(ctx, ssl_ctx_options); @@ -820,7 +824,7 @@ fetch_ssl(conn_t *conn, const struct url *URL, int verbose) SSL_load_error_strings(); - conn->ssl_meth = TLSv1_client_method(); + conn->ssl_meth = SSLv23_client_method(); conn->ssl_ctx = SSL_CTX_new(conn->ssl_meth); SSL_CTX_set_mode(conn->ssl_ctx, SSL_MODE_AUTO_RETRY); @@ -873,8 +877,8 @@ fetch_ssl(conn_t *conn, const struct url *URL, int verbose) } if (verbose) { - fetch_info("SSL connection established using %s", - SSL_get_cipher(conn->ssl)); + fetch_info("%s connection established using %s", + SSL_get_version(conn->ssl), SSL_get_cipher(conn->ssl)); name = X509_get_subject_name(conn->ssl_cert); str = X509_NAME_oneline(name, 0, 0); fetch_info("Certificate subject: %s", str); -- cgit v1.1