From c6cfcc3c30f492fb5291ca5a15767a4f96b5d9a8 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Wed, 22 Oct 2014 23:14:07 +0900 Subject: [PATCH] src: Disable insecure SSLv3 --- src/HttpServer.cc | 3 ++- src/asio_http2_impl.cc | 3 ++- src/nghttp.cc | 3 ++- src/shrpx.cc | 4 ++-- src/shrpx_ssl.cc | 10 ++++++---- 5 files changed, 14 insertions(+), 9 deletions(-) diff --git a/src/HttpServer.cc b/src/HttpServer.cc index 7bfc24d3..01f97a3e 100644 --- a/src/HttpServer.cc +++ b/src/HttpServer.cc @@ -1513,7 +1513,8 @@ int HttpServer::run() } SSL_CTX_set_options(ssl_ctx, - SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION | + SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | + SSL_OP_NO_COMPRESSION | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_TICKET | diff --git a/src/asio_http2_impl.cc b/src/asio_http2_impl.cc index a5dd8607..229dcf3b 100644 --- a/src/asio_http2_impl.cc +++ b/src/asio_http2_impl.cc @@ -103,7 +103,8 @@ void http2_impl::listen(const std::string& address, uint16_t port, auto ctx = ssl_ctx->native_handle(); SSL_CTX_set_options(ctx, - SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION | + SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | + SSL_OP_NO_COMPRESSION | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_TICKET | diff --git a/src/nghttp.cc b/src/nghttp.cc index 599df041..28097145 100644 --- a/src/nghttp.cc +++ b/src/nghttp.cc @@ -1710,7 +1710,8 @@ int communicate(const std::string& scheme, const std::string& host, goto fin; } SSL_CTX_set_options(ssl_ctx, - SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION | + SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | + SSL_OP_NO_COMPRESSION | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION); SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY); diff --git a/src/shrpx.cc b/src/shrpx.cc index 65277894..0802788b 100644 --- a/src/shrpx.cc +++ b/src/shrpx.cc @@ -1060,8 +1060,8 @@ SSL/TLS: --tls-proto-list= Comma delimited list of SSL/TLS protocol to be enabled. The following protocols are available: - TLSv1.2, TLSv1.1, TLSv1.0 and SSLv3. The name - matching is done in case-insensitive manner. The + TLSv1.2, TLSv1.1 and TLSv1.0. The name matching + is done in case-insensitive manner. The parameter must be delimited by a single comma only and any white spaces are treated as a part of protocol string. diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc index f543d4dc..bd0ffcc6 100644 --- a/src/shrpx_ssl.cc +++ b/src/shrpx_ssl.cc @@ -196,10 +196,10 @@ int alpn_select_proto_cb(SSL *ssl, #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L namespace { -const char *tls_names[] = { "TLSv1.2", "TLSv1.1", "TLSv1.0", "SSLv3" }; +const char *tls_names[] = { "TLSv1.2", "TLSv1.1", "TLSv1.0" }; const size_t tls_namelen = util::array_size(tls_names); const long int tls_masks[] = { SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_1, - SSL_OP_NO_TLSv1, SSL_OP_NO_SSLv3 }; + SSL_OP_NO_TLSv1 }; } // namespace long int create_tls_proto_mask(const std::vector& tls_proto_list) @@ -231,7 +231,8 @@ SSL_CTX* create_ssl_context(const char *private_key_file, } SSL_CTX_set_options(ssl_ctx, - SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION | + SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | + SSL_OP_NO_COMPRESSION | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE | SSL_OP_NO_TICKET | @@ -384,7 +385,8 @@ SSL_CTX* create_ssl_client_context() DIE(); } SSL_CTX_set_options(ssl_ctx, - SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION | + SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | + SSL_OP_NO_COMPRESSION | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | get_config()->tls_proto_mask);