[ovs-dev] stream-ssl: Don't enable new TLS versions by default

Message ID 755f8b7f8332e53e0361649e8566b65b1bc3e38f.1532701780.git.tredaelli@redhat.com
State Accepted

Commit Message

Timothy Redaelli July 27, 2018, 2:29 p.m. UTC
Currently protocol_flags is populated by the list of SSL and TLS
protocols by hand. This means that when a new TLS version is added to
openssl (in this case TLS v1.3 is added to openssl 1.1.1 beta)
ovsdb-server automatically enables support for it with the default ciphers.
This can be a security problem (since other ciphers can be enabled) and it
also makes a test (SSL db: implementation) fail.

This commit changes the 'protocol_flags' to use the list of all protocol
flags as provided by the openssl library (SSL_OP_NO_SSL_MASK) so there is no
need to keep the list updated by hand.

Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
---
 lib/stream-ssl.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

Comments

Ben Pfaff Aug. 4, 2018, 12:09 a.m. UTC | #1
On Fri, Jul 27, 2018 at 04:29:40PM +0200, Timothy Redaelli wrote:
> Currently protocol_flags is populated by the list of SSL and TLS
> protocols by hand. This means that when a new TLS version is added to
> openssl (in this case TLS v1.3 is added to openssl 1.1.1 beta)
> ovsdb-server automatically enables support for it with the default ciphers.
> This can be a security problem (since other ciphers can be enabled) and it
> also makes a test (SSL db: implementation) fail.
> 
> This commit changes the 'protocol_flags' to use the list of all protocol
> flags as provided by the openssl library (SSL_OP_NO_SSL_MASK) so there is no
> need to keep the list updated by hand.
> 
> Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>

Thanks, applied to master and backported as far as branch-2.7.
Patch

diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index c7443470f..f3d623c03 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -1188,8 +1188,7 @@  stream_ssl_set_protocols(const char *arg)
     }
 
     /* Start with all the flags off and turn them on as requested. */
-    long protocol_flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1;
-    protocol_flags |= SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
+    long protocol_flags = SSL_OP_NO_SSL_MASK;
 
     char *s = xstrdup(arg);
     char *save_ptr = NULL;
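Review bot: the replacement `long protocol_flags = SSL_OP_NO_SSL_MASK;` makes the build depend on the OpenSSL headers defining that mask, whereas the two removed lines spelled out each `SSL_OP_NO_*` flag individually; the commit message should state the minimum OpenSSL version that provides SSL_OP_NO_SSL_MASK, or the code should carry an `#ifndef SSL_OP_NO_SSL_MASK` fallback to the old explicit list, so older toolchains fail in a documented way rather than with an undefined identifier. Note also that the removed list disabled SSLv2 explicitly (`SSL_OP_NO_SSLv2`); the new code relies on the library's mask covering it, which is worth a one-line comment next to the assignment. The comment above ("Start with all the flags off and turn them on as requested") still reads correctly, since the whole point of the change is that versions the parser below does not know how to request (such as TLS v1.3) stay off, which matches the security rationale in the commit message.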