From ce088c2b9ef7da45b8db0971a28116d098fdcfad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9mie=20Courr=C3=A8ges-Anglas?= Date: Mon, 1 Dec 2014 13:41:59 +0100 Subject: [PATCH] openssl backend: repair use of TLSv1+ protocols The use of TLSv1_client_method() means that the protocol used will be limited to TLSv1.0. This is not desirable for --secure-protocol values of "auto" (default) and "pfs". Fix by using SSLv23_client_method() and disabling SSLv[23]. Issue reported by Mikolaj Kucharski. --- src/ChangeLog | 5 +++++ src/openssl.c | 8 ++++++++ 2 files changed, 13 insertions(+) diff --git a/src/ChangeLog b/src/ChangeLog index 97a895e8..a9fa0bcd 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,8 @@ +2014-12-03 Jérémie Courrèges-Anglas (tiny change) + + * openssl.c (ssl_init): Allow pfs to be used with protocols other than + TLSv1. + 2014-12-01 Tim Ruehsen * connect.c, iri.c, url.c, warc.c: Fix issues reported diff --git a/src/openssl.c b/src/openssl.c index 38c6ac4c..81da5a2b 100644 --- a/src/openssl.c +++ b/src/openssl.c @@ -203,6 +203,8 @@ ssl_init (void) SSLeay_add_all_algorithms (); SSLeay_add_ssl_algorithms (); + long ssl_options = 0; + switch (opt.secure_protocol) { #ifndef OPENSSL_NO_SSL2 @@ -219,6 +221,9 @@ ssl_init (void) case secure_protocol_auto: case secure_protocol_pfs: + meth = SSLv23_client_method (); + ssl_options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; + break; case secure_protocol_tlsv1: meth = TLSv1_client_method (); break; @@ -253,6 +258,9 @@ ssl_init (void) if (!ssl_ctx) goto error; + if (ssl_options) + SSL_CTX_set_options (ssl_ctx, ssl_options); + /* OpenSSL ciphers: https://www.openssl.org/docs/apps/ciphers.html * Since we want a good protection, we also use HIGH (that excludes MD4 ciphers and some more) */