This is an automated email from the ASF dual-hosted git repository.

sorber pushed a commit to branch master
in repository https://git-dual.apache.org/repos/asf/trafficserver.git

The following commit(s) were added to refs/heads/master by this push:
       new  ba22efd   TS-4357: Remove SSLv2 and only allow SSLv3 to origin with 
configure option.
ba22efd is described below

commit ba22efdd28aae323206da91fd0053a518db9dbb5
Author: Phil Sorber <sor...@apache.org>
AuthorDate: Wed Apr 20 15:09:44 2016 -0600

    TS-4357: Remove SSLv2 and only allow SSLv3 to origin with configure option.
---
 configure.ac                                | 12 ++++++++++++
 doc/admin-guide/files/records.config.en.rst |  8 --------
 iocore/net/SSLConfig.cc                     | 19 ++++++-------------
 lib/ts/ink_config.h.in                      |  1 +
 mgmt/RecordsConfig.cc                       | 10 +++-------
 5 files changed, 22 insertions(+), 28 deletions(-)

diff --git a/configure.ac b/configure.ac
index bac6bf0..75e391d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -332,6 +332,18 @@ AC_ARG_ENABLE([hardening],
 AC_MSG_RESULT([$enable_hardening])
 
 #
+# Enable SSLv3 to origin
+#
+AC_MSG_CHECKING([whether to enable SSLv3 config for origin connections])
+AC_ARG_ENABLE([sslv3-client],
+  [AS_HELP_STRING([--enable-sslv3-client],[Enable SSLv3 config for origin 
connections (Only do this if you understand the risks)])],
+  [],
+  [enable_sslv3_client="no"]
+)
+AC_MSG_RESULT([$enable_sslv3_client])
+TS_ARG_ENABLE_VAR([use], [sslv3-client])
+
+#
 # Use TPROXY for connection transparency.
 #
 AC_MSG_CHECKING([whether to enable TPROXY based transparency])
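Review bot: A configure run that passes `--enable-sslv3-client` leaves nothing in the build log beyond the `yes` printed by `AC_MSG_RESULT`, although the help string on the `AC_ARG_ENABLE` line itself describes the choice as risky. Emitting an explicit warning after the result line would make the weakened default visible to whoever reads the log later, e.g. `AS_IF([test "x$enable_sslv3_client" = "xyes"], [AC_MSG_WARN([SSLv3 to origin servers enabled; this protocol is considered insecure])])`. The `enable_sslv3_client` variable is the one `AC_ARG_ENABLE([sslv3-client])` defines, so no new plumbing is needed.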
diff --git a/doc/admin-guide/files/records.config.en.rst 
b/doc/admin-guide/files/records.config.en.rst
index 1122694..67a9b09 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -2643,14 +2643,6 @@ SSL Termination
 
    
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-
 [...]
 
-.. ts:cv:: CONFIG proxy.config.ssl.SSLv2 INT 0
-
-   Enables (``1``) or disables (``0``) SSLv2. Please don't enable it.
-
-.. ts:cv:: CONFIG proxy.config.ssl.SSLv3 INT 0
-
-   Enables (``1``) or disables (``0``) SSLv3.
-
 .. ts:cv:: CONFIG proxy.config.ssl.TLSv1 INT 1
 
    Enables (``1``) or disables (``0``) TLSv1.
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 63540ce..1fb6ff3 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -72,8 +72,8 @@ SSLConfigParams::SSLConfigParams()
 
   clientCertLevel = client_verify_depth = verify_depth = clientVerify = 0;
 
-  ssl_ctx_options = 0;
-  ssl_client_ctx_protocols = 0;
+  ssl_ctx_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+  ssl_client_ctx_protocols = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
   ssl_session_cache = SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL;
   ssl_session_cache_size = 1024 * 100;
   ssl_session_cache_num_buckets = 1024; // Sessions per bucket is 
ceil(ssl_session_cache_size / ssl_session_cache_num_buckets)
@@ -161,22 +161,15 @@ SSLConfigParams::initialize()
 
   int options;
   int client_ssl_options;
-  REC_ReadConfigInteger(options, "proxy.config.ssl.SSLv2");
-  if (!options)
-    ssl_ctx_options |= SSL_OP_NO_SSLv2;
-  REC_ReadConfigInteger(options, "proxy.config.ssl.SSLv3");
-  if (!options)
-    ssl_ctx_options |= SSL_OP_NO_SSLv3;
   REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1");
   if (!options)
     ssl_ctx_options |= SSL_OP_NO_TLSv1;
 
-  REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.SSLv2");
-  if (!client_ssl_options)
-    ssl_client_ctx_protocols |= SSL_OP_NO_SSLv2;
+#if TS_USE_SSLV3_CLIENT
   REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.SSLv3");
-  if (!client_ssl_options)
-    ssl_client_ctx_protocols |= SSL_OP_NO_SSLv3;
+  if (client_ssl_options)
+    ssl_client_ctx_protocols &= ~SSL_OP_NO_SSLv3;
+#endif
   REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.TLSv1");
   if (!client_ssl_options)
     ssl_client_ctx_protocols |= SSL_OP_NO_TLSv1;
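Review bot: The `#if TS_USE_SSLV3_CLIENT` block at the end of this hunk clears `SSL_OP_NO_SSLv3` from `ssl_client_ctx_protocols`, but nothing here records that the bit it clears is set by the constructor (the earlier hunk in this file) and that, as far as this hunk shows, a build without the option has no way to re-enable SSLv3 to origins; a short comment would save the next reader a search, e.g. `// SSLv3 to origin is disabled by default (see constructor); only a build configured with --enable-sslv3-client may turn it on via this record.` The server-side reads of `proxy.config.ssl.SSLv2` and `proxy.config.ssl.SSLv3` are gone, so a records.config that still sets them is now ignored rather than honored; unless the records layer already warns about unknown records, a one-time log line here would make that upgrade effect visible to operators. `SSLConfigParams::initialize()` continues outside the hunk.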
diff --git a/lib/ts/ink_config.h.in b/lib/ts/ink_config.h.in
index c4edecd..119ed96 100644
--- a/lib/ts/ink_config.h.in
+++ b/lib/ts/ink_config.h.in
@@ -80,6 +80,7 @@
 #define TS_USE_LINUX_NATIVE_AIO        @use_linux_native_aio@
 #define TS_USE_REMOTE_UNWINDING               @use_remote_unwinding@
 #define TS_USE_LUAJIT                  @use_luajit@
+#define TS_USE_SSLV3_CLIENT            @use_sslv3_client@
 
 #define TS_HAS_SO_PEERCRED             @has_so_peercred@
 
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 0ce9df9..b500027 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1219,10 +1219,6 @@ static const RecordElement RecordsConfig[] =
   
//##############################################################################
   {RECT_CONFIG, "proxy.config.ssl.enabled", RECD_INT, "0", RECU_RESTART_TS, 
RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
-  {RECT_CONFIG, "proxy.config.ssl.SSLv2", RECD_INT, "0", RECU_RESTART_TS, 
RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
-  ,
-  {RECT_CONFIG, "proxy.config.ssl.SSLv3", RECD_INT, "0", RECU_RESTART_TS, 
RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
-  ,
   {RECT_CONFIG, "proxy.config.ssl.TLSv1", RECD_INT, "1", RECU_RESTART_TS, 
RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
   {RECT_CONFIG, "proxy.config.ssl.TLSv1_1", RECD_INT, "1", RECU_RESTART_TS, 
RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
@@ -1232,10 +1228,10 @@ static const RecordElement RecordsConfig[] =
   ,
 
   // Client SSL protocols
-  {RECT_CONFIG, "proxy.config.ssl.client.SSLv2", RECD_INT, "0", 
RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
-  ,
-  {RECT_CONFIG, "proxy.config.ssl.client.SSLv3", RECD_INT, "1", 
RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+#if TS_USE_SSLV3_CLIENT
+  {RECT_CONFIG, "proxy.config.ssl.client.SSLv3", RECD_INT, "0", 
RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
+#endif
   {RECT_CONFIG, "proxy.config.ssl.client.TLSv1", RECD_INT, "1", 
RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
   {RECT_CONFIG, "proxy.config.ssl.client.TLSv1_1", RECD_INT, "1", 
RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
