This is an automated email from the ASF dual-hosted git repository. sorber pushed a commit to branch master in repository https://git-dual.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push: new ba22efd TS-4357: Remove SSLv2 and only allow SSLv3 to origin with configure option. ba22efd is described below commit ba22efdd28aae323206da91fd0053a518db9dbb5 Author: Phil Sorber <sor...@apache.org> AuthorDate: Wed Apr 20 15:09:44 2016 -0600 TS-4357: Remove SSLv2 and only allow SSLv3 to origin with configure option. --- configure.ac | 12 ++++++++++++ doc/admin-guide/files/records.config.en.rst | 8 -------- iocore/net/SSLConfig.cc | 19 ++++++------------- lib/ts/ink_config.h.in | 1 + mgmt/RecordsConfig.cc | 10 +++------- 5 files changed, 22 insertions(+), 28 deletions(-)
diff --git a/configure.ac b/configure.ac
index bac6bf0..75e391d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -332,6 +332,18 @@ AC_ARG_ENABLE([hardening],
 AC_MSG_RESULT([$enable_hardening])
 #
+# Enable SSLv3 to origin
+#
+AC_MSG_CHECKING([whether to enable SSLv3 config for origin connections])
+AC_ARG_ENABLE([sslv3-client],
+ [AS_HELP_STRING([--enable-sslv3-client],[Enable SSLv3 config for origin connections (Only do this if you understand the risks)])],
+ [],
+ [enable_sslv3_client="no"]
+)
+AC_MSG_RESULT([$enable_sslv3_client])
+TS_ARG_ENABLE_VAR([use], [sslv3-client])
+
+#
 # Use TPROXY for connection transparency.
 #
 AC_MSG_CHECKING([whether to enable TPROXY based transparency])
diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst
index 1122694..67a9b09 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
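Review bot: The help text at `[AS_HELP_STRING([--enable-sslv3-client],[Enable SSLv3 config for origin connections (Only do this if you understand the risks)])]` does not state the default, so `./configure --help` gives no hint that SSLv3 to origin is compiled out unless this flag is passed. Since the default lives two lines down in `[enable_sslv3_client="no"]`, spelling it out in the help string keeps the two facts together for packagers: `[Enable SSLv3 config for origin connections (default: no; only do this if you understand the risks)]`. The `TS_ARG_ENABLE_VAR([use], [sslv3-client])` line is presumably what produces the `@use_sslv3_client@` substitution consumed by ink_config.h.in; that macro is defined outside this hunk.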
@@ -2643,14 +2643,6 @@ SSL Termination ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128- [...]
-.. ts:cv:: CONFIG proxy.config.ssl.SSLv2 INT 0
-
- Enables (``1``) or disables (``0``) SSLv2. Please don't enable it.
-
-.. ts:cv:: CONFIG proxy.config.ssl.SSLv3 INT 0
-
- Enables (``1``) or disables (``0``) SSLv3.
-
 .. ts:cv:: CONFIG proxy.config.ssl.TLSv1 INT 1
 Enables (``1``) or disables (``0``) TLSv1.
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 63540ce..1fb6ff3 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -72,8 +72,8 @@ SSLConfigParams::SSLConfigParams()
 clientCertLevel = client_verify_depth = verify_depth = clientVerify = 0;
- ssl_ctx_options = 0;
- ssl_client_ctx_protocols = 0;
+ ssl_ctx_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+ ssl_client_ctx_protocols = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
 ssl_session_cache = SSL_SESSION_CACHE_MODE_SERVER_ATS_IMPL;
 ssl_session_cache_size = 1024 * 100;
 ssl_session_cache_num_buckets = 1024; // Sessions per bucket is ceil(ssl_session_cache_size / ssl_session_cache_num_buckets)
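Review bot: The new constructor defaults `ssl_ctx_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;` and `ssl_client_ctx_protocols = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;` are now a security floor rather than a neutral starting value, but nothing at the assignment says so, and the previous `= 0` makes the opposite reading natural for anyone skimming the constructor. A short comment would protect the invariant from a later "cleanup" back to zero: `// Floor: SSLv2 and SSLv3 are never negotiated. initialize() may clear SSL_OP_NO_SSLv3 on the client side only when built with --enable-sslv3-client.` The rest of the constructor is outside the hunk.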
@@ -161,22 +161,15 @@ SSLConfigParams::initialize()
 int options;
 int client_ssl_options;
- REC_ReadConfigInteger(options, "proxy.config.ssl.SSLv2");
- if (!options)
- ssl_ctx_options |= SSL_OP_NO_SSLv2;
- REC_ReadConfigInteger(options, "proxy.config.ssl.SSLv3");
- if (!options)
- ssl_ctx_options |= SSL_OP_NO_SSLv3;
 REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1");
 if (!options)
 ssl_ctx_options |= SSL_OP_NO_TLSv1;
- REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.SSLv2");
- if (!client_ssl_options)
- ssl_client_ctx_protocols |= SSL_OP_NO_SSLv2;
+#if TS_USE_SSLV3_CLIENT
 REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.SSLv3");
- if (!client_ssl_options)
- ssl_client_ctx_protocols |= SSL_OP_NO_SSLv3;
+ if (client_ssl_options)
+ ssl_client_ctx_protocols &= ~SSL_OP_NO_SSLv3;
+#endif
 REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.TLSv1");
 if (!client_ssl_options)
 ssl_client_ctx_protocols |= SSL_OP_NO_TLSv1;
diff --git a/lib/ts/ink_config.h.in b/lib/ts/ink_config.h.in
index c4edecd..119ed96 100644
--- a/lib/ts/ink_config.h.in
+++ b/lib/ts/ink_config.h.in
@@ -80,6 +80,7 @@
 #define TS_USE_LINUX_NATIVE_AIO @use_linux_native_aio@
 #define TS_USE_REMOTE_UNWINDING @use_remote_unwinding@
 #define TS_USE_LUAJIT @use_luajit@
+#define TS_USE_SSLV3_CLIENT @use_sslv3_client@
 #define TS_HAS_SO_PEERCRED @has_so_peercred@
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 0ce9df9..b500027 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
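Review bot: Clearing the SSLv3 bit at `ssl_client_ctx_protocols &= ~SSL_OP_NO_SSLv3;` happens silently, so on a build made with --enable-sslv3-client an operator has no log evidence that origin connections may fall back to SSLv3, which is the one condition that separates a hardened deployment from a downgradable one. Emitting a warning on that branch (this code base's Diags `Warning()` call, if that is the convention in this file) would make the weakened setting visible in the logs and to anyone auditing them, e.g. `Warning("proxy.config.ssl.client.SSLv3 is set: SSLv3 will be offered to origin servers");`. A comment above `#if TS_USE_SSLV3_CLIENT` would also help the next reader: `// SSLv3 to origin is compiled out unless configured with --enable-sslv3-client, and even then stays off until proxy.config.ssl.client.SSLv3 is 1.` The body of initialize() continues past the end of the hunk.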
@@ -1219,10 +1219,6 @@ static const RecordElement RecordsConfig[] =
 //##############################################################################
 {RECT_CONFIG, "proxy.config.ssl.enabled", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
 ,
- {RECT_CONFIG, "proxy.config.ssl.SSLv2", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
- ,
- {RECT_CONFIG, "proxy.config.ssl.SSLv3", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
- ,
 {RECT_CONFIG, "proxy.config.ssl.TLSv1", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
 ,
 {RECT_CONFIG, "proxy.config.ssl.TLSv1_1", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
@@ -1232,10 +1228,10 @@ static const RecordElement RecordsConfig[] =
 ,
 // Client SSL protocols
- {RECT_CONFIG, "proxy.config.ssl.client.SSLv2", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
- ,
- {RECT_CONFIG, "proxy.config.ssl.client.SSLv3", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+#if TS_USE_SSLV3_CLIENT
+ {RECT_CONFIG, "proxy.config.ssl.client.SSLv3", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
 ,
+#endif
 {RECT_CONFIG, "proxy.config.ssl.client.TLSv1", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
 ,
 {RECT_CONFIG, "proxy.config.ssl.client.TLSv1_1", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
-- To stop receiving notification emails like this one, please contact ['"commits@trafficserver.apache.org" <commits@trafficserver.apache.org>'].
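Review bot: Compiling the `proxy.config.ssl.client.SSLv3` record out under `#if TS_USE_SSLV3_CLIENT` (and dropping the three SSLv2/SSLv3 records in this and the preceding hunk) means a records.config carried over from an older install can still name records that are no longer registered; whether the records subsystem reports such unknown keys loudly or ignores them is outside this hunk, and it is worth confirming, because an operator who believes `proxy.config.ssl.client.SSLv3 1` is still honoured on a default build would not see it take effect and might not notice. The default flip from "1" to "0" on the retained record is the right call, but the documentation change on this page only removes the server-side SSLv2/SSLv3 entries; the new default and the build-time gate for the client record are not described in it, so the records.config documentation for `proxy.config.ssl.client.SSLv3` (not visible here) should state that the record exists only when built with --enable-sslv3-client and defaults to 0.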