svn commit: r273124 - head/lib/libfetch

Wed, 15 Oct 2014 00:36:07 -0700 

Author: des
Date: Wed Oct 15 07:35:50 2014
New Revision: 273124
URL: https://svnweb.freebsd.org/changeset/base/273124

Log:
  As pointed out by several people, r273114 was incorrect: it unconditionally
  disabled everything except TLS 1.0.  Replace it with a more carefully
  wrought patch:
  
   - Switch the default for SSLv3 from on to off
   - Add environment variables to control TLS 1.1 and 1.2
   - In verbose mode, report which version is used
   - Update the man page to reflect these changes.
  
  MFC after:    1 week

Modified:
  head/lib/libfetch/common.c
  head/lib/libfetch/fetch.3

Modified: head/lib/libfetch/common.c
==============================================================================
--- head/lib/libfetch/common.c  Wed Oct 15 07:09:45 2014        (r273123)
+++ head/lib/libfetch/common.c  Wed Oct 15 07:35:50 2014        (r273124)
@@ -675,10 +675,14 @@ fetch_ssl_setup_transport_layer(SSL_CTX 
        ssl_ctx_options = SSL_OP_ALL | SSL_OP_NO_TICKET;
        if (getenv("SSL_ALLOW_SSL2") == NULL)
                ssl_ctx_options |= SSL_OP_NO_SSLv2;
-       if (getenv("SSL_NO_SSL3") != NULL)
+       if (getenv("SSL_ALLOW_SSL3") == NULL)
                ssl_ctx_options |= SSL_OP_NO_SSLv3;
        if (getenv("SSL_NO_TLS1") != NULL)
                ssl_ctx_options |= SSL_OP_NO_TLSv1;
+       if (getenv("SSL_NO_TLS1_1") != NULL)
+               ssl_ctx_options |= SSL_OP_NO_TLSv1_1;
+       if (getenv("SSL_NO_TLS1_2") != NULL)
+               ssl_ctx_options |= SSL_OP_NO_TLSv1_2;
        if (verbose)
                fetch_info("SSL options: %lx", ssl_ctx_options);
        SSL_CTX_set_options(ctx, ssl_ctx_options);
@@ -820,7 +824,7 @@ fetch_ssl(conn_t *conn, const struct url
 
        SSL_load_error_strings();
 
-       conn->ssl_meth = TLSv1_client_method();
+       conn->ssl_meth = SSLv23_client_method();
        conn->ssl_ctx = SSL_CTX_new(conn->ssl_meth);
        SSL_CTX_set_mode(conn->ssl_ctx, SSL_MODE_AUTO_RETRY);
 
@@ -873,8 +877,8 @@ fetch_ssl(conn_t *conn, const struct url
        }
 
        if (verbose) {
-               fetch_info("SSL connection established using %s",
-                   SSL_get_cipher(conn->ssl));
+               fetch_info("%s connection established using %s",
+                   SSL_get_version(conn->ssl), SSL_get_cipher(conn->ssl));
                name = X509_get_subject_name(conn->ssl_cert);
                str = X509_NAME_oneline(name, 0, 0);
                fetch_info("Certificate subject: %s", str);

Modified: head/lib/libfetch/fetch.3
==============================================================================
--- head/lib/libfetch/fetch.3   Wed Oct 15 07:09:45 2014        (r273123)
+++ head/lib/libfetch/fetch.3   Wed Oct 15 07:35:50 2014        (r273124)
@@ -26,7 +26,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd July 30, 2013
+.Dd October 15, 2014
 .Dt FETCH 3
 .Os
 .Sh NAME
@@ -438,15 +438,17 @@ input (see
 .Pp
 By default
 .Nm libfetch
-allows SSLv3 and TLSv1 when negotiating the connecting with the remote
+allows TLSv1 and newer when negotiating the connecting with the remote
 peer.
-You can change this behavior by setting the environment variable
+You can change this behavior by setting the
 .Ev SSL_ALLOW_SSL2
-to allow SSLv2 (not recommended) and
-.Ev SSL_NO_SSL3
-or
-.Ev SSL_NO_TLS1
-to disable the respective methods.
+and
+.Ev SSL_ALLOW_SSL3
+environment variables to allow SSLv2 and SSLv3, respectively, and
+.Ev SSL_NO_TLS1 ,
+.Ev SSL_NO_TLS1_1 and
+.Ev SSL_NO_TLS1_2
+to disable TLS 1.0, 1.1 and 1.2 respectively.
 .Sh AUTHENTICATION
 Apart from setting the appropriate environment variables and
 specifying the user name and password in the URL or the
@@ -646,6 +648,8 @@ Same as
 for compatibility.
 .It Ev SSL_ALLOW_SSL2
 Allow SSL version 2 when negotiating the connection (not recommended).
+.It Ev SSL_ALLOW_SSL3
+Allow SSL version 3 when negotiating the connection (not recommended).
 .It Ev SSL_CA_CERT_FILE
 CA certificate bundle containing trusted CA certificates.
 Default value:
@@ -660,10 +664,12 @@ PEM encoded client key in case key and c
 are stored separately.
 .It Ev SSL_CRL_FILE
 File containing certificate revocation list.
-.It Ev SSL_NO_SSL3
-Don't allow SSL version 3 when negotiating the connection.
 .It Ev SSL_NO_TLS1
-Don't allow TLV version 1 when negotiating the connection.
+Do not allow TLS version 1.0 when negotiating the connection.
+.It Ev SSL_NO_TLS1_1
+Do not allow TLS version 1.1 when negotiating the connection.
+.It Ev SSL_NO_TLS1_2
+Do not allow TLS version 1.2 when negotiating the connection.
 .It Ev SSL_NO_VERIFY_HOSTNAME
 If set, do not verify that the hostname matches the subject of the
 certificate presented by the server.
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Reply via email to