Module Name:    src
Committed By:   mrg
Date:           Tue Aug 24 09:47:36 UTC 2021

Modified Files:
        src/libexec/httpd: CHANGES bozohttpd.8 bozohttpd.c bozohttpd.h main.c
            ssl-bozo.c

Log Message:
implement tls minimum version setting.

mostly from su...@nimmagadda.net in PR#55830, though i moved the
member into the main http structure, so that it doesn't trigger
sslinfo being allocated via command line without the rest of the
ssl being setup (which then leads to crashes.)


To generate a diff of this commit:
cvs rdiff -u -r1.49 -r1.50 src/libexec/httpd/CHANGES
cvs rdiff -u -r1.88 -r1.89 src/libexec/httpd/bozohttpd.8
cvs rdiff -u -r1.135 -r1.136 src/libexec/httpd/bozohttpd.c
cvs rdiff -u -r1.69 -r1.70 src/libexec/httpd/bozohttpd.h
cvs rdiff -u -r1.28 -r1.29 src/libexec/httpd/main.c
cvs rdiff -u -r1.29 -r1.30 src/libexec/httpd/ssl-bozo.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/libexec/httpd/CHANGES
diff -u src/libexec/httpd/CHANGES:1.49 src/libexec/httpd/CHANGES:1.50
--- src/libexec/httpd/CHANGES:1.49	Wed May  5 07:41:48 2021
+++ src/libexec/httpd/CHANGES	Tue Aug 24 09:47:36 2021
@@ -1,4 +1,8 @@
-$NetBSD: CHANGES,v 1.49 2021/05/05 07:41:48 mrg Exp $
+$NetBSD: CHANGES,v 1.50 2021/08/24 09:47:36 mrg Exp $
+
+changes in bozohttpd 20210824:
+	o  new "-m tlsversion" option to set the minimum TLS version
+	   available.  partially from <su...@nimmagadda.net>.
 
 changes in bozohttpd 20210504:
 	o  don't assume host BUFSIZ is sufficent.  small BUFSIZ leads to

Index: src/libexec/httpd/bozohttpd.8
diff -u src/libexec/httpd/bozohttpd.8:1.88 src/libexec/httpd/bozohttpd.8:1.89
--- src/libexec/httpd/bozohttpd.8:1.88	Sun Feb 28 05:19:52 2021
+++ src/libexec/httpd/bozohttpd.8	Tue Aug 24 09:47:36 2021
@@ -1,4 +1,4 @@
-.\"	$NetBSD: bozohttpd.8,v 1.88 2021/02/28 05:19:52 mrg Exp $
+.\"	$NetBSD: bozohttpd.8,v 1.89 2021/08/24 09:47:36 mrg Exp $
 .\"
 .\"	$eterna: bozohttpd.8,v 1.101 2011/11/18 01:25:11 mrg Exp $
 .\"
@@ -26,7 +26,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd February 27, 2021
+.Dd August 24, 2021
 .Dt BOZOHTTPD 8
 .Os
 .Sh NAME
@@ -39,6 +39,7 @@
 .Op Fl I Ar port
 .Op Fl L Ar prefix script
 .Op Fl M Ar suffix type encoding encoding11
+.Op Fl m Ar version
 .Op Fl P Ar pidfile
 .Op Fl R Ar readme
 .Op Fl S Ar version
@@ -221,6 +222,18 @@ the empty string is used instead.
 Multiple
 .Fl M
 options may be passed.
+.It Fl m Ar version
+Set the minimum supported SSL protocol
+.Ar version .
+The valid values of
+.Ar version
+are
+.Dq TLSv1.1 ,
+.Dq TLSv1.2 ,
+and
+.Dq TLSv1.3 .
+The default version is
+.Dq TLSv1.1 .
 .It Fl n
 Stops
 .Nm
@@ -646,7 +659,7 @@ The focus has always been simplicity and
 and regular code audits.
 This manual documents
 .Nm
-version 20210227.
+version 20210824.
 .Sh AUTHORS
 .An -nosplit
 .Nm
@@ -769,6 +782,10 @@ option (pidfile support) and provided so
 provided many various fixes, including cgi-bin fixes and enhancements,
 HTTP basic authorization support and much code clean up
 .It
+.An Sunil Nimmagadda
+.Aq Mt su...@nimmagadda.net
+provided runtime TLS version control
+.It
 .An Rajeev V. Pillai
 .Aq Mt rajeev_v_pil...@yahoo.com
 provided several fixes for virtual hosting and directory indexing and
@@ -819,7 +836,6 @@ provided http authorization fixes
 .It
 .Aq Mt x...@kittenz.org
 provided chroot and change-to-user support, and other various fixes
-
 .It
 .An S.P.Zeidler
 .Aq Mt s...@netbsd.org

Index: src/libexec/httpd/bozohttpd.c
diff -u src/libexec/httpd/bozohttpd.c:1.135 src/libexec/httpd/bozohttpd.c:1.136
--- src/libexec/httpd/bozohttpd.c:1.135	Tue Aug 24 05:39:39 2021
+++ src/libexec/httpd/bozohttpd.c	Tue Aug 24 09:47:36 2021
@@ -1,4 +1,4 @@
-/*	$NetBSD: bozohttpd.c,v 1.135 2021/08/24 05:39:39 mrg Exp $	*/
+/*	$NetBSD: bozohttpd.c,v 1.136 2021/08/24 09:47:36 mrg Exp $	*/
 
 /*	$eterna: bozohttpd.c,v 1.178 2011/11/18 09:21:15 mrg Exp $	*/
 
@@ -108,7 +108,7 @@
 #define INDEX_HTML		"index.html"
 #endif
 #ifndef SERVER_SOFTWARE
-#define SERVER_SOFTWARE		"bozohttpd/20210504"
+#define SERVER_SOFTWARE		"bozohttpd/20210824"
 #endif
 #ifndef PUBLIC_HTML
 #define PUBLIC_HTML		"public_html"

Index: src/libexec/httpd/bozohttpd.h
diff -u src/libexec/httpd/bozohttpd.h:1.69 src/libexec/httpd/bozohttpd.h:1.70
--- src/libexec/httpd/bozohttpd.h:1.69	Wed May  5 07:41:48 2021
+++ src/libexec/httpd/bozohttpd.h	Tue Aug 24 09:47:36 2021
@@ -1,4 +1,4 @@
-/*	$NetBSD: bozohttpd.h,v 1.69 2021/05/05 07:41:48 mrg Exp $	*/
+/*	$NetBSD: bozohttpd.h,v 1.70 2021/08/24 09:47:36 mrg Exp $	*/
 
 /*	$eterna: bozohttpd.h,v 1.39 2011/11/18 09:21:15 mrg Exp $	*/
 
@@ -130,6 +130,7 @@ typedef struct bozohttpd_t {
 	unsigned	initial_timeout;/* first line timeout */
 	unsigned	header_timeout;	/* header lines timeout */
 	unsigned	request_timeout;/* total session timeout */
+	char		*ssl_min_proto;	/* minimum ssl protocol level */
 #ifndef NO_LUA_SUPPORT
 	int		 process_lua;	/* use the Lua handler */
 	SIMPLEQ_HEAD(, lua_state_map)	lua_states;
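Review bot: The new `ssl_min_proto` field comment says only "minimum ssl protocol level", which does not tell a reader how the string is owned or what NULL means; the main.c hunk in this commit assigns `optarg` to it directly, so it aliases argv rather than holding a copy, and the ssl-bozo.c hunk treats NULL as "use the default". Suggest `char *ssl_min_proto; /* -m name, points into argv; NULL = default */` so nobody adds a free() for it later. The enclosing `bozohttpd_t` struct starts and ends outside this hunk.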

Index: src/libexec/httpd/main.c
diff -u src/libexec/httpd/main.c:1.28 src/libexec/httpd/main.c:1.29
--- src/libexec/httpd/main.c:1.28	Tue Aug 24 05:29:27 2021
+++ src/libexec/httpd/main.c	Tue Aug 24 09:47:36 2021
@@ -1,4 +1,4 @@
-/*	$NetBSD: main.c,v 1.28 2021/08/24 05:29:27 mrg Exp $	*/
+/*	$NetBSD: main.c,v 1.29 2021/08/24 09:47:36 mrg Exp $	*/
 
 /*	$eterna: main.c,v 1.6 2011/11/18 09:21:15 mrg Exp $	*/
 /* from: eterna: bozohttpd.c,v 1.159 2009/05/23 02:14:30 mrg Exp 	*/
@@ -164,7 +164,7 @@ main(int argc, char **argv)
 	 */
 
 	while ((c = getopt(argc, argv,
-	    "C:EGHI:L:M:P:R:S:T:U:VXZ:bc:defhi:np:st:uv:x:z:")) != -1) {
+	    "C:EGHI:L:M:m:P:R:S:T:U:VXZ:bc:defhi:np:st:uv:x:z:")) != -1) {
 		switch (c) {
 
 		case 'b':
@@ -282,6 +282,15 @@ main(int argc, char **argv)
 			optind += 3;
 			break;
 
+		case 'm':
+			if (!have_ssl)
+				goto no_ssl;
+
+			httpd.ssl_min_proto = optarg;
+			debug((&httpd, DEBUG_NORMAL,
+			    "using minimum protocol version: %s", optarg));
+			break;
+
 		case 'n':
 			bozo_set_pref(&httpd, &prefs, "numeric", "true");
 			break;
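Review bot: The `-m` value is stored in `httpd.ssl_min_proto` without being validated, and the lookup that later consumes it (`bozo_ssl_proto()` in the ssl-bozo.c hunk of this commit) maps an unrecognised name to the table default instead of failing, so a mistyped `-m tlsv1.4` silently runs the server with a different minimum version than the operator intended. Either reject unknown names here, after `httpd.ssl_min_proto = optarg;`, through a small exported check in ssl-bozo.c, or have `bozo_ssl_proto()` return 0 for unknown names and let `bozo_ssl_init()` exit with an error that echoes the operator's string. The `no_ssl` label this case jumps to is outside the hunk, so its behaviour is assumed to match the other SSL-only options.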

Index: src/libexec/httpd/ssl-bozo.c
diff -u src/libexec/httpd/ssl-bozo.c:1.29 src/libexec/httpd/ssl-bozo.c:1.30
--- src/libexec/httpd/ssl-bozo.c:1.29	Thu Oct 15 04:21:53 2020
+++ src/libexec/httpd/ssl-bozo.c	Tue Aug 24 09:47:36 2021
@@ -1,4 +1,4 @@
-/*	$NetBSD: ssl-bozo.c,v 1.29 2020/10/15 04:21:53 mrg Exp $	*/
+/*	$NetBSD: ssl-bozo.c,v 1.30 2021/08/24 09:47:36 mrg Exp $	*/
 
 /*	$eterna: ssl-bozo.c,v 1.15 2011/11/18 09:21:15 mrg Exp $	*/
 
@@ -61,13 +61,6 @@
 	"!KRB5-DES-CBC3-SHA"
 #endif
 
-#ifndef BOZO_SSL_OPTIONS
-#define BOZO_SSL_OPTIONS					\
-	((long)(SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1))
-#endif
-
-  /* this structure encapsulates the ssl info */
-
 /* this structure encapsulates the ssl info */
 typedef struct sslinfo_t {
 	SSL_CTX			*ssl_context;
@@ -78,6 +71,40 @@ typedef struct sslinfo_t {
 	char			*ciphers;
 } sslinfo_t;
 
+/* Default to TLS 1.3. */
+struct {
+	unsigned	proto;
+	const char	*name;
+} protos[] = {
+	{ TLS1_3_VERSION, "TLSv1.3" },
+	{ TLS1_2_VERSION, "TLSv1.2" },
+	{ TLS1_1_VERSION, "TLSv1.1" },
+	{ 0, NULL },
+};
+
+static int
+bozo_ssl_proto(const char *name)
+{
+	unsigned i;
+
+	if (name)
+		for (i = 0; protos[0].proto != 0; i++)
+			if (strcasecmp(name, protos[i].name) == 0)
+				return protos[i].proto;
+	return protos[0].proto;
+}
+
+static const char *
+bozo_ssl_name(unsigned version)
+{
+	unsigned i;
+
+	for (i = 0; protos[0].proto != 0; i++)
+		if (version == protos[i].proto)
+			return protos[i].name;
+	return protos[0].name;
+}
+
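Review bot: Both lookup loops test `protos[0].proto != 0` instead of `protos[i].proto != 0` (the `for` headers in `bozo_ssl_proto` and `bozo_ssl_name`), so the condition is always true and any name or version that matches no entry runs past the `{ 0, NULL }` terminator; in `bozo_ssl_proto` that means `strcasecmp(name, NULL)` before the out-of-bounds read, i.e. a crash from an unexpected `-m` string. Change both headers to `for (i = 0; protos[i].proto != 0; i++)`. The table is never written, so `static const struct { ... } protos[]` is appropriate, and the `/* Default to TLS 1.3. */` comment plus `protos[0]` being `TLS1_3_VERSION` contradicts bozohttpd.8 and CHANGES in this same commit, which document TLSv1.1 as the default; the removed `BOZO_SSL_OPTIONS` only disabled SSLv2, SSLv3 and TLSv1, so reordering the table to put TLSv1.1 first keeps the previous behaviour and matches the documentation.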
 /*
  * bozo_clear_ssl_queue:  print the contents of the SSL error queue
  */
@@ -208,7 +235,7 @@ void
 bozo_ssl_init(bozohttpd_t *httpd)
 {
 	sslinfo_t *sslinfo = httpd->sslinfo;
-	long options;
+	int proto;
 
 	if (sslinfo == NULL || !sslinfo->certificate_file)
 		return;
@@ -222,12 +249,12 @@ bozo_ssl_init(bozohttpd_t *httpd)
 		bozo_ssl_err(httpd, EXIT_FAILURE,
 		    "SSL context creation failed");
 
-	options = SSL_CTX_set_options(sslinfo->ssl_context,
-	    BOZO_SSL_OPTIONS);
-	if ((options & BOZO_SSL_OPTIONS) != BOZO_SSL_OPTIONS)
+	proto = bozo_ssl_proto(httpd->ssl_min_proto);
+
+	if (!SSL_CTX_set_min_proto_version(sslinfo->ssl_context, proto))
 		bozo_ssl_err(httpd, EXIT_FAILURE,
-		    "Error setting ssl options requested %#lx, got %#lx",
-		    BOZO_SSL_OPTIONS, options);
+		    "Error setting minimum protocol version '%s'",
+		    bozo_ssl_name(proto));
 
 	if (!SSL_CTX_set_cipher_list(sslinfo->ssl_context,
 	    sslinfo->ciphers ? sslinfo->ciphers : BOZO_SSL_CIPHERS))
