On Sun, Aug 26, 2012 at 11:50:15AM +0900, Hiroshi Miura wrote: > > Windows 7 disables TLSv1.1/1.2 by default. > This patch intend to behave same as Windows.
Please do not... The newer TLSv1.x fix some shortcomings of the older TLS versions. Is there a specific problem you see? Otherwise, I object. Ciao, MArcus > Signed-off-by: Hiroshi Miura <miur...@linux.com> > --- > dlls/winhttp/net.c | 74 > ++++++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 74 insertions(+) > > > > diff --git a/dlls/winhttp/net.c b/dlls/winhttp/net.c > index 5ec4e1a..03cf9b7 100644 > --- a/dlls/winhttp/net.c > +++ b/dlls/winhttp/net.c > @@ -52,6 +52,7 @@ > #include "winbase.h" > #include "winhttp.h" > #include "wincrypt.h" > +#include "winreg.h" > > #include "winhttp_private.h" > > @@ -109,8 +110,10 @@ MAKE_FUNCPTR( SSL_load_error_strings ); > MAKE_FUNCPTR( SSLv23_method ); > MAKE_FUNCPTR( SSL_CTX_free ); > MAKE_FUNCPTR( SSL_CTX_new ); > +MAKE_FUNCPTR( SSL_CTX_ctrl ); > MAKE_FUNCPTR( SSL_new ); > MAKE_FUNCPTR( SSL_free ); > +MAKE_FUNCPTR( SSL_ctrl ); > MAKE_FUNCPTR( SSL_set_fd ); > MAKE_FUNCPTR( SSL_connect ); > MAKE_FUNCPTR( SSL_shutdown ); > @@ -408,12 +411,66 @@ static int netconn_secure_verify( int preverify_ok, > X509_STORE_CTX *ctx ) > } > return ret; > } > + > +static long get_tls_option(void) { > + long tls_option; > + DWORD type, val, size; > + HKEY hkey,tls12_client,tls11_client; > + LONG res; > + const WCHAR Schannel_Prot[] = { /* > SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCANNEL\\Protocols */ > + 'S','Y','S','T','E','M','\\', > + > 'C','u','r','r','e','n','t','C','o','n','t','r','o','l','S','e','t','\\', > + 'C','o','n','t','r','o','l','\\', > + > 'S','e','c','u','r','i','t','y','P','r','o','v','i','d','e','r','s','\\', > + 'S','C','H','A','N','N','E','L','\\', > + 'P','r','o','t','o','c','o','l','s',0 }; > + const WCHAR TLS12_Client[] = {'T','L','S',' > ','1','.','2','\\','C','l','i','e','n','t',0}; > + const WCHAR TLS11_Client[] = {'T','L','S',' > ','1','.','1','\\','C','l','i','e','n','t',0}; > + const WCHAR DisabledByDefault[] = > {'D','i','s','a','b','l','e','d','B','y','D','e','f','a','u','l','t',0}; > + > + tls_option = SSL_OP_NO_SSLv2; /* disable SSLv2 for security reason, and > secur32/Schannel(GnuTLS) don't support it */ > + res = RegOpenKeyExW(HKEY_LOCAL_MACHINE, > + Schannel_Prot, > + 0, KEY_READ, &hkey); > + if (res != ERROR_SUCCESS) { > + tls_option |= SSL_OP_NO_TLSv1_2; > + tls_option |= SSL_OP_NO_TLSv1_1; > + goto end; > + } > + if (RegOpenKeyExW(hkey, TLS12_Client, 0, KEY_READ, &tls12_client) == > ERROR_SUCCESS) { > + size = sizeof(DWORD); > + if (RegQueryValueExW(tls12_client, DisabledByDefault, NULL, &type, > (LPBYTE) &val, &size) || type != REG_DWORD) { > + tls_option |= SSL_OP_NO_TLSv1_2; > + } else { > + tls_option |= val?SSL_OP_NO_TLSv1_2:0; > + } > + RegCloseKey(tls12_client); > + } else { > + tls_option |= SSL_OP_NO_TLSv1_2; > + } > + if (RegOpenKeyExW(hkey, TLS11_Client, 0, KEY_READ, &tls11_client) == > ERROR_SUCCESS) { > + size = sizeof(DWORD); > + if (RegQueryValueExW(tls11_client, DisabledByDefault, NULL, &type, > (LPBYTE) &val, &size) || type != REG_DWORD) { > + tls_option |= SSL_OP_NO_TLSv1_1; > + } else { > + tls_option |= val?SSL_OP_NO_TLSv1_1:0; > + } > + RegCloseKey(tls11_client); > + } else { > + tls_option |= SSL_OP_NO_TLSv1_1; > + } > + RegCloseKey(hkey); > + > +end: > + return tls_option; > +} > #endif > > BOOL netconn_init( netconn_t *conn, BOOL secure ) > { > #if defined(SONAME_LIBSSL) && defined(SONAME_LIBCRYPTO) > int i; > + long tls_option; > #endif > > conn->socket = -1; > @@ -453,8 +510,10 @@ BOOL netconn_init( netconn_t *conn, BOOL secure ) > LOAD_FUNCPTR( SSLv23_method ); > LOAD_FUNCPTR( SSL_CTX_free ); > LOAD_FUNCPTR( SSL_CTX_new ); > + LOAD_FUNCPTR (SSL_CTX_ctrl); > LOAD_FUNCPTR( SSL_new ); > LOAD_FUNCPTR( SSL_free ); > + LOAD_FUNCPTR( SSL_ctrl ); > LOAD_FUNCPTR( SSL_set_fd ); > LOAD_FUNCPTR( SSL_connect ); > LOAD_FUNCPTR( SSL_shutdown ); > @@ -494,11 +553,20 @@ BOOL netconn_init( netconn_t *conn, BOOL secure ) > LOAD_FUNCPTR( sk_num ); > #undef LOAD_FUNCPTR > > +#define pSSL_CTX_set_options(ctx,op) \ > + pSSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL) > +#define pSSL_set_options(ssl,op) \ > + pSSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL) > + > pSSL_library_init(); > pSSL_load_error_strings(); > > method = pSSLv23_method(); > ctx = pSSL_CTX_new( method ); > + > + tls_option = get_tls_option(); > + pSSL_CTX_set_options(ctx, tls_option); > + > if (!pSSL_CTX_set_default_verify_paths( ctx )) > { > ERR("SSL_CTX_set_default_verify_paths failed: %s\n", > pERR_error_string( pERR_get_error(), 0 )); > @@ -676,12 +744,18 @@ BOOL netconn_connect( netconn_t *conn, const struct > sockaddr *sockaddr, unsigned > BOOL netconn_secure_connect( netconn_t *conn, WCHAR *hostname ) > { > #ifdef SONAME_LIBSSL > + long tls_option; > + > if (!(conn->ssl_conn = pSSL_new( ctx ))) > { > ERR("SSL_new failed: %s\n", pERR_error_string( pERR_get_error(), 0 > )); > set_last_error( ERROR_OUTOFMEMORY ); > goto fail; > } > + > + tls_option = get_tls_option(); > + pSSL_set_options(conn->ssl_conn, tls_option); > + > if (!pSSL_set_ex_data( conn->ssl_conn, hostname_idx, hostname )) > { > ERR("SSL_set_ex_data failed: %s\n", pERR_error_string( > pERR_get_error(), 0 )); > > >