File decd3c6b9.patch of Package sblim-sfcb.6700
commit decd3c6b996ed5f10b5cb4ac1b23f37c36cd00cb
Author: Dave Heller <hellerda@us.ibm.com>
Date:   Sun Dec 21 14:26:53 2014 -0500

    [sfcb-tix:#110] Allow older SSL protocols to be disabled

    BUG: bsc923349

diff --git a/control.c b/control.c
index ed0e5df..95ca246 100644
--- a/control.c
+++ b/control.c
@@ -175,6 +175,8 @@ static Control init[] = {
   {"sslCiphers", CTL_STRING, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH", {0}},
   {"sslDhParamsFilePath", CTL_STRING, NULL, {0}},
   {"sslEcDhCurveName", CTL_STRING, "secp224r1", {0}},
+  {"sslNoSSLv3", CTL_BOOL, NULL, {.b=0}},
+  {"sslNoTLSv1", CTL_BOOL, NULL, {.b=0}},
   {"enableSslCipherServerPref", CTL_BOOL, NULL, {.b=0}},
   {"registrationDir", CTL_STRING, SFCB_STATEDIR "/registration", {0}},
diff --git a/httpAdapter.c b/httpAdapter.c
index 2719e6c..67b6860 100644
--- a/httpAdapter.c
+++ b/httpAdapter.c
@@ -2039,7 +2039,7 @@ initSSL()
                  *fdhp,
                  *sslCiphers;
   int             rc,
-                  escsp;
+                  sslopt;
   if (ctx)
     SSL_CTX_free(ctx);
@@ -2087,14 +2087,21 @@ initSSL()
   /*
    * Set options
    */
-  SSL_CTX_set_options(ctx, SSL_OP_ALL |
-                      SSL_OP_NO_SSLv2 |
-                      SSL_OP_SINGLE_DH_USE);
+  long options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2;
 
-  if (!getControlBool("enableSslCipherServerPref", &escsp) && escsp) {
+  if (!getControlBool("sslNoSSLv3", &sslopt) && sslopt)
+    options |= SSL_OP_NO_SSLv3;
+  if (!getControlBool("sslNoTLSv1", &sslopt) && sslopt)
+    options |= SSL_OP_NO_TLSv1;
+  _SFCB_TRACE(1, ("--- sslNoSSLv3=%s, sslNoTLSv1=%s",
+                  (options & SSL_OP_NO_SSLv3 ? "true" : "false"),
+                  (options & SSL_OP_NO_TLSv1 ? "true" : "false")));
+
+  if (!getControlBool("enableSslCipherServerPref", &sslopt) && sslopt) {
     _SFCB_TRACE(1, ("--- enableSslCipherServerPref = true"));
-    SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+    options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
   }
+  SSL_CTX_set_options(ctx, options);
   /*
    * Set valid ciphers
diff --git a/sfcb.cfg.pre.in b/sfcb.cfg.pre.in
index 77a2155..fdcfb2e 100644
--- a/sfcb.cfg.pre.in
+++ b/sfcb.cfg.pre.in
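Review bot: With both new controls defaulting to false (the `{.b=0}` entries in the control.c hunk and the commented-out `#sslNoSSLv3: false` / `#sslNoTLSv1: false` in sfcb.cfg.pre.in), the `options` value assembled in the second httpAdapter.c hunk still leaves SSLv3 and TLS 1.0 enabled unless an administrator opts in, so an installation that never edits its config gains nothing from this change. Given when this was written, disabling SSLv3 by default is worth considering: `{"sslNoSSLv3", CTL_BOOL, NULL, {.b=1}},` in control.c, with the template's "Default is false for both" comment updated to match. The hunk also offers no way to turn off TLS 1.1 (`SSL_OP_NO_TLSv1_1`, where the OpenSSL build defines it), so a deployment that wants TLS 1.2 only still cannot get there; a third control in the same `getControlBool` pattern would close that gap. One style nit: `long options` is a mid-block declaration in a function whose other locals (`rc`, `sslopt`) sit in the top-of-block declaration list shown in the first hunk, so moving it up there keeps initSSL consistent with itself. initSSL begins before the first hunk and continues past the second.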
@@ -288,6 +288,13 @@ certificateAuthLib: sfcCertificateAuthentication
 ## weak ciphers.
 sslCiphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
+## When set to true, disable the indicated SSL/TLS protocol. This sets
+## the corresponding openssl option SSL_OP_NO_SSLv3 or SSL_OP_NO_TLSv1.
+## See man SSL_CTX_set_options(3) for details.
+## Default is false for both
+#sslNoSSLv3: false
+#sslNoTLSv1: false
+
 ## Optionally configure a DH parameters file for ephemeral key generation.
 ## See man SSL_CTX_set_tmp_dh_callback(3) for details. The value should be
 ## the full path to the file. Note that ephemeral key generation will still