File no_tlsv1_config.patch of Package sblim-sfcb

Overview Repositories Revisions Requests Users Attributes Meta

File no_tlsv1_config.patch of Package sblim-sfcb

Index: sblim-sfcb-1.4.9/control.c
===================================================================
--- sblim-sfcb-1.4.9.orig/control.c
+++ sblim-sfcb-1.4.9/control.c
@@ -175,6 +175,9 @@ static Control init[] = {
   {"sslCiphers", CTL_STRING, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH", {0}},
   {"sslDhParamsFilePath", CTL_STRING, NULL, {0}},
   {"sslEcDhCurveName", CTL_STRING, "secp224r1", {0}},
+  {"sslNoSSLv3", CTL_BOOL, NULL, {.b=0}},
+  {"sslNoTLSv1", CTL_BOOL, NULL, {.b=0}},
+  {"sslNoTLSv1_1", CTL_BOOL, NULL, {.b=0}},
   {"enableSslCipherServerPref", CTL_BOOL, NULL, {.b=0}},
 
   {"registrationDir", CTL_STRING, SFCB_STATEDIR "/registration", {0}},
Index: sblim-sfcb-1.4.9/httpAdapter.c
===================================================================
--- sblim-sfcb-1.4.9.orig/httpAdapter.c
+++ sblim-sfcb-1.4.9/httpAdapter.c
@@ -2039,7 +2039,7 @@ initSSL()
                  *fdhp,
                  *sslCiphers;
   int             rc,
-                  escsp;
+                  sslopt;
 
   if (ctx)
     SSL_CTX_free(ctx);
@@ -2087,14 +2087,24 @@ initSSL()
   /*
    * Set options
    */
-  SSL_CTX_set_options(ctx, SSL_OP_ALL | 
-                           SSL_OP_NO_SSLv2 |
-                           SSL_OP_SINGLE_DH_USE);
+  long options = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2;
 
-  if (!getControlBool("enableSslCipherServerPref", &escsp) && escsp) {
+  if (!getControlBool("sslNoSSLv3", &sslopt) && sslopt)
+    options |= SSL_OP_NO_SSLv3;
+  if (!getControlBool("sslNoTLSv1", &sslopt) && sslopt)
+    options |= SSL_OP_NO_TLSv1;
+  if (!getControlBool("sslNoTLSv1_1", &sslopt) && sslopt)
+    options |= SSL_OP_NO_TLSv1_1;
+  _SFCB_TRACE(1, ("---  sslNoSSLv3=%s, sslNoTLSv1=%s, sslNoTLSv1_1=%s",
+      (options & SSL_OP_NO_SSLv3 ? "true" : "false"),
+      (options & SSL_OP_NO_TLSv1 ? "true" : "false"),
+      (options & SSL_OP_NO_TLSv1_1 ? "true" : "false")));
+
+  if (!getControlBool("enableSslCipherServerPref", &sslopt) && sslopt) {
     _SFCB_TRACE(1, ("---  enableSslCipherServerPref = true"));
-    SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+    options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
   }
+  SSL_CTX_set_options(ctx, options);
 
   /*
    * Set valid ciphers
Index: sblim-sfcb-1.4.9/sfcb.cfg.pre.in
===================================================================
--- sblim-sfcb-1.4.9.orig/sfcb.cfg.pre.in
+++ sblim-sfcb-1.4.9/sfcb.cfg.pre.in
@@ -288,6 +288,14 @@ certificateAuthLib:   sfcCertificateAuth
 ##      weak ciphers.
 sslCiphers: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
 
+## When set to true, disable the indicated SSL/TLS protocol. This sets
+## the corresponding openssl option SSL_OP_NO_SSLv3 or SSL_OP_NO_TLSv1.
+## See man SSL_CTX_set_options(3) for details.
+## Default is false for both
+#sslNoSSLv3: false
+#sslNoTLSv1: false
+#sslNoTLSv1_1: false
+
 ## Optionally configure a DH parameters file for ephemeral key generation.
 ## See man SSL_CTX_set_tmp_dh_callback(3) for details. The value should be
 ## the full path to the file. Note that ephemeral key generation will still

Places

File no_tlsv1_config.patch of Package sblim-sfcb

Places