The Open vSwitch SSL code was inadvertently enabling only TLSv1, not later versions. This commit should fix it.
Signed-off-by: Ben Pfaff <b...@nicira.com> Reported-by: Abhinav Singhal <abhinav.sing...@spirent.com> --- AUTHORS | 1 + lib/stream-ssl.c | 14 +++++++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/AUTHORS b/AUTHORS index c03c705..95e074a 100644 --- a/AUTHORS +++ b/AUTHORS @@ -143,6 +143,7 @@ The following additional people are mentioned in commit logs as having provided helpful bug reports or suggestions. Aaron M. Ucko u...@debian.org +Abhinav Singhal abhinav.sing...@spirent.com Adam Heath doo...@brainfood.com Ahmed Bilal numan...@gmail.com Alan Shieh ash...@nicira.com diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index 3f753d1..7e58536 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -980,9 +980,17 @@ do_ssl_init(void) RAND_seed(seed, sizeof seed); } - /* New OpenSSL changed TLSv1_method() to return a "const" pointer, so the - * cast is needed to avoid a warning with those newer versions. */ - method = CONST_CAST(SSL_METHOD *, TLSv1_method()); + /* OpenSSL has a bunch of "connection methods": SSLv2_method(), + * SSLv3_method(), TLSv1_method(), SSLv23_method(), ... Most of these + * support exactly one version of SSL, e.g. TLSv1_method() supports TLSv1 + * only, not any earlier *or later* version. The only exception is + * SSLv23_method(), which in fact supports *any* version of SSL and TLS. + * We don't want SSLv2 or SSLv3 support, so we turn it off below with + * SSL_CTX_set_options(). + * + * The cast is needed to avoid a warning with newer versions of OpenSSL in + * which SSLv23_method() returns a "const" pointer. */ + method = CONST_CAST(SSL_METHOD *, SSLv23_method()); if (method == NULL) { VLOG_ERR("TLSv1_method: %s", ERR_error_string(ERR_get_error(), NULL)); return ENOPROTOOPT; -- 1.7.10.4 _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
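Review bot: the error path in the unchanged context right after the new `method = CONST_CAST(SSL_METHOD *, SSLv23_method());` still reads `VLOG_ERR("TLSv1_method: %s", ERR_error_string(ERR_get_error(), NULL));`, so a failure would now be logged under the wrong function name; change the string to "SSLv23_method: %s" in the same commit. Also, the new comment says SSLv2 and SSLv3 are turned off "below with SSL_CTX_set_options()", but no such call appears in this hunk, and the hunk accounts for all 11 insertions to lib/stream-ssl.c in the diffstat, so nothing in this patch adds it; please confirm the existing code already sets those options, because SSLv23_method() by itself lets the context negotiate any SSL/TLS version the library supports, which is a weaker position than the TLSv1-only method being replaced.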