On Thu, Jun 12, 2014 at 4:07 PM, Ben Pfaff <b...@nicira.com> wrote:
> The Open vSwitch SSL code was inadvertently enabling only TLSv1, not
> later versions. This commit should fix it.
>
> Signed-off-by: Ben Pfaff <b...@nicira.com>
> Reported-by: Abhinav Singhal <abhinav.sing...@spirent.com>
Based on https://www.openssl.org/docs/ssl/SSL_CTX_new.html
and http://www.postgresql.org/message-id/20131203213049.ga8...@gmail.com
Acked-by: Gurucharan Shetty <gshe...@nicira.com>
> ---
> AUTHORS | 1 +
> lib/stream-ssl.c | 14 +++++++++++---
> 2 files changed, 12 insertions(+), 3 deletions(-)
>
> diff --git a/AUTHORS b/AUTHORS
> index c03c705..95e074a 100644
> --- a/AUTHORS
> +++ b/AUTHORS
> @@ -143,6 +143,7 @@ The following additional people are mentioned in commit
> logs as having
> provided helpful bug reports or suggestions.
>
> Aaron M. Ucko u...@debian.org
> +Abhinav Singhal abhinav.sing...@spirent.com
> Adam Heath doo...@brainfood.com
> Ahmed Bilal numan...@gmail.com
> Alan Shieh ash...@nicira.com
> diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
> index 3f753d1..7e58536 100644
> --- a/lib/stream-ssl.c
> +++ b/lib/stream-ssl.c
> @@ -980,9 +980,17 @@ do_ssl_init(void)
> RAND_seed(seed, sizeof seed);
> }
>
> - /* New OpenSSL changed TLSv1_method() to return a "const" pointer, so the
> - * cast is needed to avoid a warning with those newer versions. */
> - method = CONST_CAST(SSL_METHOD *, TLSv1_method());
> + /* OpenSSL has a bunch of "connection methods": SSLv2_method(),
> + * SSLv3_method(), TLSv1_method(), SSLv23_method(), ... Most of these
> + * support exactly one version of SSL, e.g. TLSv1_method() supports TLSv1
> + * only, not any earlier *or later* version. The only exception is
> + * SSLv23_method(), which in fact supports *any* version of SSL and TLS.
> + * We don't want SSLv2 or SSLv3 support, so we turn it off below with
> + * SSL_CTX_set_options().
> + *
> + * The cast is needed to avoid a warning with newer versions of OpenSSL
> in
> + * which SSLv23_method() returns a "const" pointer. */
> + method = CONST_CAST(SSL_METHOD *, SSLv23_method());
> if (method == NULL) {
> VLOG_ERR("TLSv1_method: %s", ERR_error_string(ERR_get_error(),
> NULL));
> return ENOPROTOOPT;
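Review bot: the error path still logs "TLSv1_method: %s" although the call two lines above it is now SSLv23_method(); change the format string to "SSLv23_method: %s" so a failure in the log points at the function that actually failed. Also, the new comment promises that SSLv2 and SSLv3 are turned off "below with SSL_CTX_set_options()", but that call is outside this hunk, so it is worth confirming that SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 are set on the context in this same commit; switching from TLSv1_method() to SSLv23_method() without them widens the accepted protocol range to include SSLv3 rather than just adding the newer TLS versions.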
> --
> 1.7.10.4
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev