From 23ddb6dd73485dac035bd60e5aa3aa4f8f9a5128 Mon Sep 17 00:00:00 2001
From: Emmanuel Hocdet <manu@gandi.net>
Date: Mon, 15 May 2017 15:53:41 +0200
Subject: [PATCH 1/1] MEDIUM: ssl: disable SSLv3 per default for bind

For security, disabling SSLv3 on the bind line must be the default configuration.
SSLv3 can be enabled with "ssl-min-ver SSLv3".
---
 doc/configuration.txt |  3 ++-
 src/ssl_sock.c        | 14 +++++++++-----
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 95c4a47..368c842 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -10632,7 +10632,8 @@ ssl
   enables SSL deciphering on connections instantiated from this listener. A
   certificate is necessary (see "crt" above). All contents in the buffers will
   appear in clear text, so that ACLs and HTTP processing will only have access
-  to deciphered contents.
+  to deciphered contents. SSLv3 is disabled per default, use "ssl-min-ver SSLv3"
+  to enable it.
 
 ssl-max-ver [ SSLv3 | TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3 ]
   This option enforces use of <version> or lower on SSL connections instantiated
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index e4d9e9b..5f95cab 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3381,12 +3381,16 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
 	else
 		flags = conf_ssl_methods->flags;
 
+	min = conf_ssl_methods->min;
+	max = conf_ssl_methods->max;
+	/* start with TLSv10 to remove SSLv3 per default */
+	if (!min && (!max || max >= CONF_TLSV10))
+		min = CONF_TLSV10;
 	/* Real min and max should be determinate with configuration and openssl's capabilities */
-	if (conf_ssl_methods->min)
-		flags |= (methodVersions[conf_ssl_methods->min].flag - 1);
-	if (conf_ssl_methods->max)
-		flags |= ~((methodVersions[conf_ssl_methods->max].flag << 1) - 1);
-
+	if (min)
+		flags |= (methodVersions[min].flag - 1);
+	if (max)
+		flags |= ~((methodVersions[max].flag << 1) - 1);
 	/* find min, max and holes */
 	min = max = CONF_TLSV_NONE;
 	hole = 0;
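Review bot: The new default at L38-39 only raises the floor to TLSv1.0 when no `ssl-max-ver` is set or the cap is at least TLSv1.0, so a bind line with just `ssl-max-ver SSLv3` keeps SSLv3 enabled without ever stating `ssl-min-ver SSLv3`; that is presumably deliberate (a forced min above max would leave no protocol), but neither the comment nor the doc change in this patch says so, and the `max >= CONF_TLSV10` comparison also silently assumes the CONF_* constants are ordered by protocol version. Suggest replacing the comment on L37 with `/* Default the floor to TLSv1.0 so SSLv3 is off unless the config sets a minimum, or caps the maximum below TLSv1.0 (relies on CONF_* being ordered by version) */`, and extending the configuration.txt sentence to mention that an `ssl-max-ver` below TLSv1.0 also enables it. The enclosing function ssl_sock_initial_ctx starts and ends outside the hunk.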
-- 
2.1.4

