Author: des
Date: Sat Feb 20 13:36:24 2016
New Revision: 295840
URL: https://svnweb.freebsd.org/changeset/base/295840
Log:
MFH (r273114, r273124): turn SSLv3 off by default
MFH (r294326): fall back to standard / configured CA store
MFH (r295536): fix double-free when SSL connection fails
PR: 193871 206774
Modified:
stable/9/lib/libfetch/common.c
stable/9/lib/libfetch/fetch.3
stable/9/lib/libfetch/http.c
Directory Properties:
stable/9/ (props changed)
stable/9/lib/ (props changed)
stable/9/lib/libfetch/ (props changed)
stable/9/usr.bin/ (props changed)
stable/9/usr.bin/fetch/ (props changed)
Modified: stable/9/lib/libfetch/common.c
==============================================================================
--- stable/9/lib/libfetch/common.c Sat Feb 20 13:21:59 2016
(r295839)
+++ stable/9/lib/libfetch/common.c Sat Feb 20 13:36:24 2016
(r295840)
@@ -674,7 +674,7 @@ fetch_ssl_setup_transport_layer(SSL_CTX
long ssl_ctx_options;
ssl_ctx_options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_TICKET;
- if (getenv("SSL_NO_SSL3") != NULL)
+ if (getenv("SSL_ALLOW_SSL3") == NULL)
ssl_ctx_options |= SSL_OP_NO_SSLv3;
if (getenv("SSL_NO_TLS1") != NULL)
ssl_ctx_options |= SSL_OP_NO_TLSv1;
@@ -701,7 +701,8 @@ fetch_ssl_setup_peer_verification(SSL_CT
if (ca_cert_file == NULL &&
access(LOCAL_CERT_FILE, R_OK) == 0)
ca_cert_file = LOCAL_CERT_FILE;
- if (ca_cert_file == NULL)
+ if (ca_cert_file == NULL &&
+ access(BASE_CERT_FILE, R_OK) == 0)
ca_cert_file = BASE_CERT_FILE;
ca_cert_path = getenv("SSL_CA_CERT_PATH");
if (verbose) {
@@ -712,11 +713,17 @@ fetch_ssl_setup_peer_verification(SSL_CT
if (ca_cert_path != NULL)
fetch_info("Using CA cert path: %s",
ca_cert_path);
+ if (ca_cert_file == NULL && ca_cert_path == NULL)
+ fetch_info("Using OpenSSL default "
+ "CA cert file and path");
}
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER,
fetch_ssl_cb_verify_crt);
- SSL_CTX_load_verify_locations(ctx, ca_cert_file,
- ca_cert_path);
+ if (ca_cert_file != NULL || ca_cert_path != NULL)
+ SSL_CTX_load_verify_locations(ctx, ca_cert_file,
+ ca_cert_path);
+ else
+ SSL_CTX_set_default_verify_paths(ctx);
if ((crl_file = getenv("SSL_CRL_FILE")) != NULL) {
if (verbose)
fetch_info("Using CRL file: %s", crl_file);
@@ -872,8 +879,8 @@ fetch_ssl(conn_t *conn, const struct url
}
if (verbose) {
- fetch_info("SSL connection established using %s",
- SSL_get_cipher(conn->ssl));
+ fetch_info("%s connection established using %s",
+ SSL_get_version(conn->ssl), SSL_get_cipher(conn->ssl));
name = X509_get_subject_name(conn->ssl_cert);
str = X509_NAME_oneline(name, 0, 0);
fetch_info("Certificate subject: %s", str);
Modified: stable/9/lib/libfetch/fetch.3
==============================================================================
--- stable/9/lib/libfetch/fetch.3 Sat Feb 20 13:21:59 2016
(r295839)
+++ stable/9/lib/libfetch/fetch.3 Sat Feb 20 13:36:24 2016
(r295840)
@@ -438,13 +438,13 @@ input (see
.Pp
By default
.Nm libfetch
-allows SSLv3 and TLSv1 when negotiating the connecting with the remote
+allows TLSv1 when negotiating the connecting with the remote
peer.
You can change this behavior by setting the
-.Ev SSL_NO_SSL3
-or
+.Ev SSL_ALLOW_SSL3
+environment variable to allow SSLv3 and
.Ev SSL_NO_TLS1
-environment variables to disable the respective methods.
+to disable TLS 1.0.
.Sh AUTHENTICATION
Apart from setting the appropriate environment variables and
specifying the user name and password in the URL or the
@@ -642,6 +642,8 @@ which proxies should not be used.
Same as
.Ev NO_PROXY ,
for compatibility.
+.It Ev SSL_ALLOW_SSL3
+Allow SSL version 3 when negotiating the connection (not recommended).
.It Ev SSL_CA_CERT_FILE
CA certificate bundle containing trusted CA certificates.
Default value:
@@ -656,10 +658,12 @@ PEM encoded client key in case key and c
are stored separately.
.It Ev SSL_CRL_FILE
File containing certificate revocation list.
-.It Ev SSL_NO_SSL3
-Don't allow SSL version 3 when negotiating the connection.
.It Ev SSL_NO_TLS1
-Don't allow TLV version 1 when negotiating the connection.
+Do not allow TLS version 1.0 when negotiating the connection.
+.It Ev SSL_NO_TLS1_1
+Do not allow TLS version 1.1 when negotiating the connection.
+.It Ev SSL_NO_TLS1_2
+Do not allow TLS version 1.2 when negotiating the connection.
.It Ev SSL_NO_VERIFY_HOSTNAME
If set, do not verify that the hostname matches the subject of the
certificate presented by the server.
Modified: stable/9/lib/libfetch/http.c
==============================================================================
--- stable/9/lib/libfetch/http.c Sat Feb 20 13:21:59 2016
(r295839)
+++ stable/9/lib/libfetch/http.c Sat Feb 20 13:36:24 2016
(r295840)
@@ -1435,7 +1435,6 @@ http_connect(struct url *URL, struct url
}
if (strcasecmp(URL->scheme, SCHEME_HTTPS) == 0 &&
fetch_ssl(conn, URL, verbose) == -1) {
- fetch_close(conn);
/* grrr */
errno = EAUTH;
fetch_syserr();
_______________________________________________
svn-src-stable-9@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-stable-9
To unsubscribe, send any mail to "svn-src-stable-9-unsubscr...@freebsd.org"
