Disable HTTP fallback via "/plain" URL (CVE-2015-8400)
* Disabled all methods of HTTP fallback when HTTPS is enabled. This is enforced on server side so that even modified client code (JS) can not redirect client from HTTPS to HTTP, like it was possible before (issue #355). * Current solution unfortunately also disables automatic upgrade from HTTP to HTTPS (when available), since all non-SSL connections are dropped immediately.
parent
aaa00551bf
commit
4aa0eb97e4
7 changed files with 25 additions and 6 deletions
|
@ -102,7 +102,7 @@ short serverConnectionSetEvents(Server *server, ServerConnection *connection,
|
||||||
void serverExitLoop(Server *server, int exitAll);
|
void serverExitLoop(Server *server, int exitAll);
|
||||||
void serverLoop(Server *server);
|
void serverLoop(Server *server);
|
||||||
int serverSupportsSSL();
|
int serverSupportsSSL();
|
||||||
void serverEnableSSL(Server *server, int flag);
|
void serverSetupSSL(Server *server, int enable, int force);
|
||||||
void serverSetCertificate(Server *server, const char *filename,
|
void serverSetCertificate(Server *server, const char *filename,
|
||||||
int autoGenerateMissing);
|
int autoGenerateMissing);
|
||||||
void serverSetCertificateFd(Server *server, int fd);
|
void serverSetCertificateFd(Server *server, int fd);
|
||||||
|
|
|
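Review bot: The new `serverSetupSSL(Server *server, int enable, int force)` prototype gives the caller no hint what `force` means or how it relates to `enable`, and this is the public entry point that decides whether plaintext HTTP is refused at all; the `struct Server` variant of the same prototype in the second header hunk has the same gap. Add one comment above both declarations, e.g. `/* enable: use TLS when the build supports it (serverSupportsSSL() is checked, presumably fatally). force: refuse plaintext HTTP connections outright instead of serving them; only meaningful when enable is set. */`. The "only meaningful when enable is set" part follows from the connection-side check in the httpconnection hunk, which requires both `enabled` and `force`.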
@ -1480,6 +1480,13 @@ int httpHandleConnection(struct ServerConnection *connection, void *http_,
|
||||||
*events |= POLLIN;
|
*events |= POLLIN;
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
if (http->ssl && http->ssl->enabled && http->ssl->force) {
|
||||||
|
debug("[http] Non-SSL connections not allowed!");
|
||||||
|
httpCloseRead(http);
|
||||||
|
bytes = 0;
|
||||||
|
eof = 1;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
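Review bot: The refusal on the new `http->ssl->force` branch closes the plaintext connection with no response and records it only through `debug(...)`, so in a normal build an operator gets no signal that clients or probes are still reaching the HTTP path after this hardening. Since this branch is the server-side enforcement for CVE-2015-8400, it is worth logging at the level used for other refused connections, with the peer identity if the connection object carries it, and stating the intent above the check: `// Plaintext HTTP is refused outright (CVE-2015-8400); no redirect is sent, the client only sees the connection close.` Whether this `else` is reached only for non-TLS sockets depends on the condition above the hunk, which is outside it, and httpHandleConnection begins and ends outside the hunk as well. Setting `bytes = 0; eof = 1;` after `httpCloseRead(http)` relies on the loop below treating `eof` as end of processing, which the hunk does not show.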
@ -670,11 +670,12 @@ void serverLoop(struct Server *server) {
|
||||||
server->looping = loopDepth - 1;
|
server->looping = loopDepth - 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
void serverEnableSSL(struct Server *server, int flag) {
|
void serverSetupSSL(struct Server *server, int enable, int force) {
|
||||||
if (flag) {
|
if (enable) {
|
||||||
check(serverSupportsSSL());
|
check(serverSupportsSSL());
|
||||||
}
|
}
|
||||||
sslEnable(&server->ssl, flag);
|
sslEnable(&server->ssl, enable);
|
||||||
|
sslForce(&server->ssl, force);
|
||||||
}
|
}
|
||||||
|
|
||||||
void serverSetCertificate(struct Server *server, const char *filename,
|
void serverSetCertificate(struct Server *server, const char *filename,
|
||||||
|
|
|
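Review bot: `serverSetupSSL` stores `force` unconditionally, so `serverSetupSSL(server, 0, 1)` leaves `ssl.force` set while SSL is off; the connection-side check in the httpconnection hunk requires `enabled && force`, so this is inert, but the function should say so rather than leave callers guessing, e.g. `/* force only takes effect while SSL is enabled; with enable == 0 it is recorded but has no effect. */`. The previous values returned by `sslEnable` and `sslForce` are discarded, which matches the old `serverEnableSSL`. The only caller visible on the page, `setUpSSL` in the shellinaboxd hunk, passes a `forceSSL` that is hard-coded to 1 with a TODO for a command-line switch; when that switch is added, the default should remain forcing, since clearing it reopens the HTTPS-to-HTTP downgrade this commit closes.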
@ -118,7 +118,7 @@ short serverConnectionSetEvents(struct Server *server,
|
||||||
short events);
|
short events);
|
||||||
void serverExitLoop(struct Server *server, int exitAll);
|
void serverExitLoop(struct Server *server, int exitAll);
|
||||||
void serverLoop(struct Server *server);
|
void serverLoop(struct Server *server);
|
||||||
void serverEnableSSL(struct Server *server, int flag);
|
void serverSetupSSL(struct Server *server, int enable, int force);
|
||||||
void serverSetCertificate(struct Server *server, const char *filename,
|
void serverSetCertificate(struct Server *server, const char *filename,
|
||||||
int autoGenerateMissing);
|
int autoGenerateMissing);
|
||||||
void serverSetCertificateFd(struct Server *server, int fd);
|
void serverSetCertificateFd(struct Server *server, int fd);
|
||||||
|
|
|
@ -167,6 +167,7 @@ struct SSLSupport *newSSL(void) {
|
||||||
|
|
||||||
void initSSL(struct SSLSupport *ssl) {
|
void initSSL(struct SSLSupport *ssl) {
|
||||||
ssl->enabled = serverSupportsSSL();
|
ssl->enabled = serverSupportsSSL();
|
||||||
|
ssl->force = 0;
|
||||||
ssl->sslContext = NULL;
|
ssl->sslContext = NULL;
|
||||||
ssl->sniCertificatePattern = NULL;
|
ssl->sniCertificatePattern = NULL;
|
||||||
ssl->generateMissing = 0;
|
ssl->generateMissing = 0;
|
||||||
|
@ -894,6 +895,12 @@ int sslEnable(struct SSLSupport *ssl, int enabled) {
|
||||||
return old;
|
return old;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int sslForce(struct SSLSupport *ssl, int force) {
|
||||||
|
int old = ssl->force;
|
||||||
|
ssl->force = force;
|
||||||
|
return old;
|
||||||
|
}
|
||||||
|
|
||||||
void sslBlockSigPipe(void) {
|
void sslBlockSigPipe(void) {
|
||||||
sigset_t set;
|
sigset_t set;
|
||||||
sigemptyset(&set);
|
sigemptyset(&set);
|
||||||
|
|
|
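Review bot: `sslForce` is undocumented, and `initSSL` now defaults `ssl->force = 0`, so an embedder that only calls `sslEnable` keeps plaintext fallback allowed — at the library level the fix is opt-in and is enforced in this tree only because `setUpSSL` passes `forceSSL`. A header comment should make that explicit: `/* Refuse plaintext HTTP connections while SSL is enabled. Returns the previous setting; has no effect while ssl->enabled is 0. Defaults to 0 in initSSL. */`, and the new `int force;` field in the ssl.h hunk deserves the same one-liner. `sslEnable`, whose tail opens the second hunk, starts outside it.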
@ -198,6 +198,7 @@ extern void *(*x_SSL_COMP_get_compression_methods)(void);
|
||||||
|
|
||||||
struct SSLSupport {
|
struct SSLSupport {
|
||||||
int enabled;
|
int enabled;
|
||||||
|
int force;
|
||||||
SSL_CTX *sslContext;
|
SSL_CTX *sslContext;
|
||||||
char *sniCertificatePattern;
|
char *sniCertificatePattern;
|
||||||
int generateMissing;
|
int generateMissing;
|
||||||
|
@ -214,6 +215,7 @@ void sslSetCertificate(struct SSLSupport *ssl, const char *filename,
|
||||||
int autoGenerateMissing);
|
int autoGenerateMissing);
|
||||||
void sslSetCertificateFd(struct SSLSupport *ssl, int fd);
|
void sslSetCertificateFd(struct SSLSupport *ssl, int fd);
|
||||||
int sslEnable(struct SSLSupport *ssl, int enabled);
|
int sslEnable(struct SSLSupport *ssl, int enabled);
|
||||||
|
int sslForce(struct SSLSupport *ssl, int force);
|
||||||
void sslBlockSigPipe();
|
void sslBlockSigPipe();
|
||||||
int sslUnblockSigPipe();
|
int sslUnblockSigPipe();
|
||||||
int sslPromoteToSSL(struct SSLSupport *ssl, SSL **sslHndl, int fd,
|
int sslPromoteToSSL(struct SSLSupport *ssl, SSL **sslHndl, int fd,
|
||||||
|
|
|
@ -112,6 +112,7 @@ static int noBeep = 0;
|
||||||
static int numericHosts = 0;
|
static int numericHosts = 0;
|
||||||
static int enableSSL = 1;
|
static int enableSSL = 1;
|
||||||
static int enableSSLMenu = 1;
|
static int enableSSLMenu = 1;
|
||||||
|
static int forceSSL = 1; // TODO enable http fallback with commandline option
|
||||||
int enableUtmpLogging = 1;
|
int enableUtmpLogging = 1;
|
||||||
static char *messagesOrigin = NULL;
|
static char *messagesOrigin = NULL;
|
||||||
static int linkifyURLs = 1;
|
static int linkifyURLs = 1;
|
||||||
|
@ -1302,7 +1303,8 @@ static void removeLimits() {
|
||||||
}
|
}
|
||||||
|
|
||||||
static void setUpSSL(Server *server) {
|
static void setUpSSL(Server *server) {
|
||||||
serverEnableSSL(server, enableSSL);
|
|
||||||
|
serverSetupSSL(server, enableSSL, forceSSL);
|
||||||
|
|
||||||
// Enable SSL support (if available)
|
// Enable SSL support (if available)
|
||||||
if (enableSSL) {
|
if (enableSSL) {
|
||||||
|
|