Set SSL options for increased security
Disable SSLv2, SSLv3, and compression; generate new DH or ECDH keys during each handshake; always start a new session on server renegotiation; set a strong cipher list. Signed-off-by: Anders Kaseorg <andersk@mit.edu> [ Patch from https://code.google.com/p/shellinabox/issues/detail?id=215 ]
This commit is contained in:
Anders Kaseorg
KLuka
parent
4f0b949081
commit
b06b1f15ac
1 changed files with 24 additions and 3 deletions
|
|
@ -583,6 +583,27 @@ static int sslSetCertificateFromFile(SSL_CTX *context,
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
static SSL_CTX *sslMakeContext(void) {
|
||||||
|
SSL_CTX *context;
|
||||||
|
check(context = SSL_CTX_new(SSLv23_server_method()));
|
||||||
|
SSL_CTX_set_options(context, SSL_OP_ALL);
|
||||||
|
SSL_CTX_set_options(context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
|
||||||
|
#ifdef SSL_OP_NO_COMPRESSION
|
||||||
|
SSL_CTX_set_options(context, SSL_OP_NO_COMPRESSION);
|
||||||
|
#elif OPENSSL_VERSION_NUMBER >= 0x00908000L
|
||||||
|
sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
|
||||||
|
#endif
|
||||||
|
SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE);
|
||||||
|
#ifdef SSL_OP_SINGLE_ECDH_USE
|
||||||
|
SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE);
|
||||||
|
#endif
|
||||||
|
#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
|
||||||
|
SSL_CTX_set_options(context, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
|
||||||
|
#endif
|
||||||
|
check(SSL_CTX_set_cipher_list(context, "HIGH:MEDIUM:!aNULL:!MD5"));
|
||||||
|
return context;
|
||||||
|
}
|
||||||
|
|
||||||
#ifdef HAVE_TLSEXT
|
#ifdef HAVE_TLSEXT
|
||||||
static int sslSNICallback(SSL *sslHndl, int *al ATTR_UNUSED,
|
static int sslSNICallback(SSL *sslHndl, int *al ATTR_UNUSED,
|
||||||
struct SSLSupport *ssl) {
|
struct SSLSupport *ssl) {
|
||||||
|
|
@ -619,7 +640,7 @@ static int sslSNICallback(SSL *sslHndl, int *al ATTR_UNUSED,
|
||||||
serverName+1,
|
serverName+1,
|
||||||
NULL);
|
NULL);
|
||||||
if (context == NULL) {
|
if (context == NULL) {
|
||||||
check(context = SSL_CTX_new(SSLv23_server_method()));
|
context = sslMakeContext();
|
||||||
check(ssl->sniCertificatePattern);
|
check(ssl->sniCertificatePattern);
|
||||||
char *certificate = stringPrintfUnchecked(NULL,
|
char *certificate = stringPrintfUnchecked(NULL,
|
||||||
ssl->sniCertificatePattern,
|
ssl->sniCertificatePattern,
|
||||||
|
|
@ -697,7 +718,7 @@ void sslSetCertificate(struct SSLSupport *ssl, const char *filename,
|
||||||
}
|
}
|
||||||
|
|
||||||
// Try to set the default certificate. If necessary, (re-)generate it.
|
// Try to set the default certificate. If necessary, (re-)generate it.
|
||||||
check(ssl->sslContext = SSL_CTX_new(SSLv23_server_method()));
|
ssl->sslContext = sslMakeContext();
|
||||||
if (autoGenerateMissing) {
|
if (autoGenerateMissing) {
|
||||||
if (sslSetCertificateFromFile(ssl->sslContext, defaultCertificate) < 0) {
|
if (sslSetCertificateFromFile(ssl->sslContext, defaultCertificate) < 0) {
|
||||||
char hostname[256], buf[4096];
|
char hostname[256], buf[4096];
|
||||||
|
|
@ -781,7 +802,7 @@ static char *sslFdToFilename(int fd) {
|
||||||
|
|
||||||
void sslSetCertificateFd(struct SSLSupport *ssl, int fd) {
|
void sslSetCertificateFd(struct SSLSupport *ssl, int fd) {
|
||||||
#ifdef HAVE_OPENSSL
|
#ifdef HAVE_OPENSSL
|
||||||
check(ssl->sslContext = SSL_CTX_new(SSLv23_server_method()));
|
ssl->sslContext = sslMakeContext();
|
||||||
char *filename = sslFdToFilename(fd);
|
char *filename = sslFdToFilename(fd);
|
||||||
if (!sslSetCertificateFromFd(ssl->sslContext, fd)) {
|
if (!sslSetCertificateFromFd(ssl->sslContext, fd)) {
|
||||||
fatal("Cannot read valid certificate from %s. Check file format.",
|
fatal("Cannot read valid certificate from %s. Check file format.",
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue