RFC 6176 compliance

... prohibits use of SSLv2.
https://tools.ietf.org/html/rfc6176

Remove the documentation and support for configuring Squid with
SSLv2-only.

Explicitly enable the SSL_NO_SSLv2 option when provided by the library
to prevent implicit fallback.

Remove support for ssloptions= values which are for SSLv2-specific bugs.

Due to the way they are implemented with atoi() sslversion=N
configuration will still accept the values for SSLv2-only. But the
context creation will now unconditionally produce "SSLv2 not
supported" errors if the now undocumented values are attempted.

diff --git a/src/cf.data.pre b/src/cf.data.pre
index 0bb4e8c528d5ff780b1e5928a5b74562061f0298..09c037d3bbd349d5a49a5f76e9c447a07ca90a4e 100644 (file)
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -1749,7 +1749,6 @@ DOC_START
 
           version=     The version of SSL/TLS supported
                            1   automatic (default)
-                           2   SSLv2 only
                            3   SSLv3 only
                            4   TLSv1.0 only
                            5   TLSv1.1 only
@@ -1763,7 +1762,6 @@ DOC_START
 
           options=     Various SSL implementation options. The most important
                        being:
-                           NO_SSLv2    Disallow the use of SSLv2
                            NO_SSLv3    Disallow the use of SSLv3
                            NO_TLSv1    Disallow the use of TLSv1.0
                            NO_TLSv1_1  Disallow the use of TLSv1.1
@@ -1923,7 +1921,6 @@ DOC_START
 
           version=     The version of SSL/TLS supported
                            1   automatic (default)
-                           2   SSLv2 only
                            3   SSLv3 only
                            4   TLSv1 only
 
@@ -1931,7 +1928,6 @@ DOC_START
 
           options=     Various SSL engine options. The most important
                        being:
-                           NO_SSLv2  Disallow the use of SSLv2
                            NO_SSLv3  Disallow the use of SSLv3
                            NO_TLSv1  Disallow the use of TLSv1
                            SINGLE_DH_USE Always create a new key when using
@@ -2428,7 +2424,6 @@ DOC_START
        The versions of SSL/TLS supported:
 
            1   automatic (default)
-           2   SSLv2 only
            3   SSLv3 only
            4   TLSv1.0 only
            5   TLSv1.1 only
@@ -2445,7 +2440,6 @@ DOC_START
        
        The most important being:
 
-           NO_SSLv2    Disallow the use of SSLv2
            NO_SSLv3    Disallow the use of SSLv3
            NO_TLSv1    Disallow the use of TLSv1.0
            NO_TLSv1_1  Disallow the use of TLSv1.1
@@ -3172,7 +3166,6 @@ DOC_START
        
        ssloptions=...  Specify various SSL implementation options:
 
-                           NO_SSLv2    Disallow the use of SSLv2
                            NO_SSLv3    Disallow the use of SSLv3
                            NO_TLSv1    Disallow the use of TLSv1.0
                            NO_TLSv1_1  Disallow the use of TLSv1.1

diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index b6a4f38618cac17cd95603b0b8c80ff5b0813ecb..550c093c5934e1d75e6320b9d72a831cc13e4706 100644 (file)
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -354,16 +354,6 @@ static struct ssl_option {
 
 ssl_options[] = {
 
-#if SSL_OP_MICROSOFT_SESS_ID_BUG
-    {
-        "MICROSOFT_SESS_ID_BUG", SSL_OP_MICROSOFT_SESS_ID_BUG
-    },
-#endif
-#if SSL_OP_NETSCAPE_CHALLENGE_BUG
-    {
-        "NETSCAPE_CHALLENGE_BUG", SSL_OP_NETSCAPE_CHALLENGE_BUG
-    },
-#endif
 #if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
     {
         "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
@@ -379,11 +369,6 @@ ssl_options[] = {
         "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
     },
 #endif
-#if SSL_OP_MSIE_SSLV2_RSA_PADDING
-    {
-        "MSIE_SSLV2_RSA_PADDING", SSL_OP_MSIE_SSLV2_RSA_PADDING
-    },
-#endif
 #if SSL_OP_SSLEAY_080_CLIENT_DH_BUG
     {
         "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG
@@ -449,11 +434,6 @@ ssl_options[] = {
         "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
     },
 #endif
-#if SSL_OP_NO_SSLv2
-    {
-        "NO_SSLv2", SSL_OP_NO_SSLv2
-    },
-#endif
 #if SSL_OP_NO_SSLv3
     {
         "NO_SSLv3", SSL_OP_NO_SSLv3
@@ -563,6 +543,10 @@ Ssl::parse_options(const char *options)
     safe_free(tmp);
 
 no_options:
+#if SSL_OP_NO_SSLv2
+    // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0
+    op = op | SSL_OP_NO_SSLv2;
+#endif
     return op;
 }
 
@@ -1017,13 +1001,8 @@ Ssl::method(int version)
     switch (version) {
 
     case 2:
-#if !defined(OPENSSL_NO_SSL2)
-        debugs(83, 5, "Using SSLv2.");
-        return SSLv2_client_method();
-#else
         debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy.");
         return NULL;
-#endif
         break;
 
     case 3:
@@ -1074,13 +1053,8 @@ Ssl::serverMethod(int version)
     switch (version) {
 
     case 2:
-#ifndef OPENSSL_NO_SSL2
-        debugs(83, 5, "Using SSLv2.");
-        return SSLv2_server_method();
-#else
         debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy.");
         return NULL;
-#endif
         break;
 
     case 3:
@@ -1482,13 +1456,8 @@ Ssl::contextMethod(int version)
     switch (version) {
 
     case 2:
-#ifndef OPENSSL_NO_SSL2
-        debugs(83, 5, "Using SSLv2.");
-        method = SSLv2_server_method();
-#else
         debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy.");
         return NULL;
-#endif
         break;
 
     case 3: