From: Amos Jeffries Date: Mon, 10 Nov 2014 07:47:13 +0000 (-0800) Subject: RFC 6176 compliance X-Git-Tag: merge-candidate-3-v1~499 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=47901e848f83cec92340bfc25df48ddc51326f3a;p=thirdparty%2Fsquid.git RFC 6176 compliance ... prohibits use of SSLv2. https://tools.ietf.org/html/rfc6176 Remove the documentation and support for configuring Squid with SSLv2-only. Explicitly enable the SSL_NO_SSLv2 option when provided by the library to prevent implicit fallback. Remove support for ssloptions= values which are for SSLv2-specific bugs. Due to the way they are implemented with atoi() sslversion=N configuration will still accept the values for SSLv2-only. But the context creation will now unconditionally produce "SSLv2 not supported" errors if the now undocumented values are attempted. --- diff --git a/src/cf.data.pre b/src/cf.data.pre index 0bb4e8c528..09c037d3bb 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -1749,7 +1749,6 @@ DOC_START version= The version of SSL/TLS supported 1 automatic (default) - 2 SSLv2 only 3 SSLv3 only 4 TLSv1.0 only 5 TLSv1.1 only @@ -1763,7 +1762,6 @@ DOC_START options= Various SSL implementation options. The most important being: - NO_SSLv2 Disallow the use of SSLv2 NO_SSLv3 Disallow the use of SSLv3 NO_TLSv1 Disallow the use of TLSv1.0 NO_TLSv1_1 Disallow the use of TLSv1.1 @@ -1923,7 +1921,6 @@ DOC_START version= The version of SSL/TLS supported 1 automatic (default) - 2 SSLv2 only 3 SSLv3 only 4 TLSv1 only @@ -1931,7 +1928,6 @@ DOC_START options= Various SSL engine options. The most important being: - NO_SSLv2 Disallow the use of SSLv2 NO_SSLv3 Disallow the use of SSLv3 NO_TLSv1 Disallow the use of TLSv1 SINGLE_DH_USE Always create a new key when using @@ -2428,7 +2424,6 @@ DOC_START The versions of SSL/TLS supported: 1 automatic (default) - 2 SSLv2 only 3 SSLv3 only 4 TLSv1.0 only 5 TLSv1.1 only @@ -2445,7 +2440,6 @@ DOC_START The most important being: - NO_SSLv2 Disallow the use of SSLv2 NO_SSLv3 Disallow the use of SSLv3 NO_TLSv1 Disallow the use of TLSv1.0 NO_TLSv1_1 Disallow the use of TLSv1.1 @@ -3172,7 +3166,6 @@ DOC_START ssloptions=... Specify various SSL implementation options: - NO_SSLv2 Disallow the use of SSLv2 NO_SSLv3 Disallow the use of SSLv3 NO_TLSv1 Disallow the use of TLSv1.0 NO_TLSv1_1 Disallow the use of TLSv1.1 diff --git a/src/ssl/support.cc b/src/ssl/support.cc index b6a4f38618..550c093c59 100644 --- a/src/ssl/support.cc +++ b/src/ssl/support.cc @@ -354,16 +354,6 @@ static struct ssl_option { ssl_options[] = { -#if SSL_OP_MICROSOFT_SESS_ID_BUG - { - "MICROSOFT_SESS_ID_BUG", SSL_OP_MICROSOFT_SESS_ID_BUG - }, -#endif -#if SSL_OP_NETSCAPE_CHALLENGE_BUG - { - "NETSCAPE_CHALLENGE_BUG", SSL_OP_NETSCAPE_CHALLENGE_BUG - }, -#endif #if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG { "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG @@ -379,11 +369,6 @@ ssl_options[] = { "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER }, #endif -#if SSL_OP_MSIE_SSLV2_RSA_PADDING - { - "MSIE_SSLV2_RSA_PADDING", SSL_OP_MSIE_SSLV2_RSA_PADDING - }, -#endif #if SSL_OP_SSLEAY_080_CLIENT_DH_BUG { "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG @@ -449,11 +434,6 @@ ssl_options[] = { "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG }, #endif -#if SSL_OP_NO_SSLv2 - { - "NO_SSLv2", SSL_OP_NO_SSLv2 - }, -#endif #if SSL_OP_NO_SSLv3 { "NO_SSLv3", SSL_OP_NO_SSLv3 @@ -563,6 +543,10 @@ Ssl::parse_options(const char *options) safe_free(tmp); no_options: +#if SSL_OP_NO_SSLv2 + // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0 + op = op | SSL_OP_NO_SSLv2; +#endif return op; } @@ -1017,13 +1001,8 @@ Ssl::method(int version) switch (version) { case 2: -#if !defined(OPENSSL_NO_SSL2) - debugs(83, 5, "Using SSLv2."); - return SSLv2_client_method(); -#else debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy."); return NULL; -#endif break; case 3: @@ -1074,13 +1053,8 @@ Ssl::serverMethod(int version) switch (version) { case 2: -#ifndef OPENSSL_NO_SSL2 - debugs(83, 5, "Using SSLv2."); - return SSLv2_server_method(); -#else debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy."); return NULL; -#endif break; case 3: @@ -1482,13 +1456,8 @@ Ssl::contextMethod(int version) switch (version) { case 2: -#ifndef OPENSSL_NO_SSL2 - debugs(83, 5, "Using SSLv2."); - method = SSLv2_server_method(); -#else debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy."); return NULL; -#endif break; case 3: