- Disabled use of SSLv3 in remote-control and ssl-upstream.

author Wouter Wijngaards <wouter@nlnetlabs.nl>

Mon, 27 Oct 2014 09:26:48 +0000 (09:26 +0000)

committer Wouter Wijngaards <wouter@nlnetlabs.nl>

Mon, 27 Oct 2014 09:26:48 +0000 (09:26 +0000)
author Wouter Wijngaards <wouter@nlnetlabs.nl>
Mon, 27 Oct 2014 09:26:48 +0000 (09:26 +0000)
committer Wouter Wijngaards <wouter@nlnetlabs.nl>
Mon, 27 Oct 2014 09:26:48 +0000 (09:26 +0000)
diff --git a/daemon/remote.c b/daemon/remote.c

index e56572048d4f6246026e3c242558491b1e27f082..c59807b27d91b3e839050d55fee98a7620d6d3dc 100644 (file)
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -154,12 +154,17 @@ daemon_remote_create(struct config_file* cfg)
                 free(rc);
                 return NULL;
         }
-       /* no SSLv2 because has defects */
+       /* no SSLv2, SSLv3 because has defects */
         if(!(SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
                 log_crypto_err("could not set SSL_OP_NO_SSLv2");
                 daemon_remote_delete(rc);
                 return NULL;
         }
+       if(!(SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)){
+               log_crypto_err("could not set SSL_OP_NO_SSLv3");
+               daemon_remote_delete(rc);
+               return NULL;
+       }
         s_cert = fname_after_chroot(cfg->server_cert_file, cfg, 1);
         s_key = fname_after_chroot(cfg->server_key_file, cfg, 1);
         if(!s_cert || !s_key) {
diff --git a/doc/Changelog b/doc/Changelog

index c57f3b0c9793c5982d096cbdcbe0b024f855e066..c89437deef7687ae62b127d25a69f08784eddb36 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+27 October 2014: Wouter
+       - Disabled use of SSLv3 in remote-control and ssl-upstream.
+
  16 October 2014: Wouter
         - Documented dns64 configuration in unbound.conf man page.
  
diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c

index 9b78cef940e1013cb3dabc78d1e832a64b79f221..ff86184a81621d60d07e5e8976c724cd0bc429a7 100644 (file)
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@@ -149,6 +149,8 @@ setup_ctx(struct config_file* cfg)
                 ssl_err("could not allocate SSL_CTX pointer");
          if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2))
                 ssl_err("could not set SSL_OP_NO_SSLv2");
+        if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3))
+               ssl_err("could not set SSL_OP_NO_SSLv3");
         if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) ||
                 !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
                 || !SSL_CTX_check_private_key(ctx))
diff --git a/testcode/petal.c b/testcode/petal.c

index 0bdcc4190e0182531ece2a6d34a9f46be8cf41f5..964735b39ddc8b4cc867495ef3bd73a2d39505f3 100644 (file)
--- a/testcode/petal.c
+++ b/testcode/petal.c
@@ -235,6 +235,7 @@ setup_ctx(char* key, char* cert)
         SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method());
         if(!ctx) print_exit("out of memory");
         (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+       (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
         if(!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM))
                 print_exit("cannot read cert");
         if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM))
diff --git a/util/net_help.c b/util/net_help.c

index 30d543e00197f5cb8001587524657509d88bbe97..49ce677f4aa06c5f3bf06230e393ed1b3836876b 100644 (file)
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -613,12 +613,17 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
                 log_crypto_err("could not SSL_CTX_new");
                 return NULL;
         }
-       /* no SSLv2 because has defects */
+       /* no SSLv2, SSLv3 because has defects */
         if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
                 log_crypto_err("could not set SSL_OP_NO_SSLv2");
                 SSL_CTX_free(ctx);
                 return NULL;
         }
+       if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)){
+               log_crypto_err("could not set SSL_OP_NO_SSLv3");
+               SSL_CTX_free(ctx);
+               return NULL;
+       }
         if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
                 log_err("error for cert file: %s", pem);
                 log_crypto_err("error in SSL_CTX use_certificate_file");
@@ -668,6 +673,11 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem)
                 SSL_CTX_free(ctx);
                 return NULL;
         }
+       if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)) {
+               log_crypto_err("could not set SSL_OP_NO_SSLv3");
+               SSL_CTX_free(ctx);
+               return NULL;
+       }
         if(key && key[0]) {
                 if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
                         log_err("error in client certificate %s", pem);
author	Wouter Wijngaards <wouter@nlnetlabs.nl>
	Mon, 27 Oct 2014 09:26:48 +0000 (09:26 +0000)
committer	Wouter Wijngaards <wouter@nlnetlabs.nl>
	Mon, 27 Oct 2014 09:26:48 +0000 (09:26 +0000)
daemon/remote.c		patch \| blob \| blame \| history
doc/Changelog		patch \| blob \| blame \| history
smallapp/unbound-control.c		patch \| blob \| blame \| history
testcode/petal.c		patch \| blob \| blame \| history
util/net_help.c		patch \| blob \| blame \| history