From: Henrik Nordstrom Date: Fri, 27 Jan 2012 12:52:44 +0000 (-0700) Subject: Disable OpenSSL SSL/TLS bug workarounds by default X-Git-Tag: SQUID_3_2_0_15~11 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f7c7f02d133a2a92ee64bcc9c80867ceb624661;p=thirdparty%2Fsquid.git Disable OpenSSL SSL/TLS bug workarounds by default On a closer inspection the set of "harmless" SSL/TLS bug workarounds set by SSL_OP_ALL is not all of them harmless and reduces the SSL/TLS strength to some attacks. To revert to the older mode the ALL option can be set explicitly, but it's better to understand which bug is encountered and enable only that specific workaround if needed. --- diff --git a/src/cf.data.pre b/src/cf.data.pre index 52a0551227..14d34453bb 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -1409,13 +1409,17 @@ DOC_START omitted the ciphers may be silently ignored by the OpenSSL library. - options= Various SSL engine options. The most important + options= Various SSL implementation options. The most important being: NO_SSLv2 Disallow the use of SSLv2 NO_SSLv3 Disallow the use of SSLv3 NO_TLSv1 Disallow the use of TLSv1 SINGLE_DH_USE Always create a new key when using temporary/ephemeral DH key exchanges + ALL Enable various bug workarounds + suggested as "harmless" by OpenSSL + Be warned that this reduces SSL/TLS + strength to some attacks. See OpenSSL SSL_CTX_set_options documentation for a complete list of options. @@ -1846,18 +1850,24 @@ DEFAULT: none LOC: Config.ssl_client.options TYPE: string DOC_START - SSL engine options to use when proxying https:// URLs + SSL implementation options to use when proxying https:// URLs The most important being: - NO_SSLv2 Disallow the use of SSLv2 - NO_SSLv3 Disallow the use of SSLv3 - NO_TLSv1 Disallow the use of TLSv1 - SINGLE_DH_USE - Always create a new key when using - temporary/ephemeral DH key exchanges + NO_SSLv2 Disallow the use of SSLv2 + NO_SSLv3 Disallow the use of SSLv3 + NO_TLSv1 Disallow the use of TLSv1 + SINGLE_DH_USE + Always create a new key when using temporary/ephemeral + DH key exchanges + SSL_OP_NO_TICKET + Disable use of RFC5077 session tickets. Some servers + may have problems understanding the TLS extension due + to ambiguous specification in RFC4507. + ALL Enable various bug workarounds suggested as "harmless" + by OpenSSL. Be warned that this may reduce SSL/TLS + strength to some attacks. - These options vary depending on your SSL engine. See the OpenSSL SSL_CTX_set_options documentation for a complete list of possible options. DOC_END @@ -2307,12 +2317,21 @@ DOC_START sslcipher=... The list of valid SSL ciphers to use when connecting to this peer. - ssloptions=... Specify various SSL engine options: - NO_SSLv2 Disallow the use of SSLv2 - NO_SSLv3 Disallow the use of SSLv3 - NO_TLSv1 Disallow the use of TLSv1 - See src/ssl_support.c or the OpenSSL documentation for - a more complete list. + ssloptions=... Specify various SSL implementation options: + + NO_SSLv2 Disallow the use of SSLv2 + NO_SSLv3 Disallow the use of SSLv3 + NO_TLSv1 Disallow the use of TLSv1 + SINGLE_DH_USE + Always create a new key when using + temporary/ephemeral DH key exchanges + ALL Enable various bug workarounds + suggested as "harmless" by OpenSSL + Be warned that this reduces SSL/TLS + strength to some attacks. + + See the OpenSSL SSL_CTX_set_options documentation for a + more complete list. sslcafile=... A file containing additional CA certificates to use when verifying the peer certificate. diff --git a/src/ssl/support.cc b/src/ssl/support.cc index 03dd48b883..68a3217927 100644 --- a/src/ssl/support.cc +++ b/src/ssl/support.cc @@ -403,7 +403,7 @@ ssl_options[] = { static long ssl_parse_options(const char *options) { - long op = SSL_OP_ALL; + long op = 0; char *tmp; char *option;