From: Wouter Wijngaards Date: Mon, 27 Oct 2014 09:26:48 +0000 (+0000) Subject: - Disabled use of SSLv3 in remote-control and ssl-upstream. X-Git-Tag: release-1.5.0rc1~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7084c20f88b8cbe11015e6ece45b520f502c2485;p=thirdparty%2Funbound.git - Disabled use of SSLv3 in remote-control and ssl-upstream. git-svn-id: file:///svn/unbound/trunk@3248 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/daemon/remote.c b/daemon/remote.c index e56572048..c59807b27 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -154,12 +154,17 @@ daemon_remote_create(struct config_file* cfg) free(rc); return NULL; } - /* no SSLv2 because has defects */ + /* no SSLv2, SSLv3 because has defects */ if(!(SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){ log_crypto_err("could not set SSL_OP_NO_SSLv2"); daemon_remote_delete(rc); return NULL; } + if(!(SSL_CTX_set_options(rc->ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)){ + log_crypto_err("could not set SSL_OP_NO_SSLv3"); + daemon_remote_delete(rc); + return NULL; + } s_cert = fname_after_chroot(cfg->server_cert_file, cfg, 1); s_key = fname_after_chroot(cfg->server_key_file, cfg, 1); if(!s_cert || !s_key) { diff --git a/doc/Changelog b/doc/Changelog index c57f3b0c9..c89437dee 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +27 October 2014: Wouter + - Disabled use of SSLv3 in remote-control and ssl-upstream. + 16 October 2014: Wouter - Documented dns64 configuration in unbound.conf man page. diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c index 9b78cef94..ff86184a8 100644 --- a/smallapp/unbound-control.c +++ b/smallapp/unbound-control.c @@ -149,6 +149,8 @@ setup_ctx(struct config_file* cfg) ssl_err("could not allocate SSL_CTX pointer"); if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)) ssl_err("could not set SSL_OP_NO_SSLv2"); + if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)) + ssl_err("could not set SSL_OP_NO_SSLv3"); if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM) || !SSL_CTX_check_private_key(ctx)) diff --git a/testcode/petal.c b/testcode/petal.c index 0bdcc4190..964735b39 100644 --- a/testcode/petal.c +++ b/testcode/petal.c @@ -235,6 +235,7 @@ setup_ctx(char* key, char* cert) SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method()); if(!ctx) print_exit("out of memory"); (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); + (void)SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); if(!SSL_CTX_use_certificate_file(ctx, cert, SSL_FILETYPE_PEM)) print_exit("cannot read cert"); if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) diff --git a/util/net_help.c b/util/net_help.c index 30d543e00..49ce677f4 100644 --- a/util/net_help.c +++ b/util/net_help.c @@ -613,12 +613,17 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem) log_crypto_err("could not SSL_CTX_new"); return NULL; } - /* no SSLv2 because has defects */ + /* no SSLv2, SSLv3 because has defects */ if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){ log_crypto_err("could not set SSL_OP_NO_SSLv2"); SSL_CTX_free(ctx); return NULL; } + if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)){ + log_crypto_err("could not set SSL_OP_NO_SSLv3"); + SSL_CTX_free(ctx); + return NULL; + } if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) { log_err("error for cert file: %s", pem); log_crypto_err("error in SSL_CTX use_certificate_file"); @@ -668,6 +673,11 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem) SSL_CTX_free(ctx); return NULL; } + if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)) { + log_crypto_err("could not set SSL_OP_NO_SSLv3"); + SSL_CTX_free(ctx); + return NULL; + } if(key && key[0]) { if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) { log_err("error in client certificate %s", pem);