From dc38ca1386e2022d1cd7503782f9d9b7ba71fda5 Mon Sep 17 00:00:00 2001 From: des Date: Sat, 20 Feb 2016 13:36:24 +0000 Subject: [PATCH] MFH (r273114, r273124): turn SSLv3 off by default MFH (r294326): fall back to standard / configured CA store MFH (r295536): fix double-free when SSL connection fails PR: 193871 206774 git-svn-id: svn://svn.freebsd.org/base/stable/9@295840 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- lib/libfetch/common.c | 19 +++++++++++++------ lib/libfetch/fetch.3 | 18 +++++++++++------- lib/libfetch/http.c | 1 - 3 files changed, 24 insertions(+), 14 deletions(-) diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c index 997a6cdb6..c9fb7c776 100644 --- a/lib/libfetch/common.c +++ b/lib/libfetch/common.c @@ -674,7 +674,7 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose) long ssl_ctx_options; ssl_ctx_options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_TICKET; - if (getenv("SSL_NO_SSL3") != NULL) + if (getenv("SSL_ALLOW_SSL3") == NULL) ssl_ctx_options |= SSL_OP_NO_SSLv3; if (getenv("SSL_NO_TLS1") != NULL) ssl_ctx_options |= SSL_OP_NO_TLSv1; @@ -701,7 +701,8 @@ fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) if (ca_cert_file == NULL && access(LOCAL_CERT_FILE, R_OK) == 0) ca_cert_file = LOCAL_CERT_FILE; - if (ca_cert_file == NULL) + if (ca_cert_file == NULL && + access(BASE_CERT_FILE, R_OK) == 0) ca_cert_file = BASE_CERT_FILE; ca_cert_path = getenv("SSL_CA_CERT_PATH"); if (verbose) { @@ -712,11 +713,17 @@ fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) if (ca_cert_path != NULL) fetch_info("Using CA cert path: %s", ca_cert_path); + if (ca_cert_file == NULL && ca_cert_path == NULL) + fetch_info("Using OpenSSL default " + "CA cert file and path"); } SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, fetch_ssl_cb_verify_crt); - SSL_CTX_load_verify_locations(ctx, ca_cert_file, - ca_cert_path); + if (ca_cert_file != NULL || ca_cert_path != NULL) + SSL_CTX_load_verify_locations(ctx, ca_cert_file, + ca_cert_path); + else + SSL_CTX_set_default_verify_paths(ctx); if ((crl_file = getenv("SSL_CRL_FILE")) != NULL) { if (verbose) fetch_info("Using CRL file: %s", crl_file); @@ -872,8 +879,8 @@ fetch_ssl(conn_t *conn, const struct url *URL, int verbose) } if (verbose) { - fetch_info("SSL connection established using %s", - SSL_get_cipher(conn->ssl)); + fetch_info("%s connection established using %s", + SSL_get_version(conn->ssl), SSL_get_cipher(conn->ssl)); name = X509_get_subject_name(conn->ssl_cert); str = X509_NAME_oneline(name, 0, 0); fetch_info("Certificate subject: %s", str); diff --git a/lib/libfetch/fetch.3 b/lib/libfetch/fetch.3 index b4e5c94d6..0476405fc 100644 --- a/lib/libfetch/fetch.3 +++ b/lib/libfetch/fetch.3 @@ -438,13 +438,13 @@ input (see .Pp By default .Nm libfetch -allows SSLv3 and TLSv1 when negotiating the connecting with the remote +allows TLSv1 when negotiating the connecting with the remote peer. You can change this behavior by setting the -.Ev SSL_NO_SSL3 -or +.Ev SSL_ALLOW_SSL3 +environment variable to allow SSLv3 and .Ev SSL_NO_TLS1 -environment variables to disable the respective methods. +to disable TLS 1.0. .Sh AUTHENTICATION Apart from setting the appropriate environment variables and specifying the user name and password in the URL or the @@ -642,6 +642,8 @@ which proxies should not be used. Same as .Ev NO_PROXY , for compatibility. +.It Ev SSL_ALLOW_SSL3 +Allow SSL version 3 when negotiating the connection (not recommended). .It Ev SSL_CA_CERT_FILE CA certificate bundle containing trusted CA certificates. Default value: @@ -656,10 +658,12 @@ PEM encoded client key in case key and client certificate are stored separately. .It Ev SSL_CRL_FILE File containing certificate revocation list. -.It Ev SSL_NO_SSL3 -Don't allow SSL version 3 when negotiating the connection. .It Ev SSL_NO_TLS1 -Don't allow TLV version 1 when negotiating the connection. +Do not allow TLS version 1.0 when negotiating the connection. +.It Ev SSL_NO_TLS1_1 +Do not allow TLS version 1.1 when negotiating the connection. +.It Ev SSL_NO_TLS1_2 +Do not allow TLS version 1.2 when negotiating the connection. .It Ev SSL_NO_VERIFY_HOSTNAME If set, do not verify that the hostname matches the subject of the certificate presented by the server. diff --git a/lib/libfetch/http.c b/lib/libfetch/http.c index 206648dd4..ca522a6bc 100644 --- a/lib/libfetch/http.c +++ b/lib/libfetch/http.c @@ -1435,7 +1435,6 @@ http_connect(struct url *URL, struct url *purl, const char *flags) } if (strcasecmp(URL->scheme, SCHEME_HTTPS) == 0 && fetch_ssl(conn, URL, verbose) == -1) { - fetch_close(conn); /* grrr */ errno = EAUTH; fetch_syserr(); -- 2.45.0