You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
41 lines
1.6 KiB
41 lines
1.6 KiB
From a6869520061696cb115afb7de0021556068d1134 Mon Sep 17 00:00:00 2001
|
|
From: Timothy Redaelli <tredaelli@redhat.com>
|
|
Date: Fri, 27 Jul 2018 16:29:40 +0200
|
|
Subject: [PATCH 1/2] stream-ssl: Don't enable new TLS versions by default
|
|
|
|
Currently protocol_flags is populated by the list of SSL and TLS
|
|
protocols by hand. This means that when a new TLS version is added to
|
|
openssl (in this case TLS v1.3 is added to openssl 1.1.1 beta)
|
|
ovsdb-server automatically enable support to it with the default ciphers.
|
|
This can be a security problem (since other ciphers can be enabled) and it
|
|
also makes a test (SSL db: implementation) to fail.
|
|
|
|
This commit changes the 'protocol_flags' to use the list of all protocol
|
|
flags as provided by openssl library (SSL_OP_NO_SSL_MASK) so there is no
|
|
need to keep the list updated by hand.
|
|
|
|
Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
|
|
Signed-off-by: Ben Pfaff <blp@ovn.org>
|
|
(cherry picked from commit ab16d2c2871b82d1f71c652657791acd9ca51161)
|
|
---
|
|
lib/stream-ssl.c | 3 +--
|
|
1 file changed, 1 insertion(+), 2 deletions(-)
|
|
|
|
diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
|
|
index 278468083..95b0f106e 100644
|
|
--- a/lib/stream-ssl.c
|
|
+++ b/lib/stream-ssl.c
|
|
@@ -1186,8 +1186,7 @@ stream_ssl_set_protocols(const char *arg)
|
|
}
|
|
|
|
/* Start with all the flags off and turn them on as requested. */
|
|
- long protocol_flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1;
|
|
- protocol_flags |= SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
|
|
+ long protocol_flags = SSL_OP_NO_SSL_MASK;
|
|
|
|
char *s = xstrdup(arg);
|
|
char *save_ptr = NULL;
|
|
--
|
|
2.17.1
|
|
|