authorReyk Floeter <reyk@cvs.openbsd.org>2007-02-24 15:48:55 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2007-02-24 15:48:55 +0000
commitdea580a9986dc2431d84eb0bc9d0d21ad14781cf (patch)
treeb55cf3fb10f00f1c04c3a75abad663e7980161da
parent008c5403bf676c8c15de14562f346b2408425e99 (diff)
disable SSLv2 and use "HIGH" crypto cipher suites by default.
suggested by dlg@
-rw-r--r--usr.sbin/hoststated/hoststated.conf.518
-rw-r--r--usr.sbin/hoststated/hoststated.h6
-rw-r--r--usr.sbin/hoststated/relay.c14
-rw-r--r--usr.sbin/relayd/relay.c14
-rw-r--r--usr.sbin/relayd/relayd.conf.518
-rw-r--r--usr.sbin/relayd/relayd.h6
6 files changed, 42 insertions, 34 deletions
diff --git a/usr.sbin/hoststated/hoststated.conf.5 b/usr.sbin/hoststated/hoststated.conf.5
index 71afb2f1d9a..2576c5a39e6 100644
--- a/usr.sbin/hoststated/hoststated.conf.5
+++ b/usr.sbin/hoststated/hoststated.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: hoststated.conf.5,v 1.24 2007/02/24 00:22:32 reyk Exp $
+.\" $OpenBSD: hoststated.conf.5,v 1.25 2007/02/24 15:48:54 reyk Exp $
.\"
.\" Copyright (c) 2006 Pierre-Yves Ritschard <pyr@spootnik.org>
.\"
@@ -517,8 +517,9 @@ Valid options are:
.Bl -tag -width Ds
.It Ic ciphers Ar string
Set the string defining the SSL cipher suite.
-If not specified, the default suite defined by the SSL library will be
-used.
+If not specified, the default value
+.Ar HIGH
+to force strong crypto cipher suites will be used.
See the
.Sx CIPHERS
section of
@@ -536,17 +537,20 @@ will disable the SSL session cache.
.Op Ic no
.Ic sslv2
.Xc
-Enable the SSLv2 protocol.
+Enable the SSLv2 protocol,
+disabled by default.
.It Xo
.Op Ic no
.Ic sslv3
.Xc
-Enable the SSLv3 protocol.
+Disable the SSLv3 protocol,
+enabled by default.
.It Xo
.Op Ic no
.Ic tlsv1
.Xc
-Enable the TLSv1/SSLv3.1 protocol.
+Disable the TLSv1/SSLv3.1 protocol,
+enabled by default.
.El
.El
.Pp
@@ -647,7 +651,7 @@ protocol http_ssl {
change "Keep-Alive" to "$TIMEOUT"
url hash "sessid"
- ssl { no sslv2, ciphers "HIGH" }
+ ssl { sslv2, ciphers "MEDIUM:HIGH" }
}
relay sslaccel {
diff --git a/usr.sbin/hoststated/hoststated.h b/usr.sbin/hoststated/hoststated.h
index a6fc7127336..977a22b8c2a 100644
--- a/usr.sbin/hoststated/hoststated.h
+++ b/usr.sbin/hoststated/hoststated.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: hoststated.h,v 1.28 2007/02/24 00:22:32 reyk Exp $ */
+/* $OpenBSD: hoststated.h,v 1.29 2007/02/24 15:48:54 reyk Exp $ */
/*
* Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@spootnik.org>
@@ -396,7 +396,9 @@ enum prototype {
#define SSLFLAG_SSLV3 0x02
#define SSLFLAG_TLSV1 0x04
#define SSLFLAG_VERSION 0x07
-#define SSLFLAG_DEFAULT (SSLFLAG_SSLV2|SSLFLAG_SSLV3|SSLFLAG_TLSV1)
+#define SSLFLAG_DEFAULT (SSLFLAG_SSLV3|SSLFLAG_TLSV1)
+
+#define SSLCIPHERS_DEFAULT "HIGH"
struct protocol {
objid_t id;
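Review bot: SSLCIPHERS_DEFAULT is introduced without a comment saying what kind of string it is; since it is passed straight to SSL_CTX_set_cipher_list, a reader should be told it is an OpenSSL cipher-list specification rather than a free-form name. I would add `/* OpenSSL cipher-list string used when no "ciphers" option is configured */` above the define. SSLFLAG_VERSION still masks the SSLv2 bit, which is correct because the flag remains settable from the configuration, but a comment such as `/* mask of all protocol-version bits, including ones not enabled by default */` would save the next reader the question. The same applies to the identical hunk in usr.sbin/relayd/relayd.h.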
diff --git a/usr.sbin/hoststated/relay.c b/usr.sbin/hoststated/relay.c
index 6078d36d891..00d82e90b2f 100644
--- a/usr.sbin/hoststated/relay.c
+++ b/usr.sbin/hoststated/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.3 2007/02/24 00:22:32 reyk Exp $ */
+/* $OpenBSD: relay.c,v 1.4 2007/02/24 15:48:54 reyk Exp $ */
/*
* Copyright (c) 2006, 2007 Reyk Floeter <reyk@openbsd.org>
@@ -1589,7 +1589,7 @@ relay_ssl_ctx_create(struct relay *rlay)
{
struct protocol *proto = rlay->proto;
SSL_CTX *ctx;
- char certfile[PATH_MAX], hbuf[128];
+ char certfile[PATH_MAX], hbuf[128], *ciphers = NULL;
ctx = SSL_CTX_new(SSLv23_method());
if (ctx == NULL)
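Review bot: `ciphers` is declared `char *`, but the added code assigns the string literal SSLCIPHERS_DEFAULT to it and only hands it to SSL_CTX_set_cipher_list, which takes a `const char *`; declaring it `const char *ciphers` would let the compiler reject any accidental write through it, assuming proto->sslciphers is a compatible pointer type (its declaration is outside the hunk). The `= NULL` initializer is also redundant, since the first use is the assignment from proto->sslciphers in the next hunk. relay_ssl_ctx_create continues past the end of this hunk. The same applies to the identical hunk in usr.sbin/relayd/relay.c.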
@@ -1619,12 +1619,10 @@ relay_ssl_ctx_create(struct relay *rlay)
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
/* Change the default SSL cipher suite, if specified */
- if (proto->sslciphers != NULL) {
- log_debug("relay_ssl_ctx_create: ciphers '%s'",
- proto->sslciphers);
- if (!SSL_CTX_set_cipher_list(ctx, proto->sslciphers))
- goto err;
- }
+ if ((ciphers = proto->sslciphers) == NULL)
+ ciphers = SSLCIPHERS_DEFAULT;
+ if (!SSL_CTX_set_cipher_list(ctx, ciphers))
+ goto err;
if (relay_host(&rlay->ss, hbuf, sizeof(hbuf)) == NULL)
goto err;
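Review bot: The comment `/* Change the default SSL cipher suite, if specified */` is now stale, because the new code always calls SSL_CTX_set_cipher_list, falling back to SSLCIPHERS_DEFAULT; I would change it to `/* Apply the configured cipher suite, or SSLCIPHERS_DEFAULT when none is set */`. The removed log_debug was also the only record of which cipher list a relay actually ended up with, which an operator debugging a handshake failure or confirming that the stronger default is in effect will want; keeping `log_debug("relay_ssl_ctx_create: ciphers '%s'", ciphers);` after the fallback preserves that. relay_ssl_ctx_create starts and ends outside this hunk. The same applies to the identical hunk in usr.sbin/relayd/relay.c.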
diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c
index 6078d36d891..00d82e90b2f 100644
--- a/usr.sbin/relayd/relay.c
+++ b/usr.sbin/relayd/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.3 2007/02/24 00:22:32 reyk Exp $ */
+/* $OpenBSD: relay.c,v 1.4 2007/02/24 15:48:54 reyk Exp $ */
/*
* Copyright (c) 2006, 2007 Reyk Floeter <reyk@openbsd.org>
@@ -1589,7 +1589,7 @@ relay_ssl_ctx_create(struct relay *rlay)
{
struct protocol *proto = rlay->proto;
SSL_CTX *ctx;
- char certfile[PATH_MAX], hbuf[128];
+ char certfile[PATH_MAX], hbuf[128], *ciphers = NULL;
ctx = SSL_CTX_new(SSLv23_method());
if (ctx == NULL)
@@ -1619,12 +1619,10 @@ relay_ssl_ctx_create(struct relay *rlay)
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
/* Change the default SSL cipher suite, if specified */
- if (proto->sslciphers != NULL) {
- log_debug("relay_ssl_ctx_create: ciphers '%s'",
- proto->sslciphers);
- if (!SSL_CTX_set_cipher_list(ctx, proto->sslciphers))
- goto err;
- }
+ if ((ciphers = proto->sslciphers) == NULL)
+ ciphers = SSLCIPHERS_DEFAULT;
+ if (!SSL_CTX_set_cipher_list(ctx, ciphers))
+ goto err;
if (relay_host(&rlay->ss, hbuf, sizeof(hbuf)) == NULL)
goto err;
diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5
index 4741ad1ed17..67dc4cbb859 100644
--- a/usr.sbin/relayd/relayd.conf.5
+++ b/usr.sbin/relayd/relayd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: relayd.conf.5,v 1.24 2007/02/24 00:22:32 reyk Exp $
+.\" $OpenBSD: relayd.conf.5,v 1.25 2007/02/24 15:48:54 reyk Exp $
.\"
.\" Copyright (c) 2006 Pierre-Yves Ritschard <pyr@spootnik.org>
.\"
@@ -517,8 +517,9 @@ Valid options are:
.Bl -tag -width Ds
.It Ic ciphers Ar string
Set the string defining the SSL cipher suite.
-If not specified, the default suite defined by the SSL library will be
-used.
+If not specified, the default value
+.Ar HIGH
+to force strong crypto cipher suites will be used.
See the
.Sx CIPHERS
section of
@@ -536,17 +537,20 @@ will disable the SSL session cache.
.Op Ic no
.Ic sslv2
.Xc
-Enable the SSLv2 protocol.
+Enable the SSLv2 protocol,
+disabled by default.
.It Xo
.Op Ic no
.Ic sslv3
.Xc
-Enable the SSLv3 protocol.
+Disable the SSLv3 protocol,
+enabled by default.
.It Xo
.Op Ic no
.Ic tlsv1
.Xc
-Enable the TLSv1/SSLv3.1 protocol.
+Disable the TLSv1/SSLv3.1 protocol,
+enabled by default.
.El
.El
.Pp
@@ -647,7 +651,7 @@ protocol http_ssl {
change "Keep-Alive" to "$TIMEOUT"
url hash "sessid"
- ssl { no sslv2, ciphers "HIGH" }
+ ssl { sslv2, ciphers "MEDIUM:HIGH" }
}
relay sslaccel {
diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h
index 1cbf33b45d7..205a1af9027 100644
--- a/usr.sbin/relayd/relayd.h
+++ b/usr.sbin/relayd/relayd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.h,v 1.28 2007/02/24 00:22:32 reyk Exp $ */
+/* $OpenBSD: relayd.h,v 1.29 2007/02/24 15:48:54 reyk Exp $ */
/*
* Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@spootnik.org>
@@ -396,7 +396,9 @@ enum prototype {
#define SSLFLAG_SSLV3 0x02
#define SSLFLAG_TLSV1 0x04
#define SSLFLAG_VERSION 0x07
-#define SSLFLAG_DEFAULT (SSLFLAG_SSLV2|SSLFLAG_SSLV3|SSLFLAG_TLSV1)
+#define SSLFLAG_DEFAULT (SSLFLAG_SSLV3|SSLFLAG_TLSV1)
+
+#define SSLCIPHERS_DEFAULT "HIGH"
struct protocol {
objid_t id;