author | Reyk Floeter <reyk@cvs.openbsd.org> | 2007-02-24 15:48:55 +0000 |
---|---|---|
committer | Reyk Floeter <reyk@cvs.openbsd.org> | 2007-02-24 15:48:55 +0000 |
commit | dea580a9986dc2431d84eb0bc9d0d21ad14781cf (patch) | |
tree | b55cf3fb10f00f1c04c3a75abad663e7980161da | |
parent | 008c5403bf676c8c15de14562f346b2408425e99 (diff) |
disable SSLv2 and use "HIGH" crypto cipher suites by default.
suggested by dlg@
-rw-r--r-- | usr.sbin/hoststated/hoststated.conf.5 | 18 | ||||
-rw-r--r-- | usr.sbin/hoststated/hoststated.h | 6 | ||||
-rw-r--r-- | usr.sbin/hoststated/relay.c | 14 | ||||
-rw-r--r-- | usr.sbin/relayd/relay.c | 14 | ||||
-rw-r--r-- | usr.sbin/relayd/relayd.conf.5 | 18 | ||||
-rw-r--r-- | usr.sbin/relayd/relayd.h | 6 |
6 files changed, 42 insertions, 34 deletions
diff --git a/usr.sbin/hoststated/hoststated.conf.5 b/usr.sbin/hoststated/hoststated.conf.5 index 71afb2f1d9a..2576c5a39e6 100644 --- a/usr.sbin/hoststated/hoststated.conf.5 +++ b/usr.sbin/hoststated/hoststated.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: hoststated.conf.5,v 1.24 2007/02/24 00:22:32 reyk Exp $ +.\" $OpenBSD: hoststated.conf.5,v 1.25 2007/02/24 15:48:54 reyk Exp $ .\" .\" Copyright (c) 2006 Pierre-Yves Ritschard <pyr@spootnik.org> .\" @@ -517,8 +517,9 @@ Valid options are: .Bl -tag -width Ds .It Ic ciphers Ar string Set the string defining the SSL cipher suite. -If not specified, the default suite defined by the SSL library will be -used. +If not specified, the default value +.Ar HIGH +to force strong crypto cipher suites will be used. See the .Sx CIPHERS section of @@ -536,17 +537,20 @@ will disable the SSL session cache. .Op Ic no .Ic sslv2 .Xc -Enable the SSLv2 protocol. +Enable the SSLv2 protocol, +disabled by default. .It Xo .Op Ic no .Ic sslv3 .Xc -Enable the SSLv3 protocol. +Disable the SSLv3 protocol, +enabled by default. .It Xo .Op Ic no .Ic tlsv1 .Xc -Enable the TLSv1/SSLv3.1 protocol. +Disable the TLSv1/SSLv3.1 protocol, +enabled by default. .El .El .Pp @@ -647,7 +651,7 @@ protocol http_ssl { change "Keep-Alive" to "$TIMEOUT" url hash "sessid" - ssl { no sslv2, ciphers "HIGH" } + ssl { sslv2, ciphers "MEDIUM:HIGH" } } relay sslaccel { diff --git a/usr.sbin/hoststated/hoststated.h b/usr.sbin/hoststated/hoststated.h index a6fc7127336..977a22b8c2a 100644 --- a/usr.sbin/hoststated/hoststated.h +++ b/usr.sbin/hoststated/hoststated.h @@ -1,4 +1,4 @@ -/* $OpenBSD: hoststated.h,v 1.28 2007/02/24 00:22:32 reyk Exp $ */ +/* $OpenBSD: hoststated.h,v 1.29 2007/02/24 15:48:54 reyk Exp $ */ /* * Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@spootnik.org> 
@@ -396,7 +396,9 @@ enum prototype {
 #define SSLFLAG_SSLV3 0x02
 #define SSLFLAG_TLSV1 0x04
 #define SSLFLAG_VERSION 0x07
-#define SSLFLAG_DEFAULT (SSLFLAG_SSLV2|SSLFLAG_SSLV3|SSLFLAG_TLSV1)
+#define SSLFLAG_DEFAULT (SSLFLAG_SSLV3|SSLFLAG_TLSV1)
+
+#define SSLCIPHERS_DEFAULT "HIGH"
 
 struct protocol {
 	objid_t id;
diff --git a/usr.sbin/hoststated/relay.c b/usr.sbin/hoststated/relay.c
index 6078d36d891..00d82e90b2f 100644
--- a/usr.sbin/hoststated/relay.c
+++ b/usr.sbin/hoststated/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.3 2007/02/24 00:22:32 reyk Exp $ */
+/* $OpenBSD: relay.c,v 1.4 2007/02/24 15:48:54 reyk Exp $ */
 /*
  * Copyright (c) 2006, 2007 Reyk Floeter <reyk@openbsd.org>
@@ -1589,7 +1589,7 @@ relay_ssl_ctx_create(struct relay *rlay)
 {
 	struct protocol *proto = rlay->proto;
 	SSL_CTX *ctx;
-	char certfile[PATH_MAX], hbuf[128];
+	char certfile[PATH_MAX], hbuf[128], *ciphers = NULL;
 
 	ctx = SSL_CTX_new(SSLv23_method());
 	if (ctx == NULL)
@@ -1619,12 +1619,10 @@ relay_ssl_ctx_create(struct relay *rlay)
 		SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
 
 	/* Change the default SSL cipher suite, if specified */
-	if (proto->sslciphers != NULL) {
-		log_debug("relay_ssl_ctx_create: ciphers '%s'",
-		    proto->sslciphers);
-		if (!SSL_CTX_set_cipher_list(ctx, proto->sslciphers))
-			goto err;
-	}
+	if ((ciphers = proto->sslciphers) == NULL)
+		ciphers = SSLCIPHERS_DEFAULT;
+	if (!SSL_CTX_set_cipher_list(ctx, ciphers))
+		goto err;
 
 	if (relay_host(&rlay->ss, hbuf, sizeof(hbuf)) == NULL)
 		goto err;
diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c
index 6078d36d891..00d82e90b2f 100644
--- a/usr.sbin/relayd/relay.c
+++ b/usr.sbin/relayd/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.3 2007/02/24 00:22:32 reyk Exp $ */
+/* $OpenBSD: relay.c,v 1.4 2007/02/24 15:48:54 reyk Exp $ */
 /*
  * Copyright (c) 2006, 2007 Reyk Floeter <reyk@openbsd.org>
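Review bot: `SSLCIPHERS_DEFAULT "HIGH"` is added without a comment, and because "HIGH" is an OpenSSL cipher-list alias rather than a fixed set, the suites it actually selects are decided by the linked library at run time and will change across library versions. A one-line comment above the define would make that explicit for whoever tunes it later: `/* OpenSSL cipher-list string used when no "ciphers" option is configured; "HIGH" is expanded by the library at run time */`. It would also help to note next to the new `SSLFLAG_DEFAULT` that SSLv2 now has to be enabled explicitly with the `sslv2` option, which the man-page hunks in this commit document. The identical hunk in usr.sbin/relayd/relayd.h needs the same comments.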
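Review bot: The comment `/* Change the default SSL cipher suite, if specified */` above the new code in the `@@ -1619,12 +1619,10 @@` hunk is now stale, since the cipher list is set unconditionally and only its source varies; `/* Set the cipher list, falling back to SSLCIPHERS_DEFAULT if none was configured */` describes what the code does. The rewrite also drops the `log_debug` that reported the cipher string, so the effective list (configured or default) is no longer visible in debug output when checking a relay's TLS configuration; keeping `log_debug("relay_ssl_ctx_create: ciphers '%s'", ciphers);` before the `SSL_CTX_set_cipher_list` call restores that. In the preceding `@@ -1589,7 +1589,7 @@` hunk, `ciphers` could be declared on its own line as `const char *ciphers;` since it only ever holds a string literal or the configured string and is passed to a `const char *` parameter, assuming `proto->sslciphers` is itself a `char *`, which these hunks do not show. relay_ssl_ctx_create starts and ends outside both hunks; usr.sbin/relayd/relay.c carries the identical hunks and the same points apply there.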
@@ -1589,7 +1589,7 @@ relay_ssl_ctx_create(struct relay *rlay)
 {
 	struct protocol *proto = rlay->proto;
 	SSL_CTX *ctx;
-	char certfile[PATH_MAX], hbuf[128];
+	char certfile[PATH_MAX], hbuf[128], *ciphers = NULL;
 
 	ctx = SSL_CTX_new(SSLv23_method());
 	if (ctx == NULL)
@@ -1619,12 +1619,10 @@ relay_ssl_ctx_create(struct relay *rlay)
 		SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
 
 	/* Change the default SSL cipher suite, if specified */
-	if (proto->sslciphers != NULL) {
-		log_debug("relay_ssl_ctx_create: ciphers '%s'",
-		    proto->sslciphers);
-		if (!SSL_CTX_set_cipher_list(ctx, proto->sslciphers))
-			goto err;
-	}
+	if ((ciphers = proto->sslciphers) == NULL)
+		ciphers = SSLCIPHERS_DEFAULT;
+	if (!SSL_CTX_set_cipher_list(ctx, ciphers))
+		goto err;
 
 	if (relay_host(&rlay->ss, hbuf, sizeof(hbuf)) == NULL)
 		goto err;
diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5
index 4741ad1ed17..67dc4cbb859 100644
--- a/usr.sbin/relayd/relayd.conf.5
+++ b/usr.sbin/relayd/relayd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: relayd.conf.5,v 1.24 2007/02/24 00:22:32 reyk Exp $
+.\" $OpenBSD: relayd.conf.5,v 1.25 2007/02/24 15:48:54 reyk Exp $
 .\"
 .\" Copyright (c) 2006 Pierre-Yves Ritschard <pyr@spootnik.org>
 .\"
@@ -517,8 +517,9 @@ Valid options are:
 .Bl -tag -width Ds
 .It Ic ciphers Ar string
 Set the string defining the SSL cipher suite.
-If not specified, the default suite defined by the SSL library will be
-used.
+If not specified, the default value
+.Ar HIGH
+to force strong crypto cipher suites will be used.
 See the
 .Sx CIPHERS
 section of
@@ -536,17 +537,20 @@ will disable the SSL session cache.
 .Op Ic no
 .Ic sslv2
 .Xc
-Enable the SSLv2 protocol.
+Enable the SSLv2 protocol,
+disabled by default.
 .It Xo
 .Op Ic no
 .Ic sslv3
 .Xc
-Enable the SSLv3 protocol.
+Disable the SSLv3 protocol,
+enabled by default.
 .It Xo
 .Op Ic no
 .Ic tlsv1
 .Xc
-Enable the TLSv1/SSLv3.1 protocol.
+Disable the TLSv1/SSLv3.1 protocol,
+enabled by default.
 .El
 .El
 .Pp
@@ -647,7 +651,7 @@ protocol http_ssl { change "Keep-Alive" to "$TIMEOUT" url hash "sessid" - ssl { no sslv2, ciphers "HIGH" } + ssl { sslv2, ciphers "MEDIUM:HIGH" } } relay sslaccel { diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h index 1cbf33b45d7..205a1af9027 100644 --- a/usr.sbin/relayd/relayd.h +++ b/usr.sbin/relayd/relayd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: relayd.h,v 1.28 2007/02/24 00:22:32 reyk Exp $ */ +/* $OpenBSD: relayd.h,v 1.29 2007/02/24 15:48:54 reyk Exp $ */ /* * Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@spootnik.org> @@ -396,7 +396,9 @@ enum prototype { #define SSLFLAG_SSLV3 0x02 #define SSLFLAG_TLSV1 0x04 #define SSLFLAG_VERSION 0x07 -#define SSLFLAG_DEFAULT (SSLFLAG_SSLV2|SSLFLAG_SSLV3|SSLFLAG_TLSV1) +#define SSLFLAG_DEFAULT (SSLFLAG_SSLV3|SSLFLAG_TLSV1) + +#define SSLCIPHERS_DEFAULT "HIGH" struct protocol { objid_t id; |