authorJoel Sing <jsing@cvs.openbsd.org>2015-02-12 04:23:18 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2015-02-12 04:23:18 +0000
commite3213d47a875fe9ed6557bf4728158ae27445eec (patch)
treea21f2f90bbc069c7db9439dab321edc762ffafc2
parentd1e3221766c47552c8a90ce9ce84ec6e354acfb1 (diff)
Change TLS_PROTOCOLS_DEFAULT to be TLSv1.2 only. Add a TLS_PROTOCOLS_ALL
that includes all currently supported protocols (TLSv1.0, TLSv1.1 and TLSv1.2). Change all users of libtls to use TLS_PROTOCOLS_ALL so that they maintain existing behaviour. Discussed with tedu@ and reyk@.
-rw-r--r--lib/libtls/tls.h6
-rw-r--r--libexec/spamd/spamd.c4
-rw-r--r--usr.bin/ftp/main.c4
-rw-r--r--usr.sbin/httpd/server.c4
-rw-r--r--usr.sbin/syslogd/syslogd.c4
5 files changed, 16 insertions, 6 deletions
diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h
index 0a6f8d72584..0fafcc6e23f 100644
--- a/lib/libtls/tls.h
+++ b/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.7 2015/02/11 07:01:10 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.8 2015/02/12 04:23:17 jsing Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -25,7 +25,9 @@
#define TLS_PROTOCOL_TLSv1_2 (1 << 3)
#define TLS_PROTOCOL_TLSv1 \
(TLS_PROTOCOL_TLSv1_0|TLS_PROTOCOL_TLSv1_1|TLS_PROTOCOL_TLSv1_2)
-#define TLS_PROTOCOLS_DEFAULT TLS_PROTOCOL_TLSv1
+
+#define TLS_PROTOCOLS_ALL TLS_PROTOCOL_TLSv1
+#define TLS_PROTOCOLS_DEFAULT TLS_PROTOCOL_TLSv1_2
#define TLS_READ_AGAIN -2
#define TLS_WRITE_AGAIN -3
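Review bot: The two new defines carry no comment saying which set a libtls consumer gets when it never calls tls_config_set_protocols(), yet the commit message says that default now silently drops TLSv1.0 and TLSv1.1, a behaviour change for any out-of-tree caller that relied on the old value. I would document it at the definition: `/* Protocols used when tls_config_set_protocols() is never called: TLSv1.2 only. */` above TLS_PROTOCOLS_DEFAULT and `/* Every protocol this libtls supports; opt in explicitly when TLSv1.0/1.1 peers must be accepted. */` above TLS_PROTOCOLS_ALL. Defining TLS_PROTOCOLS_ALL as an alias of TLS_PROTOCOL_TLSv1 also ties "all protocols" to the TLSv1.x family mask, so presumably a future version outside that family would require ALL to be redefined rather than just extending the TLSv1 mask; writing ALL as the explicit OR of the individual TLS_PROTOCOL_* bits would make that separation visible.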
diff --git a/libexec/spamd/spamd.c b/libexec/spamd/spamd.c
index 52a25e03417..1b0e185808a 100644
--- a/libexec/spamd/spamd.c
+++ b/libexec/spamd/spamd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: spamd.c,v 1.123 2015/02/07 10:45:19 henning Exp $ */
+/* $OpenBSD: spamd.c,v 1.124 2015/02/12 04:23:17 jsing Exp $ */
/*
* Copyright (c) 2015 Henning Brauer <henning@openbsd.org>
@@ -442,6 +442,8 @@ spamd_tls_init(char *keyfile, char *certfile)
errx(1, "failed to get tls server");
/* might need user-specified ciphers, tls_config_set_ciphers */
+ tls_config_set_protocols(tlscfg, TLS_PROTOCOLS_ALL);
+
if (tls_config_set_cert_file(tlscfg, certfile) != 0)
err(1, "could not load certificate %s", certfile);
if (tls_config_set_key_file(tlscfg, keyfile) != 0)
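Review bot: The return value of the new tls_config_set_protocols() call at the top of the hunk is discarded, while the neighbouring tls_config_set_cert_file() and tls_config_set_key_file() calls in spamd_tls_init() are checked and fatal on failure; assuming the setter returns int like those, it should be `if (tls_config_set_protocols(tlscfg, TLS_PROTOCOLS_ALL) != 0) errx(1, "could not set tls protocols");`. Since this deliberately re-enables TLSv1.0 and TLSv1.1 on a listening daemon purely to keep prior behaviour, a one-line comment such as `/* TLS_PROTOCOLS_ALL keeps pre-existing TLSv1.0/1.1 support; revisit once TLSv1.2-only is acceptable */` would stop a later reader from assuming the library default was simply overlooked. spamd_tls_init() starts before this hunk.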
diff --git a/usr.bin/ftp/main.c b/usr.bin/ftp/main.c
index 5e2595d4dbf..ae333c0479f 100644
--- a/usr.bin/ftp/main.c
+++ b/usr.bin/ftp/main.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: main.c,v 1.97 2015/02/09 08:24:21 tedu Exp $ */
+/* $OpenBSD: main.c,v 1.98 2015/02/12 04:23:17 jsing Exp $ */
/* $NetBSD: main.c,v 1.24 1997/08/18 10:20:26 lukem Exp $ */
/*
@@ -312,6 +312,8 @@ main(volatile int argc, char *argv[])
tls_config = tls_config_new();
if (tls_config == NULL)
errx(1, "tls config failed");
+ tls_config_set_protocols(tls_config,
+ TLS_PROTOCOLS_ALL);
}
cp = optarg;
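Review bot: The added tls_config_set_protocols() call ignores its return value right after a tls_config_new() failure is treated as fatal with errx(); for the same failure handling, assuming the setter returns int like the other tls_config setters, use `if (tls_config_set_protocols(tls_config, TLS_PROTOCOLS_ALL) != 0) errx(1, "tls config failed");`. On the client side this means ftp will accept whatever version the server selects down to TLSv1.0, which is the stated intent of the commit but deserves a comment at the call site, e.g. `/* all TLS versions, to keep prior behaviour */`, so the widening is not mistaken for an oversight. This hunk is inside main(), which starts and ends outside it.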
diff --git a/usr.sbin/httpd/server.c b/usr.sbin/httpd/server.c
index 6e63120b95f..504195b47c8 100644
--- a/usr.sbin/httpd/server.c
+++ b/usr.sbin/httpd/server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server.c,v 1.57 2015/02/07 23:56:02 reyk Exp $ */
+/* $OpenBSD: server.c,v 1.58 2015/02/12 04:23:17 jsing Exp $ */
/*
* Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -175,6 +175,8 @@ server_tls_init(struct server *srv)
return (-1);
}
+ tls_config_set_protocols(srv->srv_tls_config, TLS_PROTOCOLS_ALL);
+
if (tls_config_set_ciphers(srv->srv_tls_config,
srv->srv_conf.tls_ciphers) != 0) {
log_warn("%s: failed to set tls ciphers", __func__);
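Review bot: The added tls_config_set_protocols() call ignores its return value, while the tls_config_set_ciphers() call two lines below logs a warning and bails out on failure; the new call should follow that pattern, shown below, assuming tls_config_set_protocols() returns int as the ciphers setter does and mirroring the `return (-1)` the preceding error path uses. Hard-coding TLS_PROTOCOLS_ALL also means an administrator can tune ciphers through srv_conf.tls_ciphers but has no way to turn off TLSv1.0/1.1 for a given server, so presumably a per-server protocol setting defaulting to TLS_PROTOCOLS_ALL would be the natural follow-up. server_tls_init() starts before this hunk.
```c
	if (tls_config_set_protocols(srv->srv_tls_config,
	    TLS_PROTOCOLS_ALL) != 0) {
		log_warn("%s: failed to set tls protocols", __func__);
		return (-1);
	}
	/* … unchanged: tls_config_set_ciphers call and the rest of server_tls_init … */
```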
diff --git a/usr.sbin/syslogd/syslogd.c b/usr.sbin/syslogd/syslogd.c
index abf67e89e14..591fe2beb8e 100644
--- a/usr.sbin/syslogd/syslogd.c
+++ b/usr.sbin/syslogd/syslogd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: syslogd.c,v 1.153 2015/02/10 18:30:20 bluhm Exp $ */
+/* $OpenBSD: syslogd.c,v 1.154 2015/02/12 04:23:17 jsing Exp $ */
/*
* Copyright (c) 1983, 1988, 1993, 1994
@@ -526,6 +526,8 @@ main(int argc, char *argv[])
} else {
struct stat sb;
+ tls_config_set_protocols(tlsconfig, TLS_PROTOCOLS_ALL);
+
fd = -1;
p = NULL;
errno = 0;
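Review bot: The new tls_config_set_protocols(tlsconfig, TLS_PROTOCOLS_ALL) call discards its return value and, sitting in this else branch, presumably relies on tlsconfig having been allocated and NULL-checked earlier in main(), which is outside the hunk; that assumption is worth confirming since this line would be the first dereference. If the setter returns int like the other tls_config setters, the result should be checked and reported through the same error path the surrounding TLS setup already uses, and a comment such as `/* all TLS versions, to keep prior behaviour (library default is now TLSv1.2 only) */` would record why the library default is overridden. main() starts and ends outside this hunk.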