author | Joel Sing <jsing@cvs.openbsd.org> | 2014-11-07 13:48:07 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2014-11-07 13:48:07 +0000 |
commit | f7a9764f365f980562c4cb7323052a2ac6ce883c (patch) | |
tree | adaeb5abfd98b8eb16cbdb88efc21ee2a8caec7b | |
parent | c0a09fa0dca93ad873e0fae8cf9dd154c8508f11 (diff) |
Remove the sslv2 option since LibreSSL has no SSLv2 support (however retain
SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform
with another SSL library). Also fix the SSLv3 handling so that 'no sslv3'
actually works as intended.
ok reyk@
-rw-r--r-- | usr.sbin/relayd/parse.y | 6 | ||||
-rw-r--r-- | usr.sbin/relayd/relay.c | 9 | ||||
-rw-r--r-- | usr.sbin/relayd/relayd.conf.5 | 10 | ||||
-rw-r--r-- | usr.sbin/relayd/relayd.h | 15 |
4 files changed, 17 insertions, 23 deletions
diff --git a/usr.sbin/relayd/parse.y b/usr.sbin/relayd/parse.y
index f8575c93633..fcb91f9d1d6 100644
--- a/usr.sbin/relayd/parse.y
+++ b/usr.sbin/relayd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.192 2014/11/02 13:59:40 bluhm Exp $ */
+/* $OpenBSD: parse.y,v 1.193 2014/11/07 13:48:06 jsing Exp $ */
 /*
 * Copyright (c) 2007 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -1059,9 +1059,7 @@ sslflags : SESSION CACHE sslcache { proto->cache = $3; }
 ;
 flag : STRING {
- if (strcmp("sslv2", $1) == 0)
- $$ = SSLFLAG_SSLV2;
- else if (strcmp("sslv3", $1) == 0)
+ if (strcmp("sslv3", $1) == 0)
 $$ = SSLFLAG_SSLV3;
 else if (strcmp("tlsv1", $1) == 0)
 $$ = SSLFLAG_TLSV1;
diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c
index 59426161538..ee6d99aba1a 100644
--- a/usr.sbin/relayd/relay.c
+++ b/usr.sbin/relayd/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.179 2014/10/25 03:23:49 lteo Exp $ */
+/* $OpenBSD: relay.c,v 1.180 2014/11/07 13:48:06 jsing Exp $ */
 /*
 * Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -1983,14 +1983,17 @@ relay_ssl_ctx_create(struct relay *rlay)
 SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 /* Set the allowed SSL protocols */
- if ((proto->sslflags & SSLFLAG_SSLV2) == 0)
- SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
 if ((proto->sslflags & SSLFLAG_SSLV3) == 0)
 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1);
 if ((proto->sslflags & SSLFLAG_TLSV1_0) == 0)
 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_1);
 if ((proto->sslflags & SSLFLAG_TLSV1_1) == 0)
 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1);
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_2);
 if ((proto->sslflags & SSLFLAG_TLSV1_2) == 0)
 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5
index ffac08b1175..c983660146d 100644
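Review bot: Removing the `sslv2` string from the `flag` rule turns an existing `no sslv2` line in relayd.conf into a parse error, assuming the chain's final branch (outside the hunk) rejects unknown strings as it presumably did before, so a config line that was harmless yesterday keeps the daemon from starting after an upgrade. Since the option never did anything on LibreSSL, accepting `sslv2` as an ignored keyword with a `log_warnx("sslv2 is no longer supported")` for one release would avoid that, or at minimum the removal should be called out where upgraders will see it. The rest of the `flag` rule, including its error branch, lies outside this hunk.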
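Review bot: The new `SSL_CTX_clear_options`/`SSL_CTX_set_options` pairs carry no comment saying why each NO_* bit is cleared before it is conditionally set again, and a later cleanup could easily fold them back into the old one-liner form; the existing comment should state it, e.g. `/* Set the allowed SSL protocols: clear each NO_* bit first so the result depends only on proto->sslflags, not on library defaults or options already on ctx. */`. A consequence worth spelling out is that, because the clear runs unconditionally, an operator `sslv3` keyword re-enables SSLv3 even on a library that disables it by default (I believe LibreSSL did after POODLE — verify), which is presumably intended but deserves a `log_warnx` at configuration time given the protocol's known weaknesses. Nothing in the hunk rejects a configuration with every version bit clear, which leaves a context that cannot negotiate anything; if parse.y already checks against `SSLFLAG_VERSION` that is covered, otherwise a check belongs here. relay_ssl_ctx_create begins and ends outside the hunk.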
--- a/usr.sbin/relayd/relayd.conf.5
+++ b/usr.sbin/relayd/relayd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: relayd.conf.5,v 1.151 2014/10/21 02:29:54 lteo Exp $
+.\" $OpenBSD: relayd.conf.5,v 1.152 2014/11/07 13:48:06 jsing Exp $
 .\"
 .\" Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
 .\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 21 2014 $
+.Dd $Mdocdate: November 7 2014 $
 .Dt RELAYD.CONF 5
 .Os
 .Sh NAME
@@ -922,12 +922,6 @@ A positive number will set the maximum size in bytes and the keyword
 will disable the SSL session cache.
 .It Xo
 .Op Ic no
-.Ic sslv2
-.Xc
-Enable the SSLv2 protocol;
-disabled by default.
-.It Xo
-.Op Ic no
 .Ic sslv3
 .Xc
 Enable the SSLv3 protocol;
diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h
index ac192e0cdae..6ed2c4bcdec 100644
--- a/usr.sbin/relayd/relayd.h
+++ b/usr.sbin/relayd/relayd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.h,v 1.195 2014/11/02 13:59:40 bluhm Exp $ */
+/* $OpenBSD: relayd.h,v 1.196 2014/11/07 13:48:06 jsing Exp $ */
 /*
 * Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -635,12 +635,11 @@ TAILQ_HEAD(relay_rules, relay_rule);
 "\10\01NODELAY\02NO_NODELAY\03SACK\04NO_SACK" \
 "\05SOCKET_BUFFER_SIZE\06IP_TTL\07IP_MINTTL\10NO_SPLICE"
-#define SSLFLAG_SSLV2 0x01
-#define SSLFLAG_SSLV3 0x02
-#define SSLFLAG_TLSV1_0 0x04
-#define SSLFLAG_TLSV1_1 0x08
-#define SSLFLAG_TLSV1_2 0x10
-#define SSLFLAG_TLSV1 0x1c
+#define SSLFLAG_SSLV3 0x01
+#define SSLFLAG_TLSV1_0 0x02
+#define SSLFLAG_TLSV1_1 0x04
+#define SSLFLAG_TLSV1_2 0x08
+#define SSLFLAG_TLSV1 0x0e
 #define SSLFLAG_VERSION 0x1f
 #define SSLFLAG_CIPHER_SERVER_PREF 0x20
 #define SSLFLAG_CLIENT_RENEG 0x40
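Review bot: `SSLFLAG_VERSION` is left at 0x1f although the highest version bit is now `SSLFLAG_TLSV1_2` at 0x08, so the mask still covers the 0x10 bit that no longer names any protocol; nothing visible here sets that bit, but a mask that does not match the defined bits is exactly what a future "add a version" change gets wrong, so it should become `#define SSLFLAG_VERSION 0x0f` in the same renumbering. The new `SSLFLAG_TLSV1` value 0x0e does equal TLSV1_0|TLSV1_1|TLSV1_2, and SSLv3 stays out of the default set, which is the right default. The run of defines continues past the end of the hunk.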
@@ -648,7 +647,7 @@ TAILQ_HEAD(relay_rules, relay_rule);
 (SSLFLAG_TLSV1|SSLFLAG_CLIENT_RENEG)
 #define SSLFLAG_BITS \
- "\10\01sslv2\02sslv3\03tlsv1.0\04tlsv1.1\05tlsv1.2" \
+ "\06\01sslv3\02tlsv1.0\03tlsv1.1\04tlsv1.2" \
 "\06cipher-server-preference\07client-renegotiation"
 #define SSLCIPHERS_DEFAULT "HIGH:!aNULL" |
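Review bot: The rewritten `SSLFLAG_BITS` string begins with `\06` where the line it replaces and the NODELAY bits string in the previous hunk both begin with `\10`; in the BSD printb convention that first byte is the radix used when the value is printed, so `\06` reads as a typo for `\10`, unless relayd's own printb_flags skips the leading byte (not visible here — verify), in which case it is merely inconsistent with its neighbour. Either way I would write `"\10\01sslv3\02tlsv1.0\03tlsv1.1\04tlsv1.2" \`. The bit positions 1-4 and 6-7 do agree with the renumbered SSLFLAG_* values, and the `SSLFLAG_DEFAULT` macro whose tail opens this hunk starts outside it.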