author | Reyk Floeter <reyk@cvs.openbsd.org> | 2014-10-15 11:06:17 +0000 |
---|---|---|
committer | Reyk Floeter <reyk@cvs.openbsd.org> | 2014-10-15 11:06:17 +0000 |
commit | 74d02ae20fac0fb6a6187064848a292ba37ad83e (patch) | |
tree | 5ab400070bfc8b4998aa7137b09b8ec292c62684 /usr.sbin | |
parent | e221c748f78d80d41bd11b0dea188f6a49b17cd6 (diff) |
Disable SSLv3 by default.
OK sthen@ jsing@
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/relayd/parse.y | 8 | ||||
-rw-r--r-- | usr.sbin/relayd/relay.c | 8 | ||||
-rw-r--r-- | usr.sbin/relayd/relayd.conf.5 | 33 | ||||
-rw-r--r-- | usr.sbin/relayd/relayd.h | 19 |
4 files changed, 52 insertions, 16 deletions
diff --git a/usr.sbin/relayd/parse.y b/usr.sbin/relayd/parse.y
index 5e7aa64ce32..a08b8b829e9 100644
--- a/usr.sbin/relayd/parse.y
+++ b/usr.sbin/relayd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.189 2014/09/05 10:19:26 blambert Exp $ */
+/* $OpenBSD: parse.y,v 1.190 2014/10/15 11:06:16 reyk Exp $ */
 /*
 * Copyright (c) 2007 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -1065,6 +1065,12 @@ flag : STRING {
 $$ = SSLFLAG_SSLV3;
 else if (strcmp("tlsv1", $1) == 0)
 $$ = SSLFLAG_TLSV1;
+ else if (strcmp("tlsv1.0", $1) == 0)
+ $$ = SSLFLAG_TLSV1_0;
+ else if (strcmp("tlsv1.1", $1) == 0)
+ $$ = SSLFLAG_TLSV1_1;
+ else if (strcmp("tlsv1.2", $1) == 0)
+ $$ = SSLFLAG_TLSV1_2;
 else if (strcmp("cipher-server-preference", $1) == 0)
 $$ = SSLFLAG_CIPHER_SERVER_PREF;
 else if (strcmp("client-renegotiation", $1) == 0)
diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c
index 26d8d9a0f4f..ba8787a5aac 100644
--- a/usr.sbin/relayd/relay.c
+++ b/usr.sbin/relayd/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.177 2014/09/05 10:19:26 blambert Exp $ */
+/* $OpenBSD: relay.c,v 1.178 2014/10/15 11:06:16 reyk Exp $ */
 /*
 * Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -1988,8 +1988,12 @@ relay_ssl_ctx_create(struct relay *rlay)
 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
 if ((proto->sslflags & SSLFLAG_SSLV3) == 0)
 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
- if ((proto->sslflags & SSLFLAG_TLSV1) == 0)
+ if ((proto->sslflags & SSLFLAG_TLSV1_0) == 0)
 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
+ if ((proto->sslflags & SSLFLAG_TLSV1_1) == 0)
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1);
+ if ((proto->sslflags & SSLFLAG_TLSV1_2) == 0)
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
 /* add the SSL info callback */
 SSL_CTX_set_info_callback(ctx, relay_ssl_callback_info);
diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5
index 5b3621ec3d8..6edc553a4f0 100644
--- a/usr.sbin/relayd/relayd.conf.5
+++ b/usr.sbin/relayd/relayd.conf.5 
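Review bot: The `tlsv1` branch now yields the three-bit mask SSLFLAG_TLSV1 rather than a single flag bit, so `tlsv1` and `no tlsv1` presumably set or clear tlsv1.0, tlsv1.1 and tlsv1.2 together, and a `tlsv1` written after a `no tlsv1.0` would re-enable the version just removed; nothing in the hunk says so. A comment above that branch would save the next reader a trip to relayd.h: `/* "tlsv1" is an alias for every TLSv1.x bit (the SSLFLAG_TLSV1 mask), not a single version */`. The `flag` rule starts before and ends after this hunk, and the code that applies the `no` prefix is outside it, so the order-dependence is inferred from the mask value rather than seen here.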
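Review bot: Nothing in relay_ssl_ctx_create rejects a configuration in which every version bit has been cleared: with SSLv3 now off by default, a protocol that says `no tlsv1` keeps none of the versions this block tests, every SSL_OP_NO_* option gets set, and the mistake only shows up as handshake failures at run time instead of a config error. Such a check should ignore the sslv2 bit, because the first context line of the hunk sets SSL_OP_NO_SSLv2 unconditionally, so a config that keeps only `sslv2` is equally dead: before the options block, `if ((proto->sslflags & (SSLFLAG_VERSION & ~SSLFLAG_SSLV2)) == 0)` should log the problem and take the function's existing failure path, or better still the same condition should be refused in parse.y when the protocol is closed. The function starts and ends outside the hunk, so I cannot see whether an equivalent check already exists elsewhere in it.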
@@ -1,4 +1,4 @@
-.\" $OpenBSD: relayd.conf.5,v 1.149 2014/09/05 10:19:26 blambert Exp $
+.\" $OpenBSD: relayd.conf.5,v 1.150 2014/10/15 11:06:16 reyk Exp $
 .\"
 .\" Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
 .\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 5 2014 $
+.Dd $Mdocdate: October 15 2014 $
 .Dt RELAYD.CONF 5
 .Os
 .Sh NAME
@@ -930,13 +930,36 @@ disabled by default.
 .Op Ic no
 .Ic sslv3
 .Xc
-Disable the SSLv3 protocol;
-enabled by default.
+Enable the SSLv3 protocol;
+disabled by default.
 .It Xo
 .Op Ic no
 .Ic tlsv1
 .Xc
-Disable the TLSv1/SSLv3.1 protocol;
+Disable the TLSv1 protocols;
+enabled by default.
+This is an alias that includes
+.Ic tlsv1.0 ,
+.Ic tlsv1.1 ,
+and
+.Ic tlsv1.2 .
+.It Xo
+.Op Ic no
+.Ic tlsv1.0
+.Xc
+Disable the TLSv1.0 protocol;
+enabled by default.
+.It Xo
+.Op Ic no
+.Ic tlsv1.1
+.Xc
+Disable the TLSv1.1 protocol;
+enabled by default.
+.It Xo
+.Op Ic no
+.Ic tlsv1.2
+.Xc
+Disable the TLSv1.2 protocol;
 enabled by default.
 .El
 .It Ic tcp Ar option
diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h
index 2ce3c3091b8..ffd7a5dad98 100644
--- a/usr.sbin/relayd/relayd.h
+++ b/usr.sbin/relayd/relayd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.h,v 1.192 2014/09/05 10:19:26 blambert Exp $ */
+/* $OpenBSD: relayd.h,v 1.193 2014/10/15 11:06:16 reyk Exp $ */
 /*
 * Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org> 
@@ -637,16 +637,19 @@ TAILQ_HEAD(relay_rules, relay_rule);
 #define SSLFLAG_SSLV2 0x01
 #define SSLFLAG_SSLV3 0x02
-#define SSLFLAG_TLSV1 0x04
-#define SSLFLAG_VERSION 0x07
-#define SSLFLAG_CIPHER_SERVER_PREF 0x08
-#define SSLFLAG_CLIENT_RENEG 0x10
+#define SSLFLAG_TLSV1_0 0x04
+#define SSLFLAG_TLSV1_1 0x08
+#define SSLFLAG_TLSV1_2 0x10
+#define SSLFLAG_TLSV1 0x1c
+#define SSLFLAG_VERSION 0x1f
+#define SSLFLAG_CIPHER_SERVER_PREF 0x20
+#define SSLFLAG_CLIENT_RENEG 0x40
 #define SSLFLAG_DEFAULT \
- (SSLFLAG_SSLV3|SSLFLAG_TLSV1|SSLFLAG_CLIENT_RENEG)
+ (SSLFLAG_TLSV1|SSLFLAG_CLIENT_RENEG)
 #define SSLFLAG_BITS \
- "\10\01sslv2\02sslv3\03tlsv1" \
- "\04cipher-server-preference\05client-renegotiation"
+ "\10\01sslv2\02sslv3\03tlsv1.0\04tlsv1.1\05tlsv1.2" \
+ "\06cipher-server-preference\07client-renegotiation"
 #define SSLCIPHERS_DEFAULT "HIGH:!aNULL"
 #define SSLECDHCURVE_DEFAULT NID_X9_62_prime256v1 |
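Review bot: `SSLFLAG_TLSV1 0x1c` and `SSLFLAG_VERSION 0x1f` are hand-computed unions of the bits defined directly above them, which is exactly how the next version bit ends up missing from one mask or the other (and from the SSLFLAG_BITS name table, which has to stay in step for the flag names printed in logs to match the bit positions). Writing them as `#define SSLFLAG_TLSV1 (SSLFLAG_TLSV1_0|SSLFLAG_TLSV1_1|SSLFLAG_TLSV1_2)` and `#define SSLFLAG_VERSION (SSLFLAG_SSLV2|SSLFLAG_SSLV3|SSLFLAG_TLSV1)` keeps them correct by construction, and a one-line comment that SSLFLAG_TLSV1 is a multi-bit mask rather than a flag would stop someone testing it with `== 0` and expecting a single version, which is the very test this commit had to replace in relay.c. SSLFLAG_SSLV2 also stays in the version mask and in SSLFLAG_BITS even though relay.c sets SSL_OP_NO_SSLv2 unconditionally, so a config that enables `sslv2` is silently ignored; a comment such as `/* accepted for compatibility only; relay.c always disables SSLv2 */` would make that honest.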