From 007ee6d1abf347d37847d427dfffb765443bf525 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Ja=C5=A1a?= <djasa@redhat.com>
Date: Wed, 27 Nov 2013 17:24:46 +0100
Subject: [PATCH 1/3] Use TLS version 1.0 or better

When creating a TLS socket, both spice-server and spice-gtk currently
call SSL_CTX_new(TLSv1_method()). The TLSv1_method() function sets the
protocol version to TLS 1.0 exclusively. The correct way to support
multiple protocol versions is to call SSLv23_method() in spite of its
scary name. This method will enable all SSL/TLS protocol versions. The
protocol suite may be further narrowed down by setting respective
SSL_OP_NO_<version_code> options of SSL context.  This possibility is
used in this patch in order to block use of SSLv3 that is enabled by
default in openssl for client sockets as of now but spice has never used
it.
---
 gtk/spice-channel.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
index e4683f8..f101c3a 100644
--- a/gtk/spice-channel.c
+++ b/gtk/spice-channel.c
@@ -2215,6 +2215,9 @@ static void *spice_channel_coroutine(void *data)
     int rc, delay_val = 1;
     gboolean switch_tls = FALSE;
     gboolean switch_protocol = FALSE;
+    /* When some other SSL/TLS version becomes obsolete, add it to this
+     * variable. */
+    long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
 
     CHANNEL_DEBUG(channel, "Started background coroutine %p", &c->coroutine);
 
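Review bot: The new ssl_options mask at the top of spice_channel_coroutine only strips SSLv2 and SSLv3, while OpenSSL client contexts of this era also enable TLS compression by default (the CRIME attack surface), so the same mask is the natural place for `SSL_OP_NO_COMPRESSION`, wrapped in `#ifdef SSL_OP_NO_COMPRESSION` if the project's minimum OpenSSL may predate the release that introduced it. The variable is never reassigned in the hunk and could be `const`, and its comment should state the intent rather than only the maintenance rule, e.g. `/* Accept TLS 1.0 or newer: SSLv23_method() negotiates any version, this mask removes the ones we refuse. */`. spice_channel_coroutine starts before this hunk and ends after it.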
@@ -2254,13 +2257,15 @@ reconnect:
     c->has_error = FALSE;
 
     if (c->tls) {
-        c->ctx = SSL_CTX_new(TLSv1_method());
+        c->ctx = SSL_CTX_new(SSLv23_method());
         if (c->ctx == NULL) {
             g_critical("SSL_CTX_new failed");
             emit_main_context(channel, SPICE_CHANNEL_EVENT, SPICE_CHANNEL_ERROR_TLS);
             goto cleanup;
         }
 
+        SSL_CTX_set_options(c->ctx, ssl_options);
+
         verify = spice_session_get_verify(c->session);
         if (verify &
             (SPICE_SESSION_VERIFY_SUBJECT | SPICE_SESSION_VERIFY_HOSTNAME)) {
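Review bot: The `SSLv23_method()` call reads as a downgrade to anyone who does not know the OpenSSL naming quirk the commit message explains, so the rationale belongs next to the code: `/* SSLv23_method() is OpenSSL's "any version" method; ssl_options strips SSLv2/SSLv3 so only TLS 1.0+ is negotiated. */` above the `SSL_CTX_new` line. `SSL_CTX_set_options` only narrows protocol versions; nothing in this hunk sets a cipher list, so unless `SSL_CTX_set_cipher_list` is called elsewhere in this function the context keeps OpenSSL's default suite, which is worth confirming. spice_channel_coroutine starts before this hunk and ends after it.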
-- 
1.7.1