Blame SOURCES/0021-reds-Disable-TLS-1.0.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Sun, 11 Feb 2018 18:27:41 +0000
Subject: [spice-server] reds: Disable TLS 1.0

TLS 1.0 is now considered insecure.
TLS 1.1 was introduced in 2006.
Our SPICE clients use OpenSSL for TLS, and support for TLS 1.1
in OpenSSL was introduced in 2006 too, so even systems like
Windows XP, which do not officially support TLS 1.0, will work
with SPICE and TLS 1.1.
This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1521053.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Victor Toso <victortoso@redhat.com>
---
 server/reds.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/server/reds.c b/server/reds.c
index 401d242..0af5643 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -2836,9 +2836,10 @@ static int reds_init_ssl(RedsState *reds)
     SSL_METHOD *ssl_method;
 #endif
     int return_code;
-    /* When some other SSL/TLS version becomes obsolete, add it to this
+    /* Limit connection to TLSv1.1 or newer.
+     * When some other SSL/TLS version becomes obsolete, add it to this
      * variable. */
-    long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+    long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1;
 
     /* Global system initialization*/
     g_once(&openssl_once, openssl_global_init, NULL);
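Review bot: The exclusion-list style of `long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1;` does achieve what the new comment promises (TLSv1.1 or newer), but, as the comment itself admits, it must be extended by hand each time a protocol version is retired, and forgetting to do so silently leaves the old version enabled. Where the build can require OpenSSL 1.1.0 or later, expressing the policy as a floor with `SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION)` is more robust, since raising the floor later is a one-token change and no version can be overlooked. Independently of that, the commit message should state the user-visible effect of this hunk plainly: a client that can only speak TLS 1.0 will now fail the handshake instead of connecting, which is the intended outcome but worth calling out for anyone reading the changelog.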