|
 |
7bbc9c |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
7bbc9c |
From: Frediano Ziglio <fziglio@redhat.com>
|
|
|
7bbc9c |
Date: Sun, 11 Feb 2018 18:27:41 +0000
|
|
|
7bbc9c |
Subject: [spice-server] reds: Disable TLS 1.0
|
|
|
7bbc9c |
|
|
|
7bbc9c |
TLS 1.0 is considered now insecure.
|
|
|
7bbc9c |
TLS 1.1 was introduced in 2006.
|
|
|
7bbc9c |
Our SPICE clients uses OpenSSL to use TLS and the support for TLS 1.1
|
|
|
7bbc9c |
in OpenSSL was introduced in 2006 too so even in systems like
|
|
|
7bbc9c |
Windows XP which are not officially supporting TLS 1.0 will work
|
|
|
7bbc9c |
with SPICE and TLS 1.1.
|
|
|
7bbc9c |
This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1521053.
|
|
|
7bbc9c |
|
|
|
7bbc9c |
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
|
|
|
7bbc9c |
Acked-by: Victor Toso <victortoso@redhat.com>
|
|
|
7bbc9c |
---
|
|
|
7bbc9c |
server/reds.c | 5 +++--
|
|
|
7bbc9c |
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
7bbc9c |
|
|
|
7bbc9c |
diff --git a/server/reds.c b/server/reds.c
|
|
|
7bbc9c |
index 401d242..0af5643 100644
|
|
|
7bbc9c |
--- a/server/reds.c
|
|
|
7bbc9c |
+++ b/server/reds.c
|
|
|
7bbc9c |
@@ -2836,9 +2836,10 @@ static int reds_init_ssl(RedsState *reds)
|
|
|
7bbc9c |
SSL_METHOD *ssl_method;
|
|
|
7bbc9c |
#endif
|
|
|
7bbc9c |
int return_code;
|
|
|
7bbc9c |
- /* When some other SSL/TLS version becomes obsolete, add it to this
|
|
|
7bbc9c |
+ /* Limit connection to TLSv1.1 or newer.
|
|
|
7bbc9c |
+ * When some other SSL/TLS version becomes obsolete, add it to this
|
|
|
7bbc9c |
* variable. */
|
|
|
7bbc9c |
- long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
|
|
|
7bbc9c |
+ long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1;
|
|
|
7bbc9c |
|
|
|
7bbc9c |
/* Global system initialization*/
|
|
|
7bbc9c |
g_once(&openssl_once, openssl_global_init, NULL);
|