From 4fc9ba5f27dd4c04441d38c893ee962da01baf80 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Ja=C5=A1a?= <djasa@redhat.com>
Date: Wed, 27 Nov 2013 17:45:49 +0100
Subject: [PATCH spice] Use TLS version 1.0 or better
|
When creating a TLS socket, both spice-server and spice-gtk currently
call SSL_CTX_new(TLSv1_method()). The TLSv1_method() function sets the
protocol version to TLS 1.0 exclusively. The correct way to support
multiple protocol versions is to call SSLv23_method() in spite of its
scary name. This method will enable all SSL/TLS protocol versions. The
protocol suite may be further narrowed down by setting respective
SSL_OP_NO_<version_code> options of SSL context. This possibility is
used in this patch in order to block use of SSLv3 that is enabled by
default in openssl for client sockets as of now but spice has never used
it.
---
server/reds.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
|
diff --git a/server/reds.c b/server/reds.c
index 2a0002b..d79732c 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -3221,6 +3221,8 @@ static int reds_init_ssl(void)
SSL_METHOD *ssl_method;
#endif
int return_code;
+ /* When some other SSL/TLS version becomes obsolete, add it to this
+ * variable. */
long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
|
/* Global system initialization*/
@@ -3228,7 +3230,8 @@ static int reds_init_ssl(void)
SSL_load_error_strings();
|
/* Create our context*/
- ssl_method = TLSv1_method();
+ /* SSLv23_method() handles TLSv1.x in addition to SSLv2/v3 */
+ ssl_method = SSLv23_method();
reds->ctx = SSL_CTX_new(ssl_method);
if (!reds->ctx) {
spice_warning("Could not allocate new SSL context");
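Review bot: `SSLv23_method()` by itself enables every SSL/TLS version OpenSSL was built with, so the "TLS 1.0 or better" floor promised by the subject line holds only if `ssl_options` is actually applied with `SSL_CTX_set_options(reds->ctx, ssl_options)` after the `SSL_CTX_new` call; that call is in neither hunk, so please confirm it follows on every path that reaches the handshake. The new comment would be more useful if it named this dependency, e.g. `/* SSLv23_method() negotiates any SSL/TLS version; the floor is enforced by ssl_options via SSL_CTX_set_options() */`, and the hunk-1 comment on `ssl_options` could likewise say that the variable only takes effect once passed to `SSL_CTX_set_options()`. Since OpenSSL 1.0.0 `SSLv23_method()` returns `const SSL_METHOD *`, while the first hunk shows a non-const `SSL_METHOD *ssl_method` under a version guard whose `#if` is not visible — worth checking that both branches compile without a discarded-qualifier warning. reds_init_ssl begins and ends outside these hunks.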
--
2.1.0
|