Date: Sat, 20 Feb 2016 13:36:24 +0000 (UTC)
From: Dag-Erling Smørgrav <des@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
Subject: svn commit: r295840 - stable/9/lib/libfetch
Message-ID: <201602201336.u1KDaOAS026115@repo.freebsd.org>
Author: des Date: Sat Feb 20 13:36:24 2016 New Revision: 295840 URL: https://svnweb.freebsd.org/changeset/base/295840 Log: MFH (r273114, r273124): turn SSLv3 off by default MFH (r294326): fall back to standard / configured CA store MFH (r295536): fix double-free when SSL connection fails PR: 193871 206774 Modified: stable/9/lib/libfetch/common.c stable/9/lib/libfetch/fetch.3 stable/9/lib/libfetch/http.c Directory Properties: stable/9/ (props changed) stable/9/lib/ (props changed) stable/9/lib/libfetch/ (props changed) stable/9/usr.bin/ (props changed) stable/9/usr.bin/fetch/ (props changed) Modified: stable/9/lib/libfetch/common.c ============================================================================== --- stable/9/lib/libfetch/common.c Sat Feb 20 13:21:59 2016 (r295839) +++ stable/9/lib/libfetch/common.c Sat Feb 20 13:36:24 2016 (r295840) @@ -674,7 +674,7 @@ fetch_ssl_setup_transport_layer(SSL_CTX long ssl_ctx_options; ssl_ctx_options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_TICKET; - if (getenv("SSL_NO_SSL3") != NULL) + if (getenv("SSL_ALLOW_SSL3") == NULL) ssl_ctx_options |= SSL_OP_NO_SSLv3; if (getenv("SSL_NO_TLS1") != NULL) ssl_ctx_options |= SSL_OP_NO_TLSv1; @@ -701,7 +701,8 @@ fetch_ssl_setup_peer_verification(SSL_CT if (ca_cert_file == NULL && access(LOCAL_CERT_FILE, R_OK) == 0) ca_cert_file = LOCAL_CERT_FILE; - if (ca_cert_file == NULL) + if (ca_cert_file == NULL && + access(BASE_CERT_FILE, R_OK) == 0) ca_cert_file = BASE_CERT_FILE; ca_cert_path = getenv("SSL_CA_CERT_PATH"); if (verbose) { 
@@ -712,11 +713,17 @@ fetch_ssl_setup_peer_verification(SSL_CT if (ca_cert_path != NULL) fetch_info("Using CA cert path: %s", ca_cert_path); + if (ca_cert_file == NULL && ca_cert_path == NULL) + fetch_info("Using OpenSSL default " + "CA cert file and path"); } SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, fetch_ssl_cb_verify_crt); - SSL_CTX_load_verify_locations(ctx, ca_cert_file, - ca_cert_path); + if (ca_cert_file != NULL || ca_cert_path != NULL) + SSL_CTX_load_verify_locations(ctx, ca_cert_file, + ca_cert_path); + else + SSL_CTX_set_default_verify_paths(ctx); if ((crl_file = getenv("SSL_CRL_FILE")) != NULL) { if (verbose) fetch_info("Using CRL file: %s", crl_file); @@ -872,8 +879,8 @@ fetch_ssl(conn_t *conn, const struct url } if (verbose) { - fetch_info("SSL connection established using %s", - SSL_get_cipher(conn->ssl)); + fetch_info("%s connection established using %s", + SSL_get_version(conn->ssl), SSL_get_cipher(conn->ssl)); name = X509_get_subject_name(conn->ssl_cert); str = X509_NAME_oneline(name, 0, 0); fetch_info("Certificate subject: %s", str); Modified: stable/9/lib/libfetch/fetch.3 ============================================================================== --- stable/9/lib/libfetch/fetch.3 Sat Feb 20 13:21:59 2016 (r295839) +++ stable/9/lib/libfetch/fetch.3 Sat Feb 20 13:36:24 2016 (r295840) @@ -438,13 +438,13 @@ input (see .Pp By default .Nm libfetch -allows SSLv3 and TLSv1 when negotiating the connecting with the remote +allows TLSv1 when negotiating the connecting with the remote peer. You can change this behavior by setting the -.Ev SSL_NO_SSL3 -or +.Ev SSL_ALLOW_SSL3 +environment variable to allow SSLv3 and .Ev SSL_NO_TLS1 -environment variables to disable the respective methods. +to disable TLS 1.0. .Sh AUTHENTICATION Apart from setting the appropriate environment variables and specifying the user name and password in the URL or the 
@@ -642,6 +642,8 @@ which proxies should not be used. Same as .Ev NO_PROXY , for compatibility. +.It Ev SSL_ALLOW_SSL3 +Allow SSL version 3 when negotiating the connection (not recommended). .It Ev SSL_CA_CERT_FILE CA certificate bundle containing trusted CA certificates. Default value: @@ -656,10 +658,12 @@ PEM encoded client key in case key and c are stored separately. .It Ev SSL_CRL_FILE File containing certificate revocation list. -.It Ev SSL_NO_SSL3 -Don't allow SSL version 3 when negotiating the connection. .It Ev SSL_NO_TLS1 -Don't allow TLV version 1 when negotiating the connection. +Do not allow TLS version 1.0 when negotiating the connection. +.It Ev SSL_NO_TLS1_1 +Do not allow TLS version 1.1 when negotiating the connection. +.It Ev SSL_NO_TLS1_2 +Do not allow TLS version 1.2 when negotiating the connection. .It Ev SSL_NO_VERIFY_HOSTNAME If set, do not verify that the hostname matches the subject of the certificate presented by the server. Modified: stable/9/lib/libfetch/http.c ============================================================================== --- stable/9/lib/libfetch/http.c Sat Feb 20 13:21:59 2016 (r295839) +++ stable/9/lib/libfetch/http.c Sat Feb 20 13:36:24 2016 (r295840) @@ -1435,7 +1435,6 @@ http_connect(struct url *URL, struct url } if (strcasecmp(URL->scheme, SCHEME_HTTPS) == 0 && fetch_ssl(conn, URL, verbose) == -1) { - fetch_close(conn); /* grrr */ errno = EAUTH; fetch_syserr();
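Review bot: the fetch.3 hunk at @@ -656 documents SSL_NO_TLS1_1 and SSL_NO_TLS1_2, but the common.c hunk at @@ -674 shows only the SSL_NO_TLS1 check (`if (getenv("SSL_NO_TLS1") != NULL) ssl_ctx_options |= SSL_OP_NO_TLSv1;`) before its context ends. Confirm that stable/9 common.c also handles SSL_NO_TLS1_1 and SSL_NO_TLS1_2 (and that the OpenSSL in stable/9 defines SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2); otherwise the manual page now documents variables the library silently ignores, which is worse than not documenting them, since an operator who sets SSL_NO_TLS1_1 to pin a minimum version would get no effect and no diagnostic.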
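Review bot: in the common.c hunk at @@ -712 the return values of both SSL_CTX_load_verify_locations() and the newly added SSL_CTX_set_default_verify_paths() are still discarded. With the @@ -701 change, a missing BASE_CERT_FILE now falls through to the OpenSSL default store, which is good, but a user-supplied SSL_CA_CERT_FILE that does not exist, or a default store that is empty, leaves the context with no trust anchors and every connection then fails inside fetch_ssl_cb_verify_crt with a message that does not point at the real cause. Suggest checking both calls, e.g. `if (SSL_CTX_load_verify_locations(ctx, ca_cert_file, ca_cert_path) != 1) { fetch_info("Could not load CA store"); return (-1); }` (with whatever error reporting fetch_ssl_setup_peer_verification already uses), so the failure is reported where it happens.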
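Review bot: the fetch.3 hunk at @@ -438 keeps the pre-existing typo on the edited line, "allows TLSv1 when negotiating the connecting with the remote peer"; since the line is being touched anyway, change it to "negotiating the connection". The same sentence now says only "TLSv1", while the @@ -656 hunk documents separate knobs for TLS 1.0, 1.1 and 1.2; stating "TLS 1.0 and later" (or whichever set the code actually enables) would match the new variable list and avoid readers taking "TLSv1" to mean 1.0 only.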
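Review bot: in the http.c hunk at @@ -1435, dropping `fetch_close(conn); /* grrr */` after a failed fetch_ssl() is consistent with the log's double-free fix, but the context ends at `fetch_syserr();` before the function's error return, so it is not visible who now owns conn on this path. Confirm that the code following fetch_syserr() (or the caller of http_connect) closes the connection exactly once, otherwise the change trades a double free for a leaked conn_t and socket on every failed TLS handshake. A one-line comment at this spot stating who releases conn after a fetch_ssl() failure would replace the removed "grrr" with something the next reader can act on.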