From owner-svn-src-head@freebsd.org Tue Nov 24 22:10:33 2020 Return-Path: Delivered-To: svn-src-head@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id E30C546C14C; Tue, 24 Nov 2020 22:10:33 +0000 (UTC) (envelope-from jkim@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CgdWF68Yfz3NWP; Tue, 24 Nov 2020 22:10:33 +0000 (UTC) (envelope-from jkim@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id C607225D7D; Tue, 24 Nov 2020 22:10:33 +0000 (UTC) (envelope-from jkim@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 0AOMAX9a083213; Tue, 24 Nov 2020 22:10:33 GMT (envelope-from jkim@FreeBSD.org) Received: (from jkim@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 0AOMAXrK083211; Tue, 24 Nov 2020 22:10:33 GMT (envelope-from jkim@FreeBSD.org) Message-Id: <202011242210.0AOMAXrK083211@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: jkim set sender to jkim@FreeBSD.org using -f From: Jung-uk Kim Date: Tue, 24 Nov 2020 22:10:33 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r368000 - head/lib/libfetch X-SVN-Group: head X-SVN-Commit-Author: jkim X-SVN-Commit-Paths: head/lib/libfetch X-SVN-Commit-Revision: 368000 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Nov 2020 22:10:34 -0000 Author: jkim Date: Tue Nov 24 22:10:33 2020 New Revision: 368000 URL: https://svnweb.freebsd.org/changeset/base/368000 Log: Remove support for SSLv3 from fetch(3). Support for SSLv3 was already removed from OpenSSL (r361392). Differential Revision: https://reviews.freebsd.org/D24947 Modified: head/lib/libfetch/common.c head/lib/libfetch/fetch.3 Modified: head/lib/libfetch/common.c ============================================================================== --- head/lib/libfetch/common.c Tue Nov 24 21:45:38 2020 (r367999) +++ head/lib/libfetch/common.c Tue Nov 24 22:10:33 2020 (r368000) @@ -1054,9 +1054,7 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verb { long ssl_ctx_options; - ssl_ctx_options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_TICKET; - if (getenv("SSL_ALLOW_SSL3") == NULL) - ssl_ctx_options |= SSL_OP_NO_SSLv3; + ssl_ctx_options = SSL_OP_ALL | SSL_OP_NO_SSLv3 | SSL_OP_NO_TICKET; if (getenv("SSL_NO_TLS1") != NULL) ssl_ctx_options |= SSL_OP_NO_TLSv1; if (getenv("SSL_NO_TLS1_1") != NULL) Modified: head/lib/libfetch/fetch.3 ============================================================================== --- head/lib/libfetch/fetch.3 Tue Nov 24 21:45:38 2020 (r367999) +++ head/lib/libfetch/fetch.3 Tue Nov 24 22:10:33 2020 (r368000) @@ -26,7 +26,7 @@ .\" .\" $FreeBSD$ .\" -.Dd August 28, 2019 +.Dd November 24, 2020 .Dt FETCH 3 .Os .Sh NAME @@ -465,12 +465,10 @@ By default allows TLSv1 and newer when negotiating the connecting with the remote peer. You can change this behavior by setting the -.Ev SSL_ALLOW_SSL3 -environment variable to allow SSLv3 and .Ev SSL_NO_TLS1 , .Ev SSL_NO_TLS1_1 and .Ev SSL_NO_TLS1_2 -to disable TLS 1.0, 1.1 and 1.2 respectively. +environment variables to disable TLS 1.0, 1.1 and 1.2 respectively. .Sh AUTHENTICATION Apart from setting the appropriate environment variables and specifying the user name and password in the URL or the @@ -675,8 +673,6 @@ IPv6 addresses must enclose the address in brackets. If no port is specified, the default is 1080. This setting will supercede a connection to an .Ev HTTP_PROXY . -.It Ev SSL_ALLOW_SSL3 -Allow SSL version 3 when negotiating the connection (not recommended). .It Ev SSL_CA_CERT_FILE CA certificate bundle containing trusted CA certificates. Default value: See HTTPS SCHEME above.