From owner-svn-src-all@FreeBSD.ORG Wed Oct 15 07:35:51 2014 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id C062614B; Wed, 15 Oct 2014 07:35:51 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id AC467BDA; Wed, 15 Oct 2014 07:35:51 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9F7ZpQU076203; Wed, 15 Oct 2014 07:35:51 GMT (envelope-from des@FreeBSD.org) Received: (from des@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9F7ZpjW076201; Wed, 15 Oct 2014 07:35:51 GMT (envelope-from des@FreeBSD.org) Message-Id: <201410150735.s9F7ZpjW076201@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: des set sender to des@FreeBSD.org using -f From: Dag-Erling Smørgrav Date: Wed, 15 Oct 2014 07:35:51 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r273124 - head/lib/libfetch X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Oct 2014 07:35:51 -0000 Author: des Date: Wed Oct 15 07:35:50 2014 New Revision: 273124 URL: https://svnweb.freebsd.org/changeset/base/273124 Log: As pointed out by several people, r273114 was incorrect: it unconditionally disabled everything except TLS 1.0. Replace it with a more carefully wrought patch: - Switch the default for SSLv3 from on to off - Add environment variables to control TLS 1.1 and 1.2 - In verbose mode, report which version is used - Update the man page to reflect these changes. MFC after: 1 week Modified: head/lib/libfetch/common.c head/lib/libfetch/fetch.3 Modified: head/lib/libfetch/common.c ============================================================================== --- head/lib/libfetch/common.c Wed Oct 15 07:09:45 2014 (r273123) +++ head/lib/libfetch/common.c Wed Oct 15 07:35:50 2014 (r273124) @@ -675,10 +675,14 @@ fetch_ssl_setup_transport_layer(SSL_CTX ssl_ctx_options = SSL_OP_ALL | SSL_OP_NO_TICKET; if (getenv("SSL_ALLOW_SSL2") == NULL) ssl_ctx_options |= SSL_OP_NO_SSLv2; - if (getenv("SSL_NO_SSL3") != NULL) + if (getenv("SSL_ALLOW_SSL3") == NULL) ssl_ctx_options |= SSL_OP_NO_SSLv3; if (getenv("SSL_NO_TLS1") != NULL) ssl_ctx_options |= SSL_OP_NO_TLSv1; + if (getenv("SSL_NO_TLS1_1") != NULL) + ssl_ctx_options |= SSL_OP_NO_TLSv1_1; + if (getenv("SSL_NO_TLS1_2") != NULL) + ssl_ctx_options |= SSL_OP_NO_TLSv1_2; if (verbose) fetch_info("SSL options: %lx", ssl_ctx_options); SSL_CTX_set_options(ctx, ssl_ctx_options); @@ -820,7 +824,7 @@ fetch_ssl(conn_t *conn, const struct url SSL_load_error_strings(); - conn->ssl_meth = TLSv1_client_method(); + conn->ssl_meth = SSLv23_client_method(); conn->ssl_ctx = SSL_CTX_new(conn->ssl_meth); SSL_CTX_set_mode(conn->ssl_ctx, SSL_MODE_AUTO_RETRY); @@ -873,8 +877,8 @@ fetch_ssl(conn_t *conn, const struct url } if (verbose) { - fetch_info("SSL connection established using %s", - SSL_get_cipher(conn->ssl)); + fetch_info("%s connection established using %s", + SSL_get_version(conn->ssl), SSL_get_cipher(conn->ssl)); name = X509_get_subject_name(conn->ssl_cert); str = X509_NAME_oneline(name, 0, 0); fetch_info("Certificate subject: %s", str); Modified: head/lib/libfetch/fetch.3 ============================================================================== --- head/lib/libfetch/fetch.3 Wed Oct 15 07:09:45 2014 (r273123) +++ head/lib/libfetch/fetch.3 Wed Oct 15 07:35:50 2014 (r273124) @@ -26,7 +26,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 30, 2013 +.Dd October 15, 2014 .Dt FETCH 3 .Os .Sh NAME @@ -438,15 +438,17 @@ input (see .Pp By default .Nm libfetch -allows SSLv3 and TLSv1 when negotiating the connecting with the remote +allows TLSv1 and newer when negotiating the connecting with the remote peer. -You can change this behavior by setting the environment variable +You can change this behavior by setting the .Ev SSL_ALLOW_SSL2 -to allow SSLv2 (not recommended) and -.Ev SSL_NO_SSL3 -or -.Ev SSL_NO_TLS1 -to disable the respective methods. +and +.Ev SSL_ALLOW_SSL3 +environment variables to allow SSLv2 and SSLv3, respectively, and +.Ev SSL_NO_TLS1 , +.Ev SSL_NO_TLS1_1 and +.Ev SSL_NO_TLS1_2 +to disable TLS 1.0, 1.1 and 1.2 respectively. .Sh AUTHENTICATION Apart from setting the appropriate environment variables and specifying the user name and password in the URL or the @@ -646,6 +648,8 @@ Same as for compatibility. .It Ev SSL_ALLOW_SSL2 Allow SSL version 2 when negotiating the connection (not recommended). +.It Ev SSL_ALLOW_SSL3 +Allow SSL version 3 when negotiating the connection (not recommended). .It Ev SSL_CA_CERT_FILE CA certificate bundle containing trusted CA certificates. Default value: @@ -660,10 +664,12 @@ PEM encoded client key in case key and c are stored separately. .It Ev SSL_CRL_FILE File containing certificate revocation list. -.It Ev SSL_NO_SSL3 -Don't allow SSL version 3 when negotiating the connection. .It Ev SSL_NO_TLS1 -Don't allow TLV version 1 when negotiating the connection. +Do not allow TLS version 1.0 when negotiating the connection. +.It Ev SSL_NO_TLS1_1 +Do not allow TLS version 1.1 when negotiating the connection. +.It Ev SSL_NO_TLS1_2 +Do not allow TLS version 1.2 when negotiating the connection. .It Ev SSL_NO_VERIFY_HOSTNAME If set, do not verify that the hostname matches the subject of the certificate presented by the server.