diff --git a/src/Cedar/Command.c b/src/Cedar/Command.c
index c11455cc..372baa54 100644
--- a/src/Cedar/Command.c
+++ b/src/Cedar/Command.c
@@ -67,26 +67,13 @@ void CheckNetworkListenThread(THREAD *thread, void *param)
 {
 CHECK_NETWORK_1 *c = (CHECK_NETWORK_1 *)param;
 SOCK *s;
- UINT i, rsa_bits = 1024;
+ UINT i;
 K *pub, *pri;
 X *x;
 LIST *o = NewList(NULL);
 NAME *name = NewName(L"Test", L"Test", L"Test", L"JP", L"Ibaraki", L"Tsukuba");
- // Set RSA bits considering OpenSSL security Level
- // Security level 4 needs 7680 bits
- switch (GetOSSecurityLevel())
- {
- case 2:
- rsa_bits = 2048;
- break;
- case 3:
- rsa_bits = 4096;
- break;
- default:
- break;
- }
- RsaGen(&pri, &pub, rsa_bits);
+ RsaGen(&pri, &pub, 1024);
 x = NewRootX(pub, pri, name, 1000, NULL);
 FreeName(name);
diff --git a/src/Cedar/Server.c b/src/Cedar/Server.c
index f606fd29..fcd0c2bd 100644
--- a/src/Cedar/Server.c
+++ b/src/Cedar/Server.c
@@ -5931,8 +5931,6 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
 c->SslAcceptSettings.Tls_Disable1_1 = CfgGetBool(f, "Tls_Disable1_1");
 c->SslAcceptSettings.Tls_Disable1_2 = CfgGetBool(f, "Tls_Disable1_2");
 c->SslAcceptSettings.Tls_Disable1_3 = CfgGetBool(f, "Tls_Disable1_3");
- c->SslAcceptSettings.Override_Security_Level = CfgGetBool(f, "Override_Security_Level");
- c->SslAcceptSettings.Override_Security_Level_Value = CfgGetInt(f, "Override_Security_Level_Value");
 s->StrictSyslogDatetimeFormat = CfgGetBool(f, "StrictSyslogDatetimeFormat"); 
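Review bot: `RsaGen(&pri, &pub, 1024);` hard-codes a 1024-bit key for the test certificate that NewRootX builds on the next line; OpenSSL security level 2, which some distributions ship as the default, rejects RSA keys shorter than 2048 bits, so the TLS handshake this listener check performs can fail on those systems for a reason unrelated to network reachability. A fixed `RsaGen(&pri, &pub, 2048);` satisfies level 2 without reintroducing the removed lookup, and a comment such as `// 2048 bits: smallest RSA size accepted at OpenSSL security level 2` would record why the constant was chosen. Higher security levels need larger keys still, which that comment should say so the limitation is not rediscovered. CheckNetworkListenThread's body continues beyond the hunk.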
@@ -6258,8 +6256,6 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
 CfgAddBool(f, "Tls_Disable1_1", c->SslAcceptSettings.Tls_Disable1_1);
 CfgAddBool(f, "Tls_Disable1_2", c->SslAcceptSettings.Tls_Disable1_2);
 CfgAddBool(f, "Tls_Disable1_3", c->SslAcceptSettings.Tls_Disable1_3);
- CfgAddBool(f, "Override_Security_Level", c->SslAcceptSettings.Override_Security_Level);
- CfgAddInt(f, "Override_Security_Level_Value", c->SslAcceptSettings.Override_Security_Level_Value);
 CfgAddInt(f, "DhParamBits", c->DhParamBits);
 // Disable session reconnect
diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c
index ed1e1c9a..bbe4b1ad 100644
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
@@ -5737,6 +5737,12 @@ SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_pee
 {
 if (server_mode)
 {
+ SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_server_method());
+
+#ifdef SSL_OP_NO_SSLv3
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
+#endif // SSL_OP_NO_SSLv3
+
 #ifdef SSL_OP_NO_TLSv1_3
 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_3); // For some reason pppd under linux doesn't like it
 #endif
@@ -5747,16 +5753,10 @@ SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_pee
 {
 SSL_CTX_set_tmp_dh(ssl_ctx, dh->dh);
 }
-
-#if 0
- // Cannot get config
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- if (sock->SslAcceptSettings.Override_Security_Level)
- {
- SSL_CTX_set_security_level(ssl_ctx, sock->SslAcceptSettings.Override_Security_Level_Value);
- }
-#endif
-#endif
+ }
+ else
+ {
+ SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method());
 }
 if (verify_peer)
@@ -12120,6 +12120,12 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname)
 {
 if (sock->ServerMode)
 {
+ SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_server_method());
+
+#ifdef SSL_OP_NO_SSLv3
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
+#endif // SSL_OP_NO_SSLv3
+
 #ifdef SSL_OP_NO_TLSv1
 if (sock->SslAcceptSettings.Tls_Disable1_0)
 { 
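Review bot: The new client-side `else` branch of NewSslPipeEx sets only `SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method());`, while the `SSL_OP_NO_SSLv3` option that NewSSLCtx used to apply to both modes (removed in the NewSSLCtx hunk at -16812) is re-added in this function only for the server branch; the client branch that StartSSLEx gains at -12148 does re-add it, so the two client paths now differ. Unless the OpenSSL build has no SSLv3 support at all, which is likely but not visible here, an SSL_PIPE client no longer has SSLv3 disabled at the option level. Adding the same guarded `SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);` under `#ifdef SSL_OP_NO_SSLv3` to the else branch restores parity with StartSSLEx. NewSslPipeEx continues outside the hunk.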
@@ -12148,17 +12154,18 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname)
 }
 #endif // SSL_OP_NO_TLSv1_3
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- if (sock->SslAcceptSettings.Override_Security_Level)
- {
- SSL_CTX_set_security_level(ssl_ctx, sock->SslAcceptSettings.Override_Security_Level_Value);
- }
-#endif
-
 Unlock(openssl_lock);
 AddChainSslCertOnDirectory(ssl_ctx);
 Lock(openssl_lock);
 }
+ else
+ {
+ SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method());
+
+#ifdef SSL_OP_NO_SSLv3
+ SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
+#endif // SSL_OP_NO_SSLv3
+ }
 sock->ssl = SSL_new(ssl_ctx);
 SSL_set_fd(sock->ssl, (int)sock->socket);
@@ -16812,20 +16819,6 @@ struct ssl_ctx_st *NewSSLCtx(bool server_mode)
 {
 struct ssl_ctx_st *ctx = SSL_CTX_new(SSLv23_method());
- // It resets some parameters.
- if (server_mode)
- {
- SSL_CTX_set_ssl_version(ctx, SSLv23_server_method());
- }
- else
- {
- SSL_CTX_set_ssl_version(ctx, SSLv23_client_method());
- }
-
-#ifdef SSL_OP_NO_SSLv3
- SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
-#endif // SSL_OP_NO_SSLv3
-
 #ifdef SSL_OP_NO_TICKET
 SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
 #endif // SSL_OP_NO_TICKET
@@ -16858,28 +16851,6 @@ void FreeSSLCtx(struct ssl_ctx_st *ctx)
 SSL_CTX_free(ctx);
 }
-// Get OS (maximum) Security Level
-UINT GetOSSecurityLevel()
-{
- UINT security_level_new = 0, security_level_set_ssl_version = 0;
- struct ssl_ctx_st *ctx = SSL_CTX_new(SSLv23_method());
-
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- security_level_new = SSL_CTX_get_security_level(ctx);
-#endif
-
- security_level_set_ssl_version = SSL_CTX_set_ssl_version(ctx, SSLv23_server_method());
-
- FreeSSLCtx(ctx);
-
- if(security_level_new >= security_level_set_ssl_version)
- {
- return security_level_new;
- }
-
- return security_level_set_ssl_version;
-}
-
 // The number of get ip threads
 void SetGetIpThreadMaxNum(UINT num)
 { 
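Review bot: After the NewSSLCtx hunk at -16812 the `server_mode` parameter has no remaining use in the visible body, and selecting the server/client method and disabling SSLv3 have silently become each caller's job; a header comment on NewSSLCtx such as `// Creates a bare SSL_CTX from SSLv23_method(); callers must select the server or client method and set SSL_OP_NO_SSLv3 themselves` would keep callers not touched by this commit from assuming the old behaviour. Note also that `SSL_CTX_set_ssl_version` rebuilds the context's cipher list from OpenSSL's default, and in the callers it now runs after everything NewSSLCtx does rather than immediately after `SSL_CTX_new`; if a cipher list is installed on the context before that point (the rest of NewSSLCtx is outside the hunk), it is discarded, which is worth stating in the same comment. NewSSLCtx's body continues beyond the hunk.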
@@ -16995,6 +16966,12 @@ TOKEN_LIST *GetCipherList()
 return ciphers;
 }
+ SSL_CTX_set_ssl_version(ctx, SSLv23_server_method());
+
+#ifdef SSL_OP_NO_SSLv3
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
+#endif
+
 ssl = SSL_new(ctx);
 if (ssl == NULL)
 {
diff --git a/src/Mayaqua/Network.h b/src/Mayaqua/Network.h
index 1c9d0e6e..8f1a44f2 100644
--- a/src/Mayaqua/Network.h
+++ b/src/Mayaqua/Network.h
@@ -148,8 +148,6 @@ struct SSL_ACCEPT_SETTINGS
 bool Tls_Disable1_1;
 bool Tls_Disable1_2;
 bool Tls_Disable1_3;
- bool Override_Security_Level;
- UINT32 Override_Security_Level_Value;
 };
 // Socket
@@ -1450,7 +1448,6 @@ void RefreshLocalMacAddressList();
 struct ssl_ctx_st *NewSSLCtx(bool server_mode);
 void FreeSSLCtx(struct ssl_ctx_st *ctx);
-UINT GetOSSecurityLevel();
 void SetCurrentDDnsFqdn(char *name);
 void GetCurrentDDnsFqdn(char *name, UINT size);
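Review bot: The return value of `SSL_CTX_set_ssl_version(ctx, SSLv23_server_method());` in GetCipherList is ignored; the call returns 0 when OpenSSL cannot build the default cipher list for that method, and the function then goes on to enumerate whatever list the context was left with. Checking it, e.g. `if (SSL_CTX_set_ssl_version(ctx, SSLv23_server_method()) == 0)` followed by the same cleanup as the `return ciphers;` branch just above (which appears to be an existing error path), would make that failure visible. The two `#endif` lines here also drop the `// SSL_OP_NO_SSLv3` trailer used by the matching blocks in NewSslPipeEx and StartSSLEx. GetCipherList's body continues outside the hunk.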