
Manage OpenSSL security level

Add the SslAcceptSettings options Override_Security_Level and Override_Security_Level_Value
to allow the user to choose.
This commit is contained in:
Takuho NAKANO 2020-10-31 20:19:10 +01:00 committed by Davide Beatrici
parent 190672bd84
commit 7fdacec2a6
3 changed files with 23 additions and 0 deletions


@ -5931,6 +5931,8 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
c->SslAcceptSettings.Tls_Disable1_1 = CfgGetBool(f, "Tls_Disable1_1");
c->SslAcceptSettings.Tls_Disable1_2 = CfgGetBool(f, "Tls_Disable1_2");
c->SslAcceptSettings.Tls_Disable1_3 = CfgGetBool(f, "Tls_Disable1_3");
c->SslAcceptSettings.Override_Security_Level = CfgGetBool(f, "Override_Security_Level");
c->SslAcceptSettings.Override_Security_Level_Value = CfgGetInt(f, "Override_Security_Level_Value");
s->StrictSyslogDatetimeFormat = CfgGetBool(f, "StrictSyslogDatetimeFormat");
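Review bot: Override_Security_Level_Value is taken from CfgGetInt on the new line without any range check, and the StartSSLEx hunk in the next file hands it straight to SSL_CTX_set_security_level. OpenSSL only defines levels 0 through 5, and level 0 permits everything, so an absent or mistyped value (presumably read back as 0) combined with Override_Security_Level=true silently selects the weakest level. The field is also a UINT while SSL_CTX_set_security_level takes an int, so very large values convert without complaint. Validating once at load time is the simplest place, e.g. `if (c->SslAcceptSettings.Override_Security_Level_Value > 5) { c->SslAcceptSettings.Override_Security_Level = false; }` together with a log line naming the rejected value, and a configured level of 0 deserves a warning in the same spot. The body of SiLoadServerCfg starts and ends outside the hunk.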
@ -6256,6 +6258,8 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
CfgAddBool(f, "Tls_Disable1_1", c->SslAcceptSettings.Tls_Disable1_1);
CfgAddBool(f, "Tls_Disable1_2", c->SslAcceptSettings.Tls_Disable1_2);
CfgAddBool(f, "Tls_Disable1_3", c->SslAcceptSettings.Tls_Disable1_3);
CfgAddBool(f, "Override_Security_Level", c->SslAcceptSettings.Override_Security_Level);
CfgAddInt(f, "Override_Security_Level_Value", c->SslAcceptSettings.Override_Security_Level_Value);
CfgAddInt(f, "DhParamBits", c->DhParamBits);
// Disable session reconnect


@ -5747,6 +5747,16 @@ SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_pee
{
SSL_CTX_set_tmp_dh(ssl_ctx, dh->dh);
}
#if 0
// Cannot get config
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
if (sock->SslAcceptSettings.Override_Security_Level)
{
SSL_CTX_set_security_level(ssl_ctx, sock->SslAcceptSettings.Override_Security_Level_Value);
}
#endif
#endif
}
if (verify_peer)
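Review bot: The block added under `#if 0` in NewSslPipeEx references `sock`, which is not among the function's parameters (server_mode, x, k, dh, verify_peer), so it cannot compile if the guard is ever flipped and is dead code as committed. The practical consequence is that the override only reaches sockets configured through StartSSLEx, while SSL_PIPE contexts built here (server_mode included) keep OpenSSL's default level; that gap should either be closed by passing the SSL_ACCEPT_SETTINGS (or just the level) into NewSslPipeEx, or be stated wherever the option is documented. If the code is to stay out for now, replace the disabled block with a single comment such as `// TODO: Override_Security_Level is not applied here; NewSslPipeEx has no access to SSL_ACCEPT_SETTINGS` rather than shipping unbuildable code. NewSslPipeEx's body continues past the hunk in both directions.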
@ -12138,6 +12148,13 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname)
}
#endif // SSL_OP_NO_TLSv1_3
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
if (sock->SslAcceptSettings.Override_Security_Level)
{
SSL_CTX_set_security_level(ssl_ctx, sock->SslAcceptSettings.Override_Security_Level_Value);
}
#endif
Unlock(openssl_lock);
AddChainSslCertOnDirectory(ssl_ctx);
Lock(openssl_lock);


@ -148,6 +148,8 @@ struct SSL_ACCEPT_SETTINGS
bool Tls_Disable1_1;
bool Tls_Disable1_2;
bool Tls_Disable1_3;
bool Override_Security_Level;
UINT Override_Security_Level_Value;
};
// Socket
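Review bot: The two new SSL_ACCEPT_SETTINGS fields carry no comment, and nothing in the header tells a reader what range Override_Security_Level_Value accepts or that it is only honoured when Override_Security_Level is true. Suggest `bool Override_Security_Level; // Apply Override_Security_Level_Value instead of OpenSSL's default security level` and `UINT Override_Security_Level_Value; // OpenSSL security level, 0 (everything permitted) through 5`. The struct's opening line sits outside the hunk.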