Introduce DisableSslVersions.

The SSL Versions specified will be disabled on server context.
2024-11-22 17:39:53 +03:00 · 2015-11-10 00:55:24 +08:00 · 2015-11-10 00:55:24 +08:00 · 8b1b67faed
commit 8b1b67faed
parent d3a1b26413
5 changed files with 67 additions and 11 deletions
--- a/src/Cedar/Cedar.h
+++ b/src/Cedar/Cedar.h
@ -404,7 +404,19 @@
 #define	KEEP_ALIVE_MAGIC				0xffffffff
 #define	MAX_KEEPALIVE_SIZE				512

+// SSL/TLS Versions
+#define SSL_VERSION_SSL_V2	0x01	// SSLv2
+#define SSL_VERSION_SSL_V3	0x02	// SSLv3
+#define SSL_VERSION_TLS_V1_0	0x04	// TLS v1.0
+#define SSL_VERSION_TLS_V1_1	0x08	// TLS v1.1
+#define SSL_VERSION_TLS_V1_2	0x10	// TLS v1.2

+// SSL/TLS Version Names
+#define NAME_SSL_VERSION_SSL_V2	"SSL_V2"	// SSLv2
+#define NAME_SSL_VERSION_SSL_V3	"SSL_V3"	// SSLv3
+#define NAME_SSL_VERSION_TLS_V1_0	"TLS_V1_0"	// TLS v1.0
+#define NAME_SSL_VERSION_TLS_V1_0	"TLS_V1_1"	// TLS v1.1
+#define NAME_SSL_VERSION_TLS_V1_0	"TLS_V1_2"	// TLS v1.2

 //////////////////////////////////////////////////////////////////////
 // 
@ -1053,6 +1065,7 @@ typedef struct CEDAR
 	LOCK *FifoBudgetLock;			// Fifo budget lock
 	UINT FifoBudget;				// Fifo budget
 	bool AcceptOnlyTls;				// Accept only TLS (Disable SSL)
+	UINT DisableSslVersions = 0x0;	// Bitmap of SSL Version to disable
 	char OpenVPNDefaultClientOption[MAX_SIZE];	// OpenVPN Default Client Option String
 } CEDAR;

--- a/src/Cedar/Connection.c
+++ b/src/Cedar/Connection.c
@ -3137,10 +3137,8 @@ void ConnectionAccept(CONNECTION *c)

 	// Start the SSL communication
 	Debug("StartSSL()\n");
-	if (c->Cedar->AcceptOnlyTls)
-	{
-		s->AcceptOnlyTls = true;
-	}
+	s->DisableSslVersions = c->Cedar->DisableSslVersions;
+
 	if (StartSSL(s, x, k) == false)
 	{
 		// Failed
--- a/src/Cedar/Server.c
+++ b/src/Cedar/Server.c
@ -6157,6 +6157,39 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)

 		// AcceptOnlyTls
 		c->AcceptOnlyTls = CfgGetBool(f, "AcceptOnlyTls");
+		if (c->AcceptOnlyTls) {
+			c->DisableSslVersions |= SSL_VERSION_SSL_V2;
+			c->DisableSslVersions |= SSL_VERSION_SSL_V3;
+		}
+
+		if (CfgGetStr(f, "DisableSslVersions", tmp, sizeof(tmp))) {
+			TOKEN_LIST *sslVersions= ParseToken(tmp, ", ");
+			UINT i;		
+			for (i = 0;i < sslVersions->NumTokens;i++)
+			{
+				if (strcmp(tmp, NAME_SSL_VERSION_SSL_V2)) 
+					c->DisableSslVersions |= SSL_VERSION_SSL_V2;
+					continue;
+				}
+				if (strcmp(tmp, NAME_SSL_VERSION_SSL_V3)) 
+					c->DisableSslVersions |= SSL_VERSION_SSL_V3;
+					continue;
+				}
+				if (strcmp(tmp, NAME_SSL_VERSION_TLS_V1_0)) 
+					c->DisableSslVersions |= SSL_VERSION_TLS_V1_0;
+					continue;
+				}
+				if (strcmp(tmp, NAME_SSL_VERSION_TLS_V1_1)) 
+					c->DisableSslVersions |= SSL_VERSION_TLS_V1_1;
+					continue;
+				}
+				if (strcmp(tmp, NAME_SSL_VERSION_TLS_V1_2)) 
+					c->DisableSslVersions |= SSL_VERSION_TLS_V1_2;
+					continue;
+				}
+			}
+			FreeToken(sslVersions);
+		}
 	}
 	Unlock(c->lock);

@ -6467,6 +6500,8 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)

 		CfgAddBool(f, "AcceptOnlyTls", c->AcceptOnlyTls);

+		CfgAddStr(f, "DisableSslVersions", c->DisableSslVersions);
+
 		// Disable session reconnect
 		CfgAddBool(f, "DisableSessionReconnect", GetGlobalServerFlag(GSF_DISABLE_SESSION_RECONNECT));
 	}
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
@ -12966,15 +12966,24 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch
 	{
 		if (sock->ServerMode)
 		{
-			if (sock->AcceptOnlyTls == false)
-			{
-				SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method());
+			SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method());
+			long ssl_opt_flags=0x0L;
+			if (sock->DisableSslVersions & SSL_VERSION_SSL_V2) {
+				ssl_opt_flags |= SSL_OP_NO_SSLv2;
 			}
-			else
-			{
-				SSL_CTX_set_ssl_version(ssl_ctx, TLSv1_method());
+			if (sock->DisableSslVersions & SSL_VERSION_SSL_V3) {
+				ssl_opt_flags |= SSL_OP_NO_SSLv3;
 			}
-
+			if (sock->DisableSslVersions & SSL_VERSION_TLS_V1_0) {
+				ssl_opt_flags |= SSL_OP_NO_TLSv1;
+			}
+			if (sock->DisableSslVersions & SSL_VERSION_TLS_V1_1) {
+				ssl_opt_flags |= SSL_OP_NO_TLSv1_1;
+			}
+			if (sock->DisableSslVersions & SSL_VERSION_TLS_V1_2) {
+				ssl_opt_flags |= SSL_OP_NO_TLSv1_2;
+			}
+			SSL_CTX_set_options(ssl_ctx, ssl_opt_flags);
 			Unlock(openssl_lock);
 			AddChainSslCertOnDirectory(ssl_ctx);
 			Lock(openssl_lock);
--- a/src/Mayaqua/Network.h
+++ b/src/Mayaqua/Network.h
@ -313,6 +313,7 @@ struct SOCK
 	UINT Reverse_MyServerPort;		// Self port number when using the reverse socket
 	UCHAR Ssl_Init_Async_SendAlert[2];	// Initial state of SSL send_alert
 	bool AcceptOnlyTls;			// Accept only TLS (disable SSLv3)
+	UINT DisableSslVersions;	// Bitmap of SSL Version to disable
 	bool RawIP_HeaderIncludeFlag;

 #ifdef	ENABLE_SSL_LOGGING