From 8b1b67faedaac1c84c54874aa50a1e89952915af Mon Sep 17 00:00:00 2001
From: Raymond Tau
Date: Tue, 10 Nov 2015 00:55:24 +0800
Subject: [PATCH] Introduce DisableSslVersions.

The SSL Versions specified will be disabled on server context.
---
 src/Cedar/Cedar.h | 13 +++++++++++++
 src/Cedar/Connection.c | 6 ++----
 src/Cedar/Server.c | 35 +++++++++++++++++++++++++++++++++++
 src/Mayaqua/Network.c | 23 ++++++++++++++++-------
 src/Mayaqua/Network.h | 1 +
 5 files changed, 67 insertions(+), 11 deletions(-)

diff --git a/src/Cedar/Cedar.h b/src/Cedar/Cedar.h
index e7ae9dc0..4618c9c5 100644
--- a/src/Cedar/Cedar.h
+++ b/src/Cedar/Cedar.h
@@ -404,7 +404,19 @@
 #define KEEP_ALIVE_MAGIC 0xffffffff
 #define MAX_KEEPALIVE_SIZE 512
+// SSL/TLS Versions
+#define SSL_VERSION_SSL_V2 0x01 // SSLv2
+#define SSL_VERSION_SSL_V3 0x02 // SSLv3
+#define SSL_VERSION_TLS_V1_0 0x04 // TLS v1.0
+#define SSL_VERSION_TLS_V1_1 0x08 // TLS v1.1
+#define SSL_VERSION_TLS_V1_2 0x10 // TLS v1.2
+// SSL/TLS Version Names
+#define NAME_SSL_VERSION_SSL_V2 "SSL_V2" // SSLv2
+#define NAME_SSL_VERSION_SSL_V3 "SSL_V3" // SSLv3
+#define NAME_SSL_VERSION_TLS_V1_0 "TLS_V1_0" // TLS v1.0
+#define NAME_SSL_VERSION_TLS_V1_0 "TLS_V1_1" // TLS v1.1
+#define NAME_SSL_VERSION_TLS_V1_0 "TLS_V1_2" // TLS v1.2
 //////////////////////////////////////////////////////////////////////
 //
@@ -1053,6 +1065,7 @@ typedef struct CEDAR
 	LOCK *FifoBudgetLock; // Fifo budget lock
 	UINT FifoBudget; // Fifo budget
 	bool AcceptOnlyTls; // Accept only TLS (Disable SSL)
+	UINT DisableSslVersions = 0x0; // Bitmap of SSL Version to disable
 	char OpenVPNDefaultClientOption[MAX_SIZE]; // OpenVPN Default Client Option String
 } CEDAR;
diff --git a/src/Cedar/Connection.c b/src/Cedar/Connection.c
index 224afb37..6ec6cee6 100644
--- a/src/Cedar/Connection.c
+++ b/src/Cedar/Connection.c
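Review bot: `NAME_SSL_VERSION_TLS_V1_0` is defined three times in the new name block, with the values "TLS_V1_0", "TLS_V1_1" and "TLS_V1_2"; the second and third definitions should read `#define NAME_SSL_VERSION_TLS_V1_1 "TLS_V1_1" // TLS v1.1` and `#define NAME_SSL_VERSION_TLS_V1_2 "TLS_V1_2" // TLS v1.2`. As written the redefinitions produce a macro-redefinition diagnostic, and the loader in Server.c, which references `NAME_SSL_VERSION_TLS_V1_1` and `NAME_SSL_VERSION_TLS_V1_2`, has no such macros to expand. A short comment on the bit block would also help the reader, e.g. `// Bitmap carried in CEDAR.DisableSslVersions / SOCK.DisableSslVersions and mapped to SSL_OP_NO_* in StartSSLEx`.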
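Review bot: `UINT DisableSslVersions = 0x0;` inside the `CEDAR` struct definition is not valid C, since struct members cannot carry initializers; the line should be `UINT DisableSslVersions; // Bitmap of SSL Version to disable`, matching the `SOCK` field added in Network.h. Whether the field then starts at zero depends on how the CEDAR object is allocated, which is outside this diff; if that allocation does not zero the block, initialise the field explicitly there, because SiLoadServerCfg only ORs bits into it.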
@@ -3137,10 +3137,8 @@ void ConnectionAccept(CONNECTION *c)
 	// Start the SSL communication
 	Debug("StartSSL()\n");
-	if (c->Cedar->AcceptOnlyTls)
-	{
-		s->AcceptOnlyTls = true;
-	}
+	s->DisableSslVersions = c->Cedar->DisableSslVersions;
+
 	if (StartSSL(s, x, k) == false)
 	{
 		// Failed
diff --git a/src/Cedar/Server.c b/src/Cedar/Server.c
index e5e2aff5..bfd14338 100644
--- a/src/Cedar/Server.c
+++ b/src/Cedar/Server.c
@@ -6157,6 +6157,39 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
 		// AcceptOnlyTls
 		c->AcceptOnlyTls = CfgGetBool(f, "AcceptOnlyTls");
+		if (c->AcceptOnlyTls) {
+			c->DisableSslVersions |= SSL_VERSION_SSL_V2;
+			c->DisableSslVersions |= SSL_VERSION_SSL_V3;
+		}
+
+		if (CfgGetStr(f, "DisableSslVersions", tmp, sizeof(tmp))) {
+			TOKEN_LIST *sslVersions= ParseToken(tmp, ", ");
+			UINT i;
+			for (i = 0;i < sslVersions->NumTokens;i++)
+			{
+				if (strcmp(tmp, NAME_SSL_VERSION_SSL_V2))
+					c->DisableSslVersions |= SSL_VERSION_SSL_V2;
+					continue;
+				}
+				if (strcmp(tmp, NAME_SSL_VERSION_SSL_V3))
+					c->DisableSslVersions |= SSL_VERSION_SSL_V3;
+					continue;
+				}
+				if (strcmp(tmp, NAME_SSL_VERSION_TLS_V1_0))
+					c->DisableSslVersions |= SSL_VERSION_TLS_V1_0;
+					continue;
+				}
+				if (strcmp(tmp, NAME_SSL_VERSION_TLS_V1_1))
+					c->DisableSslVersions |= SSL_VERSION_TLS_V1_1;
+					continue;
+				}
+				if (strcmp(tmp, NAME_SSL_VERSION_TLS_V1_2))
+					c->DisableSslVersions |= SSL_VERSION_TLS_V1_2;
+					continue;
+				}
+			}
+			FreeToken(sslVersions);
+		}
 	}
 	Unlock(c->lock);
@@ -6467,6 +6500,8 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
 	CfgAddBool(f, "AcceptOnlyTls", c->AcceptOnlyTls);
+	CfgAddStr(f, "DisableSslVersions", c->DisableSslVersions);
+
 	// Disable session reconnect
 	CfgAddBool(f, "DisableSessionReconnect", GetGlobalServerFlag(GSF_DISABLE_SESSION_RECONNECT));
 }
diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c
index def2f45e..e0395aa4 100644
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
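Review bot: The removed block was the only propagation of `SOCK.AcceptOnlyTls` on this path, and the Network.c hunk stops reading that field, yet the Network.h hunk keeps it with its old comment; any other code that still sets `s->AcceptOnlyTls` (none visible in this diff) would now silently get SSLv2/SSLv3 re-enabled. Either remove the SOCK field, or keep it honoured in StartSSLEx with `if (sock->AcceptOnlyTls) { ssl_opt_flags |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; }` and update the Network.h comment to `// Accept only TLS (disable SSLv2/SSLv3); superseded by DisableSslVersions`. The new assignment also assumes `c->Cedar->DisableSslVersions` has been populated by the time a connection is accepted, which this diff cannot show. ConnectionAccept's body continues outside the hunk.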
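Review bot: The token loop in the new `DisableSslVersions` parsing does not compile and, once it did, would never match: each `if (strcmp(tmp, NAME_...))` has no opening brace yet is followed by a `}`, the comparison uses the whole buffer `tmp` instead of `sslVersions->Token[i]`, and `strcmp` returns non-zero on mismatch, so every condition is inverted. `NAME_SSL_VERSION_TLS_V1_1` and `NAME_SSL_VERSION_TLS_V1_2` also do not exist as the Cedar.h hunk currently defines the names. The rewrite below compares each token with `== 0` and ignores unknown names; it assumes `tmp` is the local string buffer the other `CfgGetStr` calls in SiLoadServerCfg use. Because bits are only ever ORed in, consider `c->DisableSslVersions = 0;` before the `if (c->AcceptOnlyTls)` block if this loader can run against an already-initialised CEDAR. SiLoadServerCfg continues outside the hunk on both sides.
```c
		if (CfgGetStr(f, "DisableSslVersions", tmp, sizeof(tmp))) {
			// Comma/space separated list of NAME_SSL_VERSION_* names, e.g. "SSL_V2,SSL_V3"
			TOKEN_LIST *sslVersions = ParseToken(tmp, ", ");
			UINT i;
			for (i = 0; i < sslVersions->NumTokens; i++)
			{
				char *name = sslVersions->Token[i];
				if (strcmp(name, NAME_SSL_VERSION_SSL_V2) == 0) {
					c->DisableSslVersions |= SSL_VERSION_SSL_V2;
				} else if (strcmp(name, NAME_SSL_VERSION_SSL_V3) == 0) {
					c->DisableSslVersions |= SSL_VERSION_SSL_V3;
				} else if (strcmp(name, NAME_SSL_VERSION_TLS_V1_0) == 0) {
					c->DisableSslVersions |= SSL_VERSION_TLS_V1_0;
				} else if (strcmp(name, NAME_SSL_VERSION_TLS_V1_1) == 0) {
					c->DisableSslVersions |= SSL_VERSION_TLS_V1_1;
				} else if (strcmp(name, NAME_SSL_VERSION_TLS_V1_2) == 0) {
					c->DisableSslVersions |= SSL_VERSION_TLS_V1_2;
				}
				// Unknown names are ignored rather than failing the whole config load
			}
			FreeToken(sslVersions);
		}
```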
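Review bot: `CfgAddStr(f, "DisableSslVersions", c->DisableSslVersions)` passes the UINT bitmap where CfgAddStr takes a `char *`, so the integer is interpreted as a pointer, and even if that did not fault the stored value would not be in the `SSL_V2,TLS_V1_0` name form that the SiLoadServerCfg hunk above parses. The bitmap has to be serialised back to the `NAME_SSL_VERSION_*` names before writing; the block below does that (it relies on the Cedar.h fix that gives `NAME_SSL_VERSION_TLS_V1_1`/`_V1_2` distinct names) and uses Mayaqua's bounded `StrCat`. SiWriteServerCfg continues outside the hunk.
```c
	{
		// Write the bitmap as the name list SiLoadServerCfg reads back
		static const struct { UINT bit; char *name; } ssl_versions[] = {
			{ SSL_VERSION_SSL_V2, NAME_SSL_VERSION_SSL_V2 },
			{ SSL_VERSION_SSL_V3, NAME_SSL_VERSION_SSL_V3 },
			{ SSL_VERSION_TLS_V1_0, NAME_SSL_VERSION_TLS_V1_0 },
			{ SSL_VERSION_TLS_V1_1, NAME_SSL_VERSION_TLS_V1_1 },
			{ SSL_VERSION_TLS_V1_2, NAME_SSL_VERSION_TLS_V1_2 },
		};
		char names[MAX_SIZE];
		UINT i;
		names[0] = 0;
		for (i = 0; i < sizeof(ssl_versions) / sizeof(ssl_versions[0]); i++) {
			if (c->DisableSslVersions & ssl_versions[i].bit) {
				if (names[0] != 0) {
					StrCat(names, sizeof(names), ",");
				}
				StrCat(names, sizeof(names), ssl_versions[i].name);
			}
		}
		CfgAddStr(f, "DisableSslVersions", names);
	}
```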
@@ -12966,15 +12966,24 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch
 	{
 		if (sock->ServerMode)
 		{
-			if (sock->AcceptOnlyTls == false)
-			{
-				SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method());
+			SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method());
+			long ssl_opt_flags=0x0L;
+			if (sock->DisableSslVersions & SSL_VERSION_SSL_V2) {
+				ssl_opt_flags |= SSL_OP_NO_SSLv2;
 			}
-			else
-			{
-				SSL_CTX_set_ssl_version(ssl_ctx, TLSv1_method());
+			if (sock->DisableSslVersions & SSL_VERSION_SSL_V3) {
+				ssl_opt_flags |= SSL_OP_NO_SSLv3;
 			}
-
+			if (sock->DisableSslVersions & SSL_VERSION_TLS_V1_0) {
+				ssl_opt_flags |= SSL_OP_NO_TLSv1;
+			}
+			if (sock->DisableSslVersions & SSL_VERSION_TLS_V1_1) {
+				ssl_opt_flags |= SSL_OP_NO_TLSv1_1;
+			}
+			if (sock->DisableSslVersions & SSL_VERSION_TLS_V1_2) {
+				ssl_opt_flags |= SSL_OP_NO_TLSv1_2;
+			}
+			SSL_CTX_set_options(ssl_ctx, ssl_opt_flags);
 			Unlock(openssl_lock);
 			AddChainSslCertOnDirectory(ssl_ctx);
 			Lock(openssl_lock);
diff --git a/src/Mayaqua/Network.h b/src/Mayaqua/Network.h
index 6f51bedf..18024c4b 100644
--- a/src/Mayaqua/Network.h
+++ b/src/Mayaqua/Network.h
@@ -313,6 +313,7 @@ struct SOCK
 	UINT Reverse_MyServerPort; // Self port number when using the reverse socket
 	UCHAR Ssl_Init_Async_SendAlert[2]; // Initial state of SSL send_alert
 	bool AcceptOnlyTls; // Accept only TLS (disable SSLv3)
+	UINT DisableSslVersions; // Bitmap of SSL Version to disable
 	bool RawIP_HeaderIncludeFlag;
 #ifdef ENABLE_SSL_LOGGING
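Review bot: `long ssl_opt_flags=0x0L;` on the new side is declared after the `SSL_CTX_set_ssl_version` statement; if this file is built as C89 C (for example with MSVC's C compiler), mixed declarations and code are rejected, so declare it at the top of the `if (sock->ServerMode)` block as `long ssl_opt_flags = 0;` ahead of the call. `SSL_OP_NO_TLSv1_1` and `SSL_OP_NO_TLSv1_2` exist only in OpenSSL 1.0.1 and later; if older OpenSSL is a supported build target, wrap those two branches in `#ifdef SSL_OP_NO_TLSv1_1` / `#ifdef SSL_OP_NO_TLSv1_2`. A comment on the options call would make the intent and the edge case explicit: `// Apply the protocol versions disabled via DisableSslVersions; a mask with every bit set leaves nothing to negotiate`. StartSSLEx continues outside the hunk.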