From a51895b2c5a5f338daca07d50a7327e742575817 Mon Sep 17 00:00:00 2001
From: Takuho NAKANO
Date: Wed, 6 May 2020 17:10:52 +0900
Subject: [PATCH] Manage OpenSSL security level

Add SslAcceptSettings option Override_Security_Level and Override_Security_Level_Value to allow user to choose.
---
 src/Cedar/Server.c | 4 ++++
 src/Mayaqua/Network.c | 17 +++++++++++++++++
 src/Mayaqua/Network.h | 2 ++
 3 files changed, 23 insertions(+)

diff --git a/src/Cedar/Server.c b/src/Cedar/Server.c
index 4b5ae418..151d0720 100644
--- a/src/Cedar/Server.c
+++ b/src/Cedar/Server.c
@@ -6044,6 +6044,8 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
 c->SslAcceptSettings.Tls_Disable1_1 = CfgGetBool(f, "Tls_Disable1_1");
 c->SslAcceptSettings.Tls_Disable1_2 = CfgGetBool(f, "Tls_Disable1_2");
 c->SslAcceptSettings.Tls_Disable1_3 = CfgGetBool(f, "Tls_Disable1_3");
+ c->SslAcceptSettings.Override_Security_Level = CfgGetBool(f, "Override_Security_Level");
+ c->SslAcceptSettings.Override_Security_Level_Value = CfgGetInt(f, "Override_Security_Level_Value");
 
 s->StrictSyslogDatetimeFormat = CfgGetBool(f, "StrictSyslogDatetimeFormat");
 
@@ -6379,6 +6381,8 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
 CfgAddBool(f, "Tls_Disable1_1", c->SslAcceptSettings.Tls_Disable1_1);
 CfgAddBool(f, "Tls_Disable1_2", c->SslAcceptSettings.Tls_Disable1_2);
 CfgAddBool(f, "Tls_Disable1_3", c->SslAcceptSettings.Tls_Disable1_3);
+ CfgAddBool(f, "Override_Security_Level", c->SslAcceptSettings.Override_Security_Level);
+ CfgAddInt(f, "Override_Security_Level_Value", c->SslAcceptSettings.Override_Security_Level_Value);
 CfgAddInt(f, "DhParamBits", c->DhParamBits);
 
 // Disable session reconnect
diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c
index 56ae9cfe..907c190b 100644
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
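Review bot: In the SiLoadServerCfg hunk, `Override_Security_Level_Value` is read with `CfgGetInt` and stored with no range check, even though OpenSSL defines only security levels 0 through 5 and level 0 removes the library's minimum key-size and cipher-strength floor entirely. Because the same value is later passed straight to `SSL_CTX_set_security_level` in Network.c, the load path is the right place to clamp out-of-range input and to log through the server's existing logging whenever an override lowers the level below the default, so that a weakened TLS accept configuration is visible in the server log instead of silent. After the new `CfgGetInt` line, something like `if (c->SslAcceptSettings.Override_Security_Level_Value > 5) { c->SslAcceptSettings.Override_Security_Level_Value = 5; }` would bound the value. SiLoadServerCfg begins and ends outside the hunk; the SiWriteServerCfg hunk only mirrors the two keys and needs no change.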
@@ -5747,6 +5747,16 @@ SSL_PIPE *NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_pee
 {
 SSL_CTX_set_tmp_dh(ssl_ctx, dh->dh);
 }
+
+#if 0
+ // Cannot get config
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ if (sock->SslAcceptSettings.Override_Security_Level)
+ {
+ SSL_CTX_set_security_level(ssl_ctx, sock->SslAcceptSettings.Override_Security_Level_Value);
+ }
+#endif
+#endif
 }
 
 if (verify_peer)
@@ -12138,6 +12148,13 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname)
 }
 #endif // SSL_OP_NO_TLSv1_3
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ if (sock->SslAcceptSettings.Override_Security_Level)
+ {
+ SSL_CTX_set_security_level(ssl_ctx, sock->SslAcceptSettings.Override_Security_Level_Value);
+ }
+#endif
+
 Unlock(openssl_lock);
 AddChainSslCertOnDirectory(ssl_ctx);
 Lock(openssl_lock);
diff --git a/src/Mayaqua/Network.h b/src/Mayaqua/Network.h
index 362882e4..1c9d0e6e 100644
--- a/src/Mayaqua/Network.h
+++ b/src/Mayaqua/Network.h
@@ -148,6 +148,8 @@ struct SSL_ACCEPT_SETTINGS
 bool Tls_Disable1_1;
 bool Tls_Disable1_2;
 bool Tls_Disable1_3;
+ bool Override_Security_Level;
+ UINT32 Override_Security_Level_Value;
 };
 
 // Socket
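Review bot: The block added under `#if 0` in NewSslPipeEx is dead code that would not compile if enabled: `sock` does not appear in the visible signature `NewSslPipeEx(bool server_mode, X *x, K *k, DH_CTX *dh, bool verify_pee…)`, so unless a local of that name is declared outside the hunk the `#if 0` is masking an unresolved identifier, not a deliberately disabled feature. Shipping it suggests the override is merely switched off here, when in fact SSL pipes built through NewSslPipeEx never honour Override_Security_Level and only the StartSSLEx path does. Replace the block with a single comment that records the gap, e.g. `// Override_Security_Level is not applied here: NewSslPipeEx has no SOCK/SslAcceptSettings to read it from`, or extend the function's parameters so the setting can be passed in. The enclosing function starts before and ends after the hunk.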
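Review bot: In the StartSSLEx hunk, `SSL_CTX_set_security_level` takes an `int` but receives the `UINT32` field directly, so a large configured value converts to a negative level; an explicit bounded cast such as `SSL_CTX_set_security_level(ssl_ctx, (int)(sock->SslAcceptSettings.Override_Security_Level_Value > 5 ? 5 : sock->SslAcceptSettings.Override_Security_Level_Value));` keeps the call within OpenSSL's defined 0–5 range. The security level also governs the key-size and signature checks OpenSSL applies when certificates and keys are attached to the context, so if anything is attached to `ssl_ctx` before this point (not visible in the hunk) it was already checked at the default level and the override would have to move ahead of it. On builds older than OpenSSL 1.1.0 or on LibreSSL the whole block compiles out and the configured override is silently ignored; a one-line debug log of the effective level, or a comment stating that limitation, would make that visible to operators. StartSSLEx begins and ends outside the hunk.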
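Review bot: The two fields added to SSL_ACCEPT_SETTINGS in Network.h carry a significant security meaning but have no comment, unlike a reader would expect for a knob that can relax OpenSSL's built-in minimums. Suggested trailing comments: `bool Override_Security_Level; // When true, Override_Security_Level_Value is applied with SSL_CTX_set_security_level (OpenSSL >= 1.1.0 only; ignored on LibreSSL and older builds)` and `UINT32 Override_Security_Level_Value; // OpenSSL security level 0-5; 0 removes the library's minimum cipher/key-strength floor`. Documenting here that the value is later narrowed to the `int` expected by OpenSSL would also explain why a small range is the only meaningful one.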