[ovs-dev] [PATCH] stream-ssl: Don't enable new TLS versions by default

Timothy Redaelli tredaelli at redhat.com
Fri Jul 27 14:29:40 UTC 2018


Currently protocol_flags is populated by the list of SSL and TLS
protocols by hand. This means that when a new TLS version is added to
openssl (in this case TLS v1.3 is added to openssl 1.1.1 beta)
ovsdb-server automatically enables support for it with the default ciphers.
This can be a security problem (since other ciphers can be enabled) and it
also makes a test (SSL db: implementation) fail.

This commit changes the 'protocol_flags' to use the list of all protocol
flags as provided by the openssl library (SSL_OP_NO_SSL_MASK) so there is no
need to keep the list updated by hand.

Signed-off-by: Timothy Redaelli <tredaelli at redhat.com>
---
 lib/stream-ssl.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index c7443470f..f3d623c03 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -1188,8 +1188,7 @@ stream_ssl_set_protocols(const char *arg)
     }
 
     /* Start with all the flags off and turn them on as requested. */
-    long protocol_flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1;
-    protocol_flags |= SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
+    long protocol_flags = SSL_OP_NO_SSL_MASK;
 
     char *s = xstrdup(arg);
     char *save_ptr = NULL;
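Review bot: SSL_OP_NO_SSL_MASK on the added line is a macro supplied by OpenSSL's headers rather than by this tree, so please confirm it is defined in the oldest OpenSSL release lib/stream-ssl.c still builds against before the two explicit lines are dropped; if it is not, keep the build working by wrapping the new initializer in `#ifdef SSL_OP_NO_SSL_MASK` with the removed list `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2` as the `#else` branch. The mask also starts with versions disabled that the "turn them on as requested" loop below may have no keyword for (TLSv1.3 being the motivating case), which is the intended fail-closed behaviour, but it means a user cannot opt into such a version until a matching name is accepted there; a sentence in the option's documentation saying that unlisted versions stay off would make that explicit.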
-- 
2.17.1
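The pattern the patch adopts, start from everything-disabled (SSL_OP_NO_SSL_MASK) and clear only the bits for versions the user names, as an added example that is not code from Open vSwitch or from this patch. It includes the real OpenSSL header when one is available and otherwise falls back to assumed stand-in bit values; the functions ssl_protocol_flags, protocol_allowed and unlisted_versions_enabled_by, the #ifdef fallback for an OpenSSL that lacks SSL_OP_NO_SSL_MASK, and the sample setting "TLSv1.2" are all the example's own. The last function shows the property the commit message describes: any version the library can disable but a hand-written starting list does not mention is left enabled.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Prefer the real flag values when <openssl/ssl.h> can be found. */
#if defined(__has_include)
# if __has_include(<openssl/ssl.h>)
#  include <openssl/ssl.h>
#  define EXAMPLE_HAVE_OPENSSL 1
# endif
#endif

#ifndef EXAMPLE_HAVE_OPENSSL
/* Assumed stand-in values (not OpenSSL's) so the example builds without the
 * header; they only need to be distinct bits. */
# define SSL_OP_NO_SSLv3   0x02000000UL
# define SSL_OP_NO_TLSv1   0x04000000UL
# define SSL_OP_NO_TLSv1_2 0x08000000UL
# define SSL_OP_NO_TLSv1_1 0x10000000UL
# define SSL_OP_NO_TLSv1_3 0x20000000UL
# define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 \
                             | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3)
#endif

#ifndef SSL_OP_NO_SSL_MASK
/* Hypothetical fallback for an OpenSSL header that predates the mask: such a
 * release has no TLS 1.3, so the explicit list is complete there. */
# define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 \
                             | SSL_OP_NO_TLSv1_2)
#endif

/* Name accepted from the user -> the SSL_OP_NO_* bit that disables it. */
static const struct { const char *name; uint64_t no_flag; } protos[] = {
    { "SSLv3",   SSL_OP_NO_SSLv3 },
    { "TLSv1",   SSL_OP_NO_TLSv1 },
    { "TLSv1.1", SSL_OP_NO_TLSv1_1 },
    { "TLSv1.2", SSL_OP_NO_TLSv1_2 },
#ifdef SSL_OP_NO_TLSv1_3
    { "TLSv1.3", SSL_OP_NO_TLSv1_3 },
#endif
};

/* Case-insensitive compare of a NUL-terminated name against a token of 'len' bytes. */
static int name_eq(const char *name, const char *tok, size_t len)
{
    if (strlen(name) != len) return 0;
    for (size_t i = 0; i < len; i++) {
        if (tolower((unsigned char) name[i]) != tolower((unsigned char) tok[i])) return 0;
    }
    return 1;
}

/* The SSL_OP_NO_* bit for a version name, or 0 if the name is not in the table. */
static uint64_t no_flag_for(const char *tok, size_t len)
{
    for (size_t i = 0; i < sizeof protos / sizeof protos[0]; i++) {
        if (name_eq(protos[i].name, tok, len)) return protos[i].no_flag;
    }
    return 0;
}

/* Turns "TLSv1.2,TLSv1.3" into the value for SSL_CTX_set_options(): every
 * version starts disabled via SSL_OP_NO_SSL_MASK and only named ones are
 * re-enabled, so a version the library adds later stays off until this table
 * learns its name. Returns 0 on success, -1 (fail closed) on an unknown name. */
int ssl_protocol_flags(const char *arg, uint64_t *out)
{
    uint64_t flags = SSL_OP_NO_SSL_MASK;
    for (const char *p = arg; *p; ) {
        while (*p == ',' || *p == ' ') p++;            /* skip separators */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != ',' && *p != ' ') p++;      /* one token */
        uint64_t bit = no_flag_for(start, (size_t) (p - start));
        if (!bit) return -1;
        flags &= ~bit;
    }
    *out = flags;
    return 0;
}

/* 1 if 'version' is enabled under the setting 'arg', 0 if disabled or not in
 * the table, -1 if 'arg' itself is rejected. */
int protocol_allowed(const char *arg, const char *version)
{
    uint64_t flags;
    if (ssl_protocol_flags(arg, &flags) != 0) return -1;
    uint64_t bit = no_flag_for(version, strlen(version));
    return bit != 0 && (flags & bit) == 0;
}

/* Versions a hand-written starting list of SSL_OP_NO_* bits leaves enabled:
 * everything the library can disable that the list did not mention. */
uint64_t unlisted_versions_enabled_by(uint64_t hand_written_no_list)
{
    return (uint64_t) SSL_OP_NO_SSL_MASK & ~hand_written_no_list;
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "TLSv1.2";   /* constructed sample setting */
    uint64_t flags;
    if (ssl_protocol_flags(arg, &flags) != 0) {
        fprintf(stderr, "unknown protocol name in \"%s\"\n", arg);
        return 1;
    }
    printf("SSL_CTX_set_options() value for \"%s\": 0x%llx\n", arg, (unsigned long long) flags);
    /* A starting list that stops at TLSv1.2 (as the pre-patch code did) leaves
     * any newer version the library knows switched on. */
    uint64_t old_list = SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
    printf("left enabled by the hand-written list: 0x%llx\n",
           (unsigned long long) unlisted_versions_enabled_by(old_list));
    return 0;
}
```

Run it with no argument to see the flags for "TLSv1.2", or pass a list such as "TLSv1.2,TLSv1.3"; a misspelled name is rejected outright rather than silently ignored, which is the safer choice for a setting that widens the attack surface when it is wrong.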