[ovs-dev] [PATCH] stream-ssl: Don't enable new TLS versions by default
Timothy Redaelli
tredaelli at redhat.com
Fri Jul 27 14:29:40 UTC 2018
Currently protocol_flags is populated by the list of SSL and TLS
protocols by hand. This means that when a new TLS version is added to
openssl (in this case TLS v1.3 is added to openssl 1.1.1 beta)
ovsdb-server automatically enables support for it with the default ciphers.
This can be a security problem (since other ciphers can be enabled) and it
also makes a test (SSL db: implementation) fail.
This commit changes the 'protocol_flags' to use the list of all protocol
flags as provided by openssl library (SSL_OP_NO_SSL_MASK) so there is no
need to keep the list updated by hand.
Signed-off-by: Timothy Redaelli <tredaelli at redhat.com>
---
lib/stream-ssl.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index c7443470f..f3d623c03 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -1188,8 +1188,7 @@ stream_ssl_set_protocols(const char *arg)
}
/* Start with all the flags off and turn them on as requested. */
- long protocol_flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1;
- protocol_flags |= SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
+ long protocol_flags = SSL_OP_NO_SSL_MASK;
char *s = xstrdup(arg);
char *save_ptr = NULL;
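Review bot: the replacement `long protocol_flags = SSL_OP_NO_SSL_MASK;` makes the build depend unconditionally on that macro being defined by the OpenSSL headers in use; if any supported OpenSSL version lacks it, the file no longer compiles. Consider guarding it with a fallback to the previous explicit list, e.g. `#ifndef SSL_OP_NO_SSL_MASK` / `#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2)` / `#endif`, or state in the commit message which minimum OpenSSL version provides it. It would also help to extend the "Start with all the flags off" comment to say that the mask covers every protocol version the linked OpenSSL knows about, so a version newer than this code stays disabled until it is explicitly requested by name in the argument parsed below; that is the security property the commit message is after, and it is worth recording next to the line that enforces it.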
--
2.17.1