From 645900c7a345ae54e896c558b82d7bed4556e77d Mon Sep 17 00:00:00 2001
From: Christophe Fergeau
Date: Thu, 29 Mar 2018 11:31:18 +0200
Subject: Use SSL_CTX_set_min_proto_version with newer openssl

---
 configure.ac  | 14 ++++++++++++++
 server/reds.c | 15 ++++++++++-----
 2 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/configure.ac b/configure.ac
index 2443ccf3..12dee0be 100644
--- a/configure.ac
+++ b/configure.ac
@@ -196,6 +196,20 @@ AC_SUBST(SSL_CFLAGS)
 AC_SUBST(SSL_LIBS)
 AS_VAR_APPEND([SPICE_REQUIRES], [" openssl"])
+save_CFLAGS=$CFLAGS
+save_LIBS=$LIBS
+CFLAGS=$SSL_FLAGS
+LIBS=$SSL_LIBS
+AC_LINK_IFELSE([AC_LANG_SOURCE([
+#include
+int main () { SSL_CTX_set_min_proto_version(NULL, 0); }
+])], have_openssl_min_proto_version="yes", have_openssl_min_proto_version="no")
+AS_IF([test "$have_openssl_min_proto_version" = "yes"],
+      [AC_DEFINE([HAVE_SSL_CTX_SET_MIN_PROTO_VERSION], [1], [openssl provides SSL_CTX_set_min_proto_version])])
+CFLAGS=$save_CFLAGS
+LIBS=$save_LIBS
+
+
 AC_CHECK_LIB(jpeg, jpeg_destroy_decompress,
     AC_MSG_CHECKING([for jpeglib.h])
     AC_TRY_CPP(
diff --git a/server/reds.c b/server/reds.c
index 998f2ffa..474e36e2 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -2766,11 +2766,6 @@ static int reds_init_ssl(RedsState *reds)
     static GOnce openssl_once = G_ONCE_INIT;
     const SSL_METHOD *ssl_method;
     int return_code;
-    /* Limit connection to TLSv1.1 or newer. * When some other SSL/TLS version becomes obsolete, add it to this * variable. */
-    long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION | SSL_OP_NO_TLSv1;
-
     /* Global system initialization*/
     g_once(&openssl_once, openssl_global_init, NULL);
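Review bot: `CFLAGS=$SSL_FLAGS` in the configure.ac hunk references a variable that does not appear anywhere in this patch; the substituted variable is `SSL_CFLAGS` (see `AC_SUBST(SSL_CFLAGS)` in the hunk header), so the link test runs with empty CFLAGS and silently reports "no" whenever the OpenSSL headers are not on the default include path, leaving HAVE_SSL_CTX_SET_MIN_PROTO_VERSION undefined and the server on the SSL_OP_NO_* fallback even against OpenSSL 1.1.x. The test also overwrites the caller's CFLAGS/LIBS instead of extending them, which can drop include paths the rest of configure relies on; `CFLAGS="$save_CFLAGS $SSL_CFLAGS"` and `LIBS="$save_LIBS $SSL_LIBS"` fix both problems. Wrapping the probe in `AC_MSG_CHECKING([for SSL_CTX_set_min_proto_version])` / `AC_MSG_RESULT([$have_openssl_min_proto_version])` would make a silent fallback visible in the configure log. The `+#include` line shows no header name in this rendering; presumably `<openssl/ssl.h>` was lost in extraction, but it is worth confirming against the source patch since the probe cannot link without it.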
@@ -2783,7 +2778,17 @@ static int reds_init_ssl(RedsState *reds)
         return -1;
     }
+    /* Limit connection to TLSv1.1 or newer. */
+#ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
+    SSL_CTX_set_min_proto_version(reds->ctx, TLS1_1_VERSION);
+    /* This should be set by default with OpenSSL 1.1.0, which is also the * version which introduced SSL_CTX_set_min_proto_version */
+    SSL_CTX_set_options(reds->ctx, SSL_OP_NO_COMPRESSION);
+#else
+    long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION | SSL_OP_NO_TLSv1;
     SSL_CTX_set_options(reds->ctx, ssl_options);
+#endif
     /* Load our keys and certificates*/
     return_code = SSL_CTX_use_certificate_chain_file(reds->ctx, reds->config->ssl_parameters.certs_file);
-- 
cgit v1.2.3
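Review bot: The return value of `SSL_CTX_set_min_proto_version(reds->ctx, TLS1_1_VERSION)` is discarded; that call returns 0 when the requested floor cannot be applied (for example a library built without TLS 1.1 support), and in that case the context silently keeps the library's default minimum, so the "Limit connection to TLSv1.1 or newer" comment directly above it is no longer guaranteed. Since reds_init_ssl already aborts with `return -1;` on the error path at the top of this hunk, the protocol floor should be treated the same way: `if (!SSL_CTX_set_min_proto_version(reds->ctx, TLS1_1_VERSION)) { return -1; }` (whatever cleanup the earlier `return -1;` path performs is outside the hunk and should be mirrored). The `#else` branch lost the old comment explaining that newly obsolete versions must be added to `ssl_options`; a short `/* Pre-1.1.0 OpenSSL: no min-version API, exclude obsolete protocols explicitly */` keeps that maintenance note for the fallback. reds_init_ssl begins and ends outside this hunk.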