Allow specific SSL/TLS versions to be disabled #208

Merged
merged 3 commits into from Nov 27, 2016

3 participants
Contributor

rtau commented Dec 9, 2015

Here is a patch to disable a specific SSL/TLS version from being used on the server. The AcceptOnlyTls setting has also been changed to use the same mechanism to disable SSL versions 2 and 3.

Member

dnobori commented May 26, 2016
Your great patch is much appreciated. We are considering applying your patch to the SoftEther VPN main tree.

SoftEther VPN Patch Acceptance Policy:
http://www.softether.org/5-download/src/9.patch

You have two options, which are described in the above policy.
Could you please choose either option 1 or 2, and state it clearly in your reply?

Contributor

rtau commented May 28, 2016
I would opt for option 2. Thanks.

blakesteel commented Jul 30, 2016

Instead of the #208 patch, which adds a lot of unnecessary code that needs to be maintained and complicates the design, I recommend simply disabling all older protocols by default. More code means more potential for exploits. And these older protocols should never be used by anyone; they are no longer safe.

Also, the SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2 options have been deprecated since OpenSSL 1.1.0 and should be replaced by SSL_CTX_set_min_proto_version and SSL_CTX_set_max_proto_version instead. Reference: https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html

My proposed code change:

Do not modify the Cedar.c, Cedar.h or Network.h files. And in Cedar/Connection.c and Cedar/Server.c, remove any code involving AcceptOnlyTls; it is no longer needed.

In the StartSSLEx method in src/Mayaqua/Network.c, remove the code for the AcceptOnlyTls setting completely and add the following. Note: 0 in the max proto setting means up to the highest version supported:

/* Refuse anything below TLS 1.2. A maximum of 0 means "the highest version
   this OpenSSL build supports", so newer protocols are allowed automatically
   as they appear. */
SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_2_VERSION);
SSL_CTX_set_max_proto_version(ssl_ctx, 0);

if (sock->ServerMode)
{
    Unlock(openssl_lock);
    AddChainSslCertOnDirectory(ssl_ctx);
    Lock(openssl_lock);
}

If you would like, you could add a define somewhere in the header for providing the default minimum and maximum TLS versions and/or retrieve it via a user provided setting. But, I leave that up to you.

My code can be provided to both the commercial and GPL versions under Option 1. I hope this decision will help provide the needed security, privacy and safety to everyone equally.

Thanks.

Edit: I changed max to 0 so that we automatically take advantage of the next protocol released after TLS 1.2.
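
The two proposals in this thread are not equivalent, and the following added example (not SoftEther code, and not from either commenter) makes the difference concrete. rtau's patch disables individual versions with per-version flags, the shape of OpenSSL's SSL_OP_NO_* options; blakesteel's replacement sets a contiguous floor with SSL_CTX_set_min_proto_version(). A per-version mask can express a hole (TLS 1.1 off while TLS 1.0 and 1.2 stay on) that a min/max pair cannot, so any code that migrates from one to the other has to decide what a hole means. The function below converts a hypothetical disable mask into the [min, max] pair the min/max API takes and reports a hole instead of silently widening the range. The EX_* names are this example's own; the EX_*_VERSION values equal the wire versions carried by OpenSSL's SSL3_VERSION and TLS1_*_VERSION macros, so the result can be passed to the OpenSSL setters unchanged. It builds with no OpenSSL dependency.

```c
/* Added example, not SoftEther code: per-version disable mask -> [min, max]
 * protocol range for SSL_CTX_set_min_proto_version()/_max_proto_version().
 * EX_* names are hypothetical; version values match OpenSSL's wire values. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define EX_SSL3_VERSION   0x0300
#define EX_TLS1_VERSION   0x0301
#define EX_TLS1_1_VERSION 0x0302
#define EX_TLS1_2_VERSION 0x0303
#define EX_TLS1_3_VERSION 0x0304

/* Hypothetical disable bits, one per version, lowest version first. */
#define EX_NO_SSL3   (1u << 0)
#define EX_NO_TLS1   (1u << 1)
#define EX_NO_TLS1_1 (1u << 2)
#define EX_NO_TLS1_2 (1u << 3)
#define EX_NO_TLS1_3 (1u << 4)
#define EX_NO_ALL    (EX_NO_SSL3 | EX_NO_TLS1 | EX_NO_TLS1_1 | EX_NO_TLS1_2 | EX_NO_TLS1_3)
/* The floor the "TLS 1.2 and up" default in this thread implies. */
#define EX_NO_BELOW_TLS1_2 (EX_NO_SSL3 | EX_NO_TLS1 | EX_NO_TLS1_1)

enum { EX_RANGE_OK = 0, EX_RANGE_EMPTY = -1, EX_RANGE_HOLE = -2 };

static const struct {
    unsigned    bit;
    int         version;
    const char *name;
} ex_versions[] = {
    { EX_NO_SSL3,   EX_SSL3_VERSION,   "SSLv3"   },
    { EX_NO_TLS1,   EX_TLS1_VERSION,   "TLSv1"   },
    { EX_NO_TLS1_1, EX_TLS1_1_VERSION, "TLSv1.1" },
    { EX_NO_TLS1_2, EX_TLS1_2_VERSION, "TLSv1.2" },
    { EX_NO_TLS1_3, EX_TLS1_3_VERSION, "TLSv1.3" },
};
#define EX_NVERSIONS (sizeof ex_versions / sizeof ex_versions[0])

/* Printable name of a version number, for log lines. */
const char *ex_version_name(int version)
{
    for (size_t i = 0; i < EX_NVERSIONS; i++)
        if (ex_versions[i].version == version)
            return ex_versions[i].name;
    return "unknown";
}

/* Walk versions in ascending order: the first enabled one is the floor, the
 * last enabled one the ceiling. A disabled version between two enabled ones
 * is a hole; widening the range would re-enable a version the operator
 * switched off, so it is reported rather than "fixed". Trailing disabled
 * versions simply lower the ceiling. */
int ex_range_from_mask(unsigned disabled, int *min_out, int *max_out)
{
    int  min = 0, max = 0;
    bool seen_enabled = false, seen_gap = false;

    for (size_t i = 0; i < EX_NVERSIONS; i++) {
        bool enabled = (disabled & ex_versions[i].bit) == 0;
        if (!enabled) {
            if (seen_enabled)
                seen_gap = true;   /* a hole only if a later version is enabled */
            continue;
        }
        if (seen_gap)
            return EX_RANGE_HOLE;
        if (!seen_enabled) {
            min = ex_versions[i].version;
            seen_enabled = true;
        }
        max = ex_versions[i].version;
    }
    if (!seen_enabled)
        return EX_RANGE_EMPTY;
    *min_out = min;
    *max_out = max;
    return EX_RANGE_OK;
}

int main(void)
{
    /* Constructed sample masks: the proposed default, the old AcceptOnlyTls
     * semantics (SSLv3 off only), a hole, and everything disabled. */
    const unsigned masks[] = { EX_NO_BELOW_TLS1_2, EX_NO_SSL3, EX_NO_TLS1_1, EX_NO_ALL };

    for (size_t i = 0; i < sizeof masks / sizeof masks[0]; i++) {
        int min, max, rc = ex_range_from_mask(masks[i], &min, &max);
        if (rc == EX_RANGE_OK)
            printf("mask 0x%02x -> min %s, max %s\n", masks[i],
                   ex_version_name(min), ex_version_name(max));
        else
            printf("mask 0x%02x -> rejected (%s)\n", masks[i],
                   rc == EX_RANGE_HOLE ? "hole in version range" : "no version enabled");
    }
    return 0;
}
```

In a real build the returned pair goes straight into SSL_CTX_set_min_proto_version(ctx, min) and SSL_CTX_set_max_proto_version(ctx, max); both return 1 on success and 0 on failure, so unlike the SSL_OP_NO_* options they can and should be checked, for instance when the build's OpenSSL does not support the requested floor at all.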

w1bsb referenced this pull request Nov 16, 2016

Closed

Is this project DEAD? #268

dnobori merged commit 311ab9e into SoftEtherVPN:master Nov 27, 2016

Member

dnobori commented Nov 27, 2016

Thank you so much for your contribution, which enriches the SoftEther VPN source code.

Your patch has been merged into the main source tree of SoftEther VPN.

As a token of our gratitude, your GitHub username has been added to the AUTHORS.TXT file and to the header of the related source file.
Please see: https://github.com/SoftEtherVPN/SoftEtherVPN/blob/master/AUTHORS.TXT

Thanks again for your contribution.
