Implement the needs of @AnonSphere and the stuff he did not request y…

…et and fix #1115
cherokee · Feb 6, 2014 · f81858b · f81858b
1 parent 263aac2
commit f81858b
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 2 deletions.
diff --git a/admin/PageAdvanced.py b/admin/PageAdvanced.py
@@ -54,6 +54,10 @@
     ("server!iocache!lasting_stat",   validations.is_positive_int),
     ("server!iocache!lasting_mmap",   validations.is_positive_int),
     ("server!tls!protocol!SSLv2",     validations.is_boolean),
+    ("server!tls!protocol!SSLv3",     validations.is_boolean),
+    ("server!tls!protocol!TLSv1",     validations.is_boolean),
+    ("server!tls!protocol!TLSv1_1",   validations.is_boolean),
+    ("server!tls!protocol!TLSv1_2",   validations.is_boolean),
     ("server!tls!timeout_handshake",  validations.is_positive_int),
     ("server!tls!dh_param512",        validations.is_local_file_exists),
     ("server!tls!dh_param1024",       validations.is_local_file_exists),
@@ -92,7 +96,10 @@
 NOTE_DH4096       = N_('Path to a Diffie Hellman (DH) parameters PEM file: 4096 bits.')
 NOTE_TLS_TIMEOUT  = N_('Timeout for the TLS/SSL handshake. Default: 15 seconds.')
 NOTE_TLS_SSLv2    = N_('Allow clients to use SSL version 2 - Beware: it is vulnerable. (Default: No)')
-
+NOTE_TLS_SSLv3    = N_('Allow clients to use SSL version 3 (Default: Yes)')
+NOTE_TLS_TLSv1    = N_('Allow clients to use TLS version 1 (Default: Yes)')
+NOTE_TLS_TLSv1_1  = N_('Allow clients to use TLS version 1.1 (Default: Yes)')
+NOTE_TLS_TLSv1_2  = N_('Allow clients to use TLS version 1.2 (Default: Yes)')
 
 HELPS = [('config_advanced', N_('Advanced'))]
 
@@ -173,7 +180,11 @@ def __init__ (self):
         CTK.Container.__init__ (self)
 
         table = CTK.PropsAuto(URL_APPLY)
-        table.Add (_('Allow SSL v2'),             CTK.CheckCfgText('server!tls!protocol!SSLv2', False, _("Allow")), _(NOTE_TLS_SSLv2))
+        table.Add (_('SSL version 2'),            CTK.CheckCfgText('server!tls!protocol!SSLv2',  False, _("Allow")), _(NOTE_TLS_SSLv2))
+        table.Add (_('SSL version 3'),            CTK.CheckCfgText('server!tls!protocol!SSLv3',   True, _("Allow")), _(NOTE_TLS_SSLv3))
+        table.Add (_('TLS version 1'),            CTK.CheckCfgText('server!tls!protocol!TLSv1',   True, _("Allow")), _(NOTE_TLS_TLSv1))
+        table.Add (_('TLS version 1.1'),          CTK.CheckCfgText('server!tls!protocol!TLSv1_1', True, _("Allow")), _(NOTE_TLS_TLSv1_1))
+        table.Add (_('TLS version 1.2'),          CTK.CheckCfgText('server!tls!protocol!TLSv1_2', True, _("Allow")), _(NOTE_TLS_TLSv1_2))
         table.Add (_('Handshake Timeout'),        CTK.TextCfg('server!tls!timeout_handshake', True), _(NOTE_TLS_TIMEOUT))
         table.Add (_('DH parameters: 512 bits'),  CTK.TextCfg('server!tls!dh_param512',  True), _(NOTE_DH512))
         table.Add (_('DH parameters: 1024 bits'), CTK.TextCfg('server!tls!dh_param1024', True), _(NOTE_DH1024))

diff --git a/cherokee/cryptor.c b/cherokee/cryptor.c
@@ -49,6 +49,10 @@ cherokee_cryptor_init_base (cherokee_cryptor_t      *cryp,
 	 */
 	cryp->timeout_handshake = TIMEOUT_DEFAULT;
 	cryp->allow_SSLv2       = false;
+	cryp->allow_SSLv3       = true;
+	cryp->allow_TLSv1       = true;
+	cryp->allow_TLSv1_1     = true;
+	cryp->allow_TLSv1_2     = true;
 
 	return ret_ok;
 }
@@ -83,6 +87,10 @@ cherokee_cryptor_configure (cherokee_cryptor_t     *cryp,
 	 */
 	cherokee_config_node_read_int  (conf, "timeout_handshake", &cryp->timeout_handshake);
 	cherokee_config_node_read_bool (conf, "protocol!SSLv2",    &cryp->allow_SSLv2);
+	cherokee_config_node_read_bool (conf, "protocol!SSLv3",    &cryp->allow_SSLv3);
+	cherokee_config_node_read_bool (conf, "protocol!TLSv1",    &cryp->allow_TLSv1);
+	cherokee_config_node_read_bool (conf, "protocol!TLSv1_1",  &cryp->allow_TLSv1_1);
+	cherokee_config_node_read_bool (conf, "protocol!TLSv1_2",  &cryp->allow_TLSv1_2);
 
 	/* Call the its virtual method
 	 */

diff --git a/cherokee/cryptor.h b/cherokee/cryptor.h
@@ -67,6 +67,10 @@ typedef struct {
 	cherokee_module_t          module;
 	cint_t                     timeout_handshake;
 	cherokee_boolean_t         allow_SSLv2;
+	cherokee_boolean_t         allow_SSLv3;
+	cherokee_boolean_t         allow_TLSv1;
+	cherokee_boolean_t         allow_TLSv1_1;
+	cherokee_boolean_t         allow_TLSv1_2;
 
 	/* Methods */
 	cryptor_func_configure_t   configure;

diff --git a/cherokee/cryptor_libssl.c b/cherokee/cryptor_libssl.c
@@ -460,6 +460,22 @@ _vserver_new (cherokee_cryptor_t          *cryp,
 		options |= SSL_OP_NO_SSLv2;
 	}
 
+	if (! cryp->allow_SSLv3) {
+		options |= SSL_OP_NO_SSLv3;
+	}
+
+	if (! cryp->allow_TLSv1) {
+		options |= SSL_OP_NO_TLSv1;
+	}
+
+	if (! cryp->allow_TLSv1_1) {
+		options |= SSL_OP_NO_TLSv1_1;
+	}
+
+	if (! cryp->allow_TLSv1_2) {
+		options |= SSL_OP_NO_TLSv1_2;
+	}
+
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
 	if (vsrv->cipher_server_preference) {
 		options |= SSL_OP_CIPHER_SERVER_PREFERENCE;