
More tls options #1116

Closed
wants to merge 2 commits into from

1 participant

Commits on Feb 4, 2014
  1. @skinkie
Commits on Feb 6, 2014
  1. @skinkie
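--- a/admin/PageAdvanced.py
+++ b/admin/PageAdvanced.py
@@ -54,6 +54,10 @@
 ("server!iocache!lasting_stat", validations.is_positive_int),
 ("server!iocache!lasting_mmap", validations.is_positive_int),
 ("server!tls!protocol!SSLv2", validations.is_boolean),
+ ("server!tls!protocol!SSLv3", validations.is_boolean),
+ ("server!tls!protocol!TLSv1", validations.is_boolean),
+ ("server!tls!protocol!TLSv1_1", validations.is_boolean),
+ ("server!tls!protocol!TLSv1_2", validations.is_boolean),
 ("server!tls!timeout_handshake", validations.is_positive_int),
 ("server!tls!dh_param512", validations.is_local_file_exists),
 ("server!tls!dh_param1024", validations.is_local_file_exists),
@@ -92,7 +96,10 @@
 NOTE_DH4096 = N_('Path to a Diffie Hellman (DH) parameters PEM file: 4096 bits.')
 NOTE_TLS_TIMEOUT = N_('Timeout for the TLS/SSL handshake. Default: 15 seconds.')
 NOTE_TLS_SSLv2 = N_('Allow clients to use SSL version 2 - Beware: it is vulnerable. (Default: No)')
-
+NOTE_TLS_SSLv3 = N_('Allow clients to use SSL version 3 (Default: Yes)')
+NOTE_TLS_TLSv1 = N_('Allow clients to use TLS version 1 (Default: Yes)')
+NOTE_TLS_TLSv1_1 = N_('Allow clients to use TLS version 1.1 (Default: Yes)')
+NOTE_TLS_TLSv1_2 = N_('Allow clients to use TLS version 1.2 (Default: Yes)')
 HELPS = [('config_advanced', N_('Advanced'))]
@@ -173,7 +180,11 @@ def __init__ (self):
 CTK.Container.__init__ (self)
 table = CTK.PropsAuto(URL_APPLY)
- table.Add (_('Allow SSL v2'), CTK.CheckCfgText('server!tls!protocol!SSLv2', False, _("Allow")), _(NOTE_TLS_SSLv2))
+ table.Add (_('SSL version 2'), CTK.CheckCfgText('server!tls!protocol!SSLv2', False, _("Allow")), _(NOTE_TLS_SSLv2))
+ table.Add (_('SSL version 3'), CTK.CheckCfgText('server!tls!protocol!SSLv3', True, _("Allow")), _(NOTE_TLS_SSLv3))
+ table.Add (_('TLS version 1'), CTK.CheckCfgText('server!tls!protocol!TLSv1', True, _("Allow")), _(NOTE_TLS_TLSv1))
+ table.Add (_('TLS version 1.1'), CTK.CheckCfgText('server!tls!protocol!TLSv1_1', True, _("Allow")), _(NOTE_TLS_TLSv1_1))
+ table.Add (_('TLS version 1.2'), CTK.CheckCfgText('server!tls!protocol!TLSv1_2', True, _("Allow")), _(NOTE_TLS_TLSv1_2))
 table.Add (_('Handshake Timeout'), CTK.TextCfg('server!tls!timeout_handshake', True), _(NOTE_TLS_TIMEOUT))
 table.Add (_('DH parameters: 512 bits'), CTK.TextCfg('server!tls!dh_param512', True), _(NOTE_DH512))
 table.Add (_('DH parameters: 1024 bits'), CTK.TextCfg('server!tls!dh_param1024', True), _(NOTE_DH1024))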
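Review bot: NOTE_TLS_SSLv3 in the second hunk describes the new option only as "(Default: Yes)", while the neighbouring NOTE_TLS_SSLv2 tells the administrator that the protocol is weak; SSLv3 is likewise obsolete (it predates TLS 1.0) and is normally kept on only for legacy clients, so the help text should say so, e.g. `NOTE_TLS_SSLv3 = N_('Allow clients to use SSL version 3 - Obsolete, keep enabled only for legacy clients. (Default: Yes)')`. The third hunk also lets an administrator clear all five protocol checkboxes at once, which leaves the server nothing to negotiate; a validation rule or a sentence in the notes stating that at least one version must remain enabled would make that misconfiguration visible in the admin UI. The `__init__` body in the third hunk continues outside the hunk.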
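--- a/admin/consts.py
+++ b/admin/consts.py
@@ -44,7 +44,8 @@
 ('minor', N_('Product + Minor version')),
 ('minimal', N_('Product + Minimal version')),
 ('os', N_('Product + Platform')),
- ('full', N_('Full Server string'))
+ ('full', N_('Full Server string')),
+ ('none', N_('No Server String'))
 ]
 HANDLERS = [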
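Review bot: The new label `N_('No Server String')` capitalises "String" while the sibling entry two lines above writes `'Full Server string'`; since these are translatable UI strings, the inconsistency will be visible to users and translators alike, so `('none', N_('No Server string'))` keeps the list uniform. The 'none' value is the one the server-side parser in cherokee/server.c now expects in lower case, so the spelling here must stay in step with that hunk.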
HANDLERS = [
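--- a/cherokee/connection.c
+++ b/cherokee/connection.c
@@ -856,9 +856,11 @@ build_response_header (cherokee_connection_t *conn,
 /* Add the Server header
 */
- cherokee_buffer_add_str (buffer, "Server: ");
- cherokee_buffer_add_buffer (buffer, &CONN_BIND(conn)->server_string);
- cherokee_buffer_add_str (buffer, CRLF);
+ if (CONN_SRV(conn) > cherokee_version_none) {
+ cherokee_buffer_add_str (buffer, "Server: ");
+ cherokee_buffer_add_buffer (buffer, &CONN_BIND(conn)->server_string);
+ cherokee_buffer_add_str (buffer, CRLF);
+ }
 /* Authentication
 */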
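Review bot: The new guard compares the server pointer itself, `CONN_SRV(conn) > cherokee_version_none`, rather than its server_token field, so a pointer is tested against an enum and the condition is effectively always true for a non-null server; the 'none' setting would therefore still emit the Server header on this path, and the compiler should warn about the pointer/integer comparison. The other hunks in this PR (handler_cgi_base.c, handler_proxy.c) spell the intended test, so this line should read `if (CONN_SRV(conn)->server_token > cherokee_version_none) {`. build_response_header continues outside the hunk.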
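--- a/cherokee/cryptor.c
+++ b/cherokee/cryptor.c
@@ -49,6 +49,10 @@ cherokee_cryptor_init_base (cherokee_cryptor_t *cryp,
 */
 cryp->timeout_handshake = TIMEOUT_DEFAULT;
 cryp->allow_SSLv2 = false;
+ cryp->allow_SSLv3 = true;
+ cryp->allow_TLSv1 = true;
+ cryp->allow_TLSv1_1 = true;
+ cryp->allow_TLSv1_2 = true;
 return ret_ok;
 }
@@ -83,6 +87,10 @@ cherokee_cryptor_configure (cherokee_cryptor_t *cryp,
 */
 cherokee_config_node_read_int (conf, "timeout_handshake", &cryp->timeout_handshake);
 cherokee_config_node_read_bool (conf, "protocol!SSLv2", &cryp->allow_SSLv2);
+ cherokee_config_node_read_bool (conf, "protocol!SSLv3", &cryp->allow_SSLv3);
+ cherokee_config_node_read_bool (conf, "protocol!TLSv1", &cryp->allow_TLSv1);
+ cherokee_config_node_read_bool (conf, "protocol!TLSv1_1", &cryp->allow_TLSv1_1);
+ cherokee_config_node_read_bool (conf, "protocol!TLSv1_2", &cryp->allow_TLSv1_2);
 /* Call the its virtual method
 */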
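Review bot: The defaults added to cherokee_cryptor_init_base enable every protocol except SSLv2 without saying why; before this PR the only SSL_OP_NO_* flag set was the SSLv2 one, so these values reproduce the previous negotiation set, and a comment above the new lines should record that so nobody later tightens or loosens them by accident: `/* Defaults reproduce the previous behaviour: every version except SSLv2 is negotiable. */`. In the second hunk the return values of the read_bool calls are discarded, matching the existing SSLv2 line, so an unparseable value presumably leaves the default in place silently; for security-relevant switches that is worth a one-line comment next to the calls. Both functions continue outside their hunks.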
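--- a/cherokee/cryptor.h
+++ b/cherokee/cryptor.h
@@ -67,6 +67,10 @@ typedef struct {
 cherokee_module_t module;
 cint_t timeout_handshake;
 cherokee_boolean_t allow_SSLv2;
+ cherokee_boolean_t allow_SSLv3;
+ cherokee_boolean_t allow_TLSv1;
+ cherokee_boolean_t allow_TLSv1_1;
+ cherokee_boolean_t allow_TLSv1_2;
 /* Methods */
 cryptor_func_configure_t configure;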
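--- a/cherokee/cryptor_libssl.c
+++ b/cherokee/cryptor_libssl.c
@@ -460,6 +460,22 @@ _vserver_new (cherokee_cryptor_t *cryp,
 options |= SSL_OP_NO_SSLv2;
 }
+ if (! cryp->allow_SSLv3) {
+ options |= SSL_OP_NO_SSLv3;
+ }
+
+ if (! cryp->allow_TLSv1) {
+ options |= SSL_OP_NO_TLSv1;
+ }
+
+ if (! cryp->allow_TLSv1_1) {
+ options |= SSL_OP_NO_TLSv1_1;
+ }
+
+ if (! cryp->allow_TLSv1_2) {
+ options |= SSL_OP_NO_TLSv1_2;
+ }
+
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
 if (vsrv->cipher_server_preference) {
 options |= SSL_OP_CIPHER_SERVER_PREFERENCE;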
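Review bot: SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 are used unconditionally in the new block, but this file already guards a newer-OpenSSL option with `#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE` a few lines below, and those two macros only exist in OpenSSL builds that implement TLS 1.1/1.2, so the build now fails against an older library. The two blocks should carry the same kind of guard, as shown below. Separately, nothing stops all four allow_* flags plus the SSLv2 one from being false, which produces a context that cannot negotiate any protocol version; logging a warning when every version is disabled would surface the misconfiguration at startup instead of as failed handshakes. _vserver_new starts before the hunk.
```c
	if (! cryp->allow_TLSv1) {
		options |= SSL_OP_NO_TLSv1;
	}

#ifdef SSL_OP_NO_TLSv1_1
	if (! cryp->allow_TLSv1_1) {
		options |= SSL_OP_NO_TLSv1_1;
	}
#endif

#ifdef SSL_OP_NO_TLSv1_2
	if (! cryp->allow_TLSv1_2) {
		options |= SSL_OP_NO_TLSv1_2;
	}
#endif

	/* … unchanged: SSL_OP_CIPHER_SERVER_PREFERENCE block … */
```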
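--- a/cherokee/handler_cgi_base.c
+++ b/cherokee/handler_cgi_base.c
@@ -282,11 +282,14 @@ cherokee_handler_cgi_base_build_basic_env (
 /* Set the basic variables
 */
- set_env (cgi, "SERVER_SOFTWARE",
- bind->server_string.buf,
- bind->server_string.len);
+ if (CONN_SRV(conn)->server_token > cherokee_version_none) {
+ set_env (cgi, "SERVER_SOFTWARE",
+ bind->server_string.buf,
+ bind->server_string.len);
+
+ set_env (cgi, "SERVER_SIGNATURE", "<address>Cherokee Web Server</address>", 38);
+ }
- set_env (cgi, "SERVER_SIGNATURE", "<address>Cherokee Web Server</address>", 38);
 set_env (cgi, "GATEWAY_INTERFACE", "CGI/1.1", 7);
 /* $PATH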
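Review bot: The predicate `CONN_SRV(conn)->server_token > cherokee_version_none` introduced here is repeated twice in handler_proxy.c and was meant to appear in connection.c as well, where it is mistyped; a single helper in version.h, for example `#define cherokee_server_tokens_hidden(srv) ((srv)->server_token == cherokee_version_none)`, would keep the four call sites in step and would have caught the divergent copy. The removed lines referenced only `bind`, so whether `conn` is in scope at this point of cherokee_handler_cgi_base_build_basic_env cannot be confirmed from the hunk. The function continues outside the hunk.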
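--- a/cherokee/handler_proxy.c
+++ b/cherokee/handler_proxy.c
@@ -1382,7 +1382,7 @@ parse_server_header (cherokee_handler_proxy_t *hdl,
 } else if (strncasecmp (begin, "Server:", 7) == 0) {
 added_server = true;
- if (! props->out_preserve_server) {
+ if (! props->out_preserve_server && CONN_SRV(conn)->server_token > cherokee_version_none) {
 cherokee_buffer_add_str (buf_out, "Server: ");
 cherokee_buffer_add_buffer (buf_out, &CONN_BIND(conn)->server_string);
 cherokee_buffer_add_str (buf_out, CRLF);
@@ -1495,7 +1495,7 @@ parse_server_header (cherokee_handler_proxy_t *hdl,
 /* 'Server' header
 */
- if (! added_server) {
+ if (! added_server && CONN_SRV(conn)->server_token > cherokee_version_none) {
 cherokee_buffer_add_str (buf_out, "Server: ");
 cherokee_buffer_add_buffer (buf_out, &CONN_BIND(conn)->server_string);
 cherokee_buffer_add_str (buf_out, CRLF);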
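Review bot: With out_preserve_server false and server_tokens set to 'none', the first hunk now drops the upstream Server header without writing a replacement, because `added_server = true` is still set on the line above, and the second hunk consequently adds nothing either. That matches 'none' meaning "no Server header at all", but it is a silent change for proxies that previously always rewrote the header, and a comment next to the first condition would make the intent explicit: `/* server_tokens=none: strip the upstream Server header and send none */`. parse_server_header continues outside both hunks.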
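--- a/cherokee/server.c
+++ b/cherokee/server.c
@@ -1484,15 +1484,17 @@ configure_server_property (cherokee_config_node_t *conf, void *data)
 }
 } else if (equal_buf_str (&conf->key, "server_tokens")) {
- if (equal_buf_str (&conf->val, "Product")) {
+ if (equal_buf_str (&conf->val, "product")) {
 srv->server_token = cherokee_version_product;
- } else if (equal_buf_str (&conf->val, "Minor")) {
+ } else if (equal_buf_str (&conf->val, "minor")) {
 srv->server_token = cherokee_version_minor;
- } else if (equal_buf_str (&conf->val, "Minimal")) {
+ } else if (equal_buf_str (&conf->val, "minimal")) {
 srv->server_token = cherokee_version_minimal;
- } else if (equal_buf_str (&conf->val, "OS")) {
+ } else if (equal_buf_str (&conf->val, "os")) {
 srv->server_token = cherokee_version_os;
- } else if (equal_buf_str (&conf->val, "Full")) {
+ } else if (equal_buf_str (&conf->val, "none")) {
+ srv->server_token = cherokee_version_none;
+ } else if (equal_buf_str (&conf->val, "full")) {
 srv->server_token = cherokee_version_full;
 } else {
 LOG_CRITICAL (CHEROKEE_ERROR_SERVER_TOKEN, conf->val.buf);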
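Review bot: The accepted spellings for server_tokens change from capitalised ("Product", "Full", ...) to lower-case in the same hunk that adds "none"; unless equal_buf_str compares case-insensitively (not visible here), every existing configuration written with the old spelling now falls through to LOG_CRITICAL (CHEROKEE_ERROR_SERVER_TOKEN) on startup. If the goal is to match the lower-case values emitted by admin/consts.py, accepting both spellings for at least one release, or stating the change in the commit message, would keep current deployments working. configure_server_property continues outside the hunk.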
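--- a/cherokee/version.c
+++ b/cherokee/version.c
@@ -32,6 +32,9 @@ cherokee_version_add (cherokee_buffer_t *buf, cherokee_server_token_t level)
 ret_t ret;
 switch (level) {
+ case cherokee_version_none:
+ ret = ret_ok;
+ break;
 case cherokee_version_product:
 ret = cherokee_buffer_add_str (buf, "Cherokee web server");
 break;
@@ -62,6 +65,9 @@ cherokee_version_add_w_port (cherokee_buffer_t *buf, cherokee_server_token_t lev
 ret_t ret;
 switch (level) {
+ case cherokee_version_none:
+ ret = cherokee_buffer_add_va (buf, "Port %d", port);
+ break;
 case cherokee_version_product:
 ret = cherokee_buffer_add_va (buf, "Cherokee web server, Port %d", port);
 break;
@@ -92,6 +98,9 @@ cherokee_version_add_simple (cherokee_buffer_t *buf, cherokee_server_token_t lev
 ret_t ret;
 switch (level) {
+ case cherokee_version_none:
+ ret = cherokee_buffer_add_str (buf, "Cherokee");
+ break;
 case cherokee_version_product:
 ret = cherokee_buffer_add_str (buf, "Cherokee");
 break;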
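Review bot: The three new `cherokee_version_none` cases are not symmetric: cherokee_version_add and cherokee_version_add_simple return ret_ok and leave buf untouched, whereas cherokee_version_add_w_port still writes "Port %d". That looks deliberate, since the port reveals nothing about the software, but a comment on the first case would stop a later reader from "harmonising" it: `/* none: write nothing about the server; callers must test server_token before emitting buf */`. Whether any caller assumes a non-empty buffer after these calls cannot be checked from the hunks, as all three functions continue outside them.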
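--- a/cherokee/version.h
+++ b/cherokee/version.h
@@ -37,6 +37,7 @@ CHEROKEE_BEGIN_DECLS
 typedef enum {
+ cherokee_version_none = 0,
 cherokee_version_product,
 cherokee_version_minor,
 cherokee_version_minimal,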
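Review bot: Inserting cherokee_version_none as the first enumerator renumbers every existing value (cherokee_version_product moves from 0 to 1, and so on), so anything compiled against the old header, such as separately built modules, or any stored numeric token value, will read one level off. The `> cherokee_version_none` tests added elsewhere in this PR rely on none being the smallest value, so the position is intentional and should be recorded: `cherokee_version_none = 0, /* must stay first: callers test server_token > none */`. The typedef continues outside the hunk.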