
Rewrite protocol version macros and refactoring

Introduce HAVE_SSLV2, HAVE_SSLV3, HAVE_TLSV10, HAVE_TLSV11 and
HAVE_TLSV12 to indicate that support for the respective protocol is
available in OpenSSL.  This was necessary due to the increased
complexity of testing version support following the phasing out of SSLv2
and SSLv3 from OpenSSL implementations.  This fixes the build with
OpenSSL versions which have SSLv3 support removed.

While here, de-duplicate code for setting SSL_CTX options and do not set
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION anymore; it has no benefit
in the context of splitting SSL/TLS for analysis.

Reported by:	Jérémie Courrèges-Anglas
droe committed Jul 28, 2015
1 parent a08a723 commit 57a2ab85884e8bacec8b03aa5a3f935376f43a2d
Showing with 139 additions and 148 deletions.
  1. +4 −4 GNUmakefile
  2. +40 −40 opts.c
  3. +10 −10 opts.h
  4. +43 −79 pxyconn.c
  5. +42 −15 ssl.h
@@ -36,10 +36,10 @@
### OpenSSL tweaking
# Define to enable support for SSLv2.
-# Default since 0.4.9 is to disable SSLv2 entirely, since there are servers
-# that are not compatible with SSLv2 Client Hello messages. If you build in
-# SSLv2 support, you can disable it at runtime using -R ssl2 to get the same
-# result as not building in SSLv2 support at all.
+# Default since 0.4.9 is to disable SSLv2 entirely even if OpenSSL supports it,
+# since there are servers that are not compatible with SSLv2 Client Hello
+# messages. If you build in SSLv2 support, you can disable it at runtime using
+# -R ssl2 to get the same result as not building in SSLv2 support at all.
#FEATURES+= -DWITH_SSLV2
# Define to make SSLsplit set a session id context in server mode.
80 opts.c
@@ -143,31 +143,31 @@ opts_proto_force(opts_t *opts, const char *optarg, const char *argv0)
exit(EXIT_FAILURE);
}
-#if defined(SSL_OP_NO_SSLv2) && defined(WITH_SSLV2)
+#ifdef HAVE_SSLV2
if (!strcmp(optarg, "ssl2")) {
opts->sslmethod = SSLv2_method;
} else
-#endif /* SSL_OP_NO_SSLv2 && WITH_SSLV2 */
-#ifdef SSL_OP_NO_SSLv3
+#endif /* HAVE_SSLV2 */
+#ifdef HAVE_SSLV3
if (!strcmp(optarg, "ssl3")) {
opts->sslmethod = SSLv3_method;
} else
-#endif /* SSL_OP_NO_SSLv3 */
-#ifdef SSL_OP_NO_TLSv1
+#endif /* HAVE_SSLV3 */
+#ifdef HAVE_TLSV10
if (!strcmp(optarg, "tls10") || !strcmp(optarg, "tls1")) {
opts->sslmethod = TLSv1_method;
} else
-#endif /* SSL_OP_NO_TLSv1 */
-#ifdef SSL_OP_NO_TLSv1_1
+#endif /* HAVE_TLSV10 */
+#ifdef HAVE_TLSV11
if (!strcmp(optarg, "tls11")) {
opts->sslmethod = TLSv1_1_method;
} else
-#endif /* SSL_OP_NO_TLSv1_1 */
-#ifdef SSL_OP_NO_TLSv1_2
+#endif /* HAVE_TLSV11 */
+#ifdef HAVE_TLSV12
if (!strcmp(optarg, "tls12")) {
opts->sslmethod = TLSv1_2_method;
} else
-#endif /* SSL_OP_NO_TLSv1_2 */
+#endif /* HAVE_TLSV12 */
{
fprintf(stderr, "%s: Unsupported SSL/TLS protocol '%s'\n",
argv0, optarg);
@@ -182,31 +182,31 @@ opts_proto_force(opts_t *opts, const char *optarg, const char *argv0)
void
opts_proto_disable(opts_t *opts, const char *optarg, const char *argv0)
{
-#if defined(SSL_OP_NO_SSLv2) && defined(WITH_SSLV2)
+#ifdef HAVE_SSLV2
if (!strcmp(optarg, "ssl2")) {
opts->no_ssl2 = 1;
} else
-#endif /* SSL_OP_NO_SSLv2 && WITH_SSLV2 */
-#ifdef SSL_OP_NO_SSLv3
+#endif /* HAVE_SSLV2 */
+#ifdef HAVE_SSLV3
if (!strcmp(optarg, "ssl3")) {
opts->no_ssl3 = 1;
} else
-#endif /* SSL_OP_NO_SSLv3 */
-#ifdef SSL_OP_NO_TLSv1
+#endif /* HAVE_SSLV3 */
+#ifdef HAVE_TLSV10
if (!strcmp(optarg, "tls10") || !strcmp(optarg, "tls1")) {
opts->no_tls10 = 1;
} else
-#endif /* SSL_OP_NO_TLSv1 */
-#ifdef SSL_OP_NO_TLSv1_1
+#endif /* HAVE_TLSV10 */
+#ifdef HAVE_TLSV11
if (!strcmp(optarg, "tls11")) {
opts->no_tls11 = 1;
} else
-#endif /* SSL_OP_NO_TLSv1_1 */
-#ifdef SSL_OP_NO_TLSv1_2
+#endif /* HAVE_TLSV11 */
+#ifdef HAVE_TLSV12
if (!strcmp(optarg, "tls12")) {
opts->no_tls12 = 1;
} else
-#endif /* SSL_OP_NO_TLSv1_2 */
+#endif /* HAVE_TLSV12 */
{
fprintf(stderr, "%s: Unsupported SSL/TLS protocol '%s'\n",
argv0, optarg);
@@ -221,41 +221,41 @@ void
opts_proto_dbg_dump(opts_t *opts)
{
log_dbg_printf("SSL/TLS protocol: %s%s%s%s%s%s\n",
-#if defined(SSL_OP_NO_SSLv2) && defined(WITH_SSLV2)
+#ifdef HAVE_SSLV2
(opts->sslmethod == SSLv2_method) ? "nossl2" :
-#endif /* SSL_OP_NO_SSLv2 && WITH_SSLV2 */
-#ifdef SSL_OP_NO_SSLv3
+#endif /* HAVE_SSLV2 */
+#ifdef HAVE_SSLV3
(opts->sslmethod == SSLv3_method) ? "ssl3" :
-#endif /* SSL_OP_NO_SSLv3 */
-#ifdef SSL_OP_NO_TLSv1
+#endif /* HAVE_SSLV3 */
+#ifdef HAVE_TLSV10
(opts->sslmethod == TLSv1_method) ? "tls10" :
-#endif /* SSL_OP_NO_TLSv1 */
-#ifdef SSL_OP_NO_TLSv1_1
+#endif /* HAVE_TLSV10 */
+#ifdef HAVE_TLSV11
(opts->sslmethod == TLSv1_1_method) ? "tls11" :
-#endif /* SSL_OP_NO_TLSv1_1 */
-#ifdef SSL_OP_NO_TLSv1_2
+#endif /* HAVE_TLSV11 */
+#ifdef HAVE_TLSV12
(opts->sslmethod == TLSv1_2_method) ? "tls12" :
-#endif /* SSL_OP_NO_TLSv1_2 */
+#endif /* HAVE_TLSV12 */
"negotiate",
-#if defined(SSL_OP_NO_SSLv2) && defined(WITH_SSLV2)
+#ifdef HAVE_SSLV2
opts->no_ssl2 ? " -ssl2" :
-#endif /* SSL_OP_NO_SSLv2 && WITH_SSLV2 */
+#endif /* HAVE_SSLV2 */
"",
-#ifdef SSL_OP_NO_SSLv3
+#ifdef HAVE_SSLV3
opts->no_ssl3 ? " -ssl3" :
-#endif /* SSL_OP_NO_SSLv3 */
+#endif /* HAVE_SSLV3 */
"",
-#ifdef SSL_OP_NO_TLSv1
+#ifdef HAVE_TLSV10
opts->no_tls10 ? " -tls10" :
-#endif /* SSL_OP_NO_TLSv1 */
+#endif /* HAVE_TLSV10 */
"",
-#ifdef SSL_OP_NO_TLSv1_1
+#ifdef HAVE_TLSV11
opts->no_tls11 ? " -tls11" :
-#endif /* SSL_OP_NO_TLSv1_1 */
+#endif /* HAVE_TLSV11 */
"",
-#ifdef SSL_OP_NO_TLSv1_2
+#ifdef HAVE_TLSV12
opts->no_tls12 ? " -tls12" :
-#endif /* SSL_OP_NO_TLSv1_2 */
+#endif /* HAVE_TLSV12 */
"");
}
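Review bot: The forced-SSLv2 label in opts_proto_dbg_dump is wrong: `(opts->sslmethod == SSLv2_method) ? "nossl2" :` prints "nossl2" when SSLv2 is the forced method, while every sibling branch prints the bare protocol name, so it should read `(opts->sslmethod == SSLv2_method) ? "ssl2" :`. The commit only swaps the guard on that line, so the mislabel survives into the new code and makes the debug dump misleading. The HAVE_* macros these hunks now depend on are defined in ssl.h, whose section is not rendered on this page, so whether HAVE_SSLV2 still implies WITH_SSLV2 the way the old `defined(SSL_OP_NO_SSLv2) && defined(WITH_SSLV2)` did cannot be confirmed here. A one-line comment above the first `#ifdef HAVE_SSLV2` in opts_proto_force, `/* HAVE_* protocol macros are derived from the OpenSSL headers in ssl.h */`, would save the next reader the lookup. opts_proto_force's body begins before its hunk.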
20 opts.h
@@ -57,21 +57,21 @@ typedef struct opts {
unsigned int debug : 1;
unsigned int detach : 1;
unsigned int sslcomp : 1;
-#if defined(SSL_OP_NO_SSLv2) && defined(WITH_SSLV2)
+#ifdef HAVE_SSLV2
unsigned int no_ssl2 : 1;
-#endif /* SSL_OP_NO_SSLv2 && WITH_SSLV2 */
-#ifdef SSL_OP_NO_SSLv3
+#endif /* HAVE_SSLV2 */
+#ifdef HAVE_SSLV3
unsigned int no_ssl3 : 1;
-#endif /* SSL_OP_NO_SSLv3 */
-#ifdef SSL_OP_NO_TLSv1
+#endif /* HAVE_SSLV3 */
+#ifdef HAVE_TLSV10
unsigned int no_tls10 : 1;
-#endif /* SSL_OP_NO_TLSv1 */
-#ifdef SSL_OP_NO_TLSv1_1
+#endif /* HAVE_TLSV10 */
+#ifdef HAVE_TLSV11
unsigned int no_tls11 : 1;
-#endif /* SSL_OP_NO_TLSv1_1 */
-#ifdef SSL_OP_NO_TLSv1_2
+#endif /* HAVE_TLSV11 */
+#ifdef HAVE_TLSV12
unsigned int no_tls12 : 1;
-#endif /* SSL_OP_NO_TLSv1_2 */
+#endif /* HAVE_TLSV12 */
unsigned int passthrough : 1;
unsigned int deny_ocsp : 1;
unsigned int contentlog_isdir : 1;
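Review bot: The layout of opts_t now depends on the HAVE_SSLV2 through HAVE_TLSV12 macros instead of OpenSSL's own SSL_OP_NO_* macros, so opts.h must see the header that defines them (ssl.h, per the commit message) before this struct; if it only reaches them transitively through whoever includes it, a translation unit that includes opts.h without ssl.h gets a differently laid-out opts_t with no diagnostic. Whether opts.h includes ssl.h itself is outside this hunk, so this is a check to make rather than a confirmed defect. A comment at the first guard, `/* HAVE_* protocol macros come from ssl.h; it must be included above */`, would document the dependency for the next maintainer. The typedef begins before the hunk.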
122 pxyconn.c
@@ -543,11 +543,11 @@ pxy_log_connect_http(pxy_conn_ctx_t *ctx)
* the refcount decrementing. In other words, return 0 if we did not
* keep a pointer to the object (which we never do here).
*/
-#ifdef WITH_SSLV2
+#ifdef HAVE_SSLV2
#define MAYBE_UNUSED
-#else /* !WITH_SSLV2 */
+#else /* !HAVE_SSLV2 */
#define MAYBE_UNUSED UNUSED
-#endif /* !WITH_SSLV2 */
+#endif /* !HAVE_SSLV2 */
static int
pxy_ossl_sessnew_cb(MAYBE_UNUSED SSL *ssl, SSL_SESSION *sess)
#undef MAYBE_UNUSED
@@ -560,15 +560,15 @@ pxy_ossl_sessnew_cb(MAYBE_UNUSED SSL *ssl, SSL_SESSION *sess)
log_dbg_printf("(null)\n");
}
#endif /* DEBUG_SESSION_CACHE */
-#ifdef WITH_SSLV2
+#ifdef HAVE_SSLV2
/* Session resumption seems to fail for SSLv2 with protocol
* parsing errors, so we disable caching for SSLv2. */
if (SSL_version(ssl) == SSL2_VERSION) {
log_err_printf("Warning: Session resumption denied to SSLv2"
"client.\n");
return 0;
}
-#endif /* WITH_SSLV2 */
+#endif /* HAVE_SSLV2 */
if (sess) {
cachemgr_ssess_set(sess);
}
@@ -622,16 +622,11 @@ pxy_ossl_sessget_cb(UNUSED SSL *ssl, unsigned char *id, int idlen, int *copy)
}
/*
- * Create and set up a new SSL_CTX instance for terminating SSL.
- * Set up all the necessary callbacks, the certificate, the cert chain and key.
+ * Set SSL_CTX options that are the same for incoming and outgoing SSL_CTX.
*/
-static SSL_CTX *
-pxy_srcsslctx_create(pxy_conn_ctx_t *ctx, X509 *crt, STACK_OF(X509) *chain,
- EVP_PKEY *key)
+static void
+pxy_sslctx_setoptions(SSL_CTX *sslctx, pxy_conn_ctx_t *ctx)
{
- SSL_CTX *sslctx = SSL_CTX_new(ctx->opts->sslmethod());
- if (!sslctx)
- return NULL;
SSL_CTX_set_options(sslctx, SSL_OP_ALL);
#ifdef SSL_OP_TLS_ROLLBACK_BUG
SSL_CTX_set_options(sslctx, SSL_OP_TLS_ROLLBACK_BUG);
@@ -645,16 +640,11 @@ pxy_srcsslctx_create(pxy_conn_ctx_t *ctx, X509 *crt, STACK_OF(X509) *chain,
#ifdef SSL_OP_NO_TICKET
SSL_CTX_set_options(sslctx, SSL_OP_NO_TICKET);
#endif /* SSL_OP_NO_TICKET */
-#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
- SSL_CTX_set_options(sslctx,
- SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
-#endif /* SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION */
-#ifdef SSL_OP_NO_COMPRESSION
- if (!ctx->opts->sslcomp) {
- SSL_CTX_set_options(sslctx, SSL_OP_NO_COMPRESSION);
- }
-#endif /* SSL_OP_NO_COMPRESSION */
+ /*
+ * Do not use HAVE_SSLV2 because we need to set SSL_OP_NO_SSLv2 if it
+ * is available and WITH_SSLV2 was not used.
+ */
#ifdef SSL_OP_NO_SSLv2
#ifdef WITH_SSLV2
if (ctx->opts->no_ssl2) {
@@ -664,28 +654,50 @@ pxy_srcsslctx_create(pxy_conn_ctx_t *ctx, X509 *crt, STACK_OF(X509) *chain,
}
#endif /* WITH_SSLV2 */
#endif /* !SSL_OP_NO_SSLv2 */
-#ifdef SSL_OP_NO_SSLv3
+#ifdef HAVE_SSLV3
if (ctx->opts->no_ssl3) {
SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv3);
}
-#endif /* SSL_OP_NO_SSLv3 */
-#ifdef SSL_OP_NO_TLSv1
+#endif /* HAVE_SSLV3 */
+#ifdef HAVE_TLSV10
if (ctx->opts->no_tls10) {
SSL_CTX_set_options(sslctx, SSL_OP_NO_TLSv1);
}
-#endif /* SSL_OP_NO_TLSv1 */
-#ifdef SSL_OP_NO_TLSv1_1
+#endif /* HAVE_TLSV10 */
+#ifdef HAVE_TLSV11
if (ctx->opts->no_tls11) {
SSL_CTX_set_options(sslctx, SSL_OP_NO_TLSv1_1);
}
-#endif /* SSL_OP_NO_TLSv1_1 */
-#ifdef SSL_OP_NO_TLSv1_2
+#endif /* HAVE_TLSV11 */
+#ifdef HAVE_TLSV12
if (ctx->opts->no_tls12) {
SSL_CTX_set_options(sslctx, SSL_OP_NO_TLSv1_2);
}
-#endif /* SSL_OP_NO_TLSv1_2 */
+#endif /* HAVE_TLSV12 */
+
+#ifdef SSL_OP_NO_COMPRESSION
+ if (!ctx->opts->sslcomp) {
+ SSL_CTX_set_options(sslctx, SSL_OP_NO_COMPRESSION);
+ }
+#endif /* SSL_OP_NO_COMPRESSION */
SSL_CTX_set_cipher_list(sslctx, ctx->opts->ciphers);
+}
+
+/*
+ * Create and set up a new SSL_CTX instance for terminating SSL.
+ * Set up all the necessary callbacks, the certificate, the cert chain and key.
+ */
+static SSL_CTX *
+pxy_srcsslctx_create(pxy_conn_ctx_t *ctx, X509 *crt, STACK_OF(X509) *chain,
+ EVP_PKEY *key)
+{
+ SSL_CTX *sslctx = SSL_CTX_new(ctx->opts->sslmethod());
+ if (!sslctx)
+ return NULL;
+
+ pxy_sslctx_setoptions(sslctx, ctx);
+
SSL_CTX_sess_set_new_cb(sslctx, pxy_ossl_sessnew_cb);
SSL_CTX_sess_set_remove_cb(sslctx, pxy_ossl_sessremove_cb);
SSL_CTX_sess_set_get_cb(sslctx, pxy_ossl_sessget_cb);
@@ -1058,56 +1070,8 @@ pxy_dstssl_create(pxy_conn_ctx_t *ctx)
return NULL;
}
- SSL_CTX_set_options(sslctx, SSL_OP_ALL);
-#ifdef SSL_OP_TLS_ROLLBACK_BUG
- SSL_CTX_set_options(sslctx, SSL_OP_TLS_ROLLBACK_BUG);
-#endif /* SSL_OP_TLS_ROLLBACK_BUG */
-#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
- SSL_CTX_set_options(sslctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
-#endif /* SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION */
-#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
- SSL_CTX_set_options(sslctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
-#endif /* SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS */
-#ifdef SSL_OP_NO_TICKET
- SSL_CTX_set_options(sslctx, SSL_OP_NO_TICKET);
-#endif /* SSL_OP_NO_TICKET */
-#ifdef SSL_OP_NO_COMPRESSION
- if (!ctx->opts->sslcomp) {
- SSL_CTX_set_options(sslctx, SSL_OP_NO_COMPRESSION);
- }
-#endif /* SSL_OP_NO_COMPRESSION */
-
-#ifdef SSL_OP_NO_SSLv2
-#ifdef WITH_SSLV2
- if (ctx->opts->no_ssl2) {
-#endif /* WITH_SSLV2 */
- SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv2);
-#ifdef WITH_SSLV2
- }
-#endif /* WITH_SSLV2 */
-#endif /* !SSL_OP_NO_SSLv2 */
-#ifdef SSL_OP_NO_SSLv3
- if (ctx->opts->no_ssl3) {
- SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv3);
- }
-#endif /* SSL_OP_NO_SSLv3 */
-#ifdef SSL_OP_NO_TLSv1
- if (ctx->opts->no_tls10) {
- SSL_CTX_set_options(sslctx, SSL_OP_NO_TLSv1);
- }
-#endif /* SSL_OP_NO_TLSv1 */
-#ifdef SSL_OP_NO_TLSv1_1
- if (ctx->opts->no_tls11) {
- SSL_CTX_set_options(sslctx, SSL_OP_NO_TLSv1_1);
- }
-#endif /* SSL_OP_NO_TLSv1_1 */
-#ifdef SSL_OP_NO_TLSv1_2
- if (ctx->opts->no_tls12) {
- SSL_CTX_set_options(sslctx, SSL_OP_NO_TLSv1_2);
- }
-#endif /* SSL_OP_NO_TLSv1_2 */
+ pxy_sslctx_setoptions(sslctx, ctx);
- SSL_CTX_set_cipher_list(sslctx, ctx->opts->ciphers);
SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, NULL);
ssl = SSL_new(sslctx);
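Review bot: In pxy_sslctx_setoptions the SSLv2 block still guards `if (ctx->opts->no_ssl2) {` with `#ifdef WITH_SSLV2`, but opts.h now declares `no_ssl2` only under `HAVE_SSLV2`; if HAVE_SSLV2 is narrower than WITH_SSLV2 (for example WITH_SSLV2 set against an OpenSSL that defines SSL_OP_NO_SSLv2 but was built without SSLv2), this references a field that does not exist and the build fails. The outer `#ifdef SSL_OP_NO_SSLv2` is right for the reason the new comment gives, but the inner guard and its matching `#endif`s, which fall in the gap between the two hunks, should be `#ifdef HAVE_SSLV2`; the exact definition of HAVE_SSLV2 lives in ssl.h, which is not rendered on this page, so confirm against it. Two smaller points in the same file: the SSLv2 warning in pxy_ossl_sessnew_cb concatenates `"...denied to SSLv2" "client.\n"` without a space, and the shared helper now silently ignores a failed `SSL_CTX_set_cipher_list(sslctx, ctx->opts->ciphers);` for both the incoming and outgoing contexts. Returning its result (`return SSL_CTX_set_cipher_list(sslctx, ctx->opts->ciphers) == 1 ? 0 : -1;`) would let both callers reject a cipher string that matches nothing instead of continuing with the unchanged list. pxy_sslctx_setoptions spans two hunks and pxy_dstssl_create begins before its hunk.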
