From 5efde7440c26f2f3232c2614716f84b98d8df07b Mon Sep 17 00:00:00 2001 From: Vitezslav Crhonek Date: Jan 09 2017 15:31:54 +0000 Subject: Disable SSL protocols listed in config file --- diff --git a/openwsman-2.6.2-openssl-1.1-fix.patch b/openwsman-2.6.2-openssl-1.1-fix.patch index 59c1dc2..f0fa3c1 100644 --- a/openwsman-2.6.2-openssl-1.1-fix.patch +++ b/openwsman-2.6.2-openssl-1.1-fix.patch @@ -1,6 +1,6 @@ diff -up openwsman-2.6.2/src/lib/wsman-curl-client-transport.c.orig openwsman-2.6.2/src/lib/wsman-curl-client-transport.c --- openwsman-2.6.2/src/lib/wsman-curl-client-transport.c.orig 2015-10-19 15:27:46.000000000 +0200 -+++ openwsman-2.6.2/src/lib/wsman-curl-client-transport.c 2017-01-02 15:18:43.444990500 +0100 ++++ openwsman-2.6.2/src/lib/wsman-curl-client-transport.c 2017-01-09 15:12:40.823514921 +0100 @@ -239,12 +239,16 @@ write_handler( void *ptr, size_t size, s static int ssl_certificate_thumbprint_verify_callback(X509_STORE_CTX *ctx, void *arg) { @@ -21,16 +21,8 @@ diff -up openwsman-2.6.2/src/lib/wsman-curl-client-transport.c.orig openwsman-2. if(!memcmp(tempFingerprint, thumbprint, tempFingerprintLen)) diff -up openwsman-2.6.2/src/server/shttpd/config.c.orig openwsman-2.6.2/src/server/shttpd/config.c --- openwsman-2.6.2/src/server/shttpd/config.c.orig 2015-10-19 15:27:46.000000000 +0200 -+++ openwsman-2.6.2/src/server/shttpd/config.c 2017-01-03 14:21:57.925415734 +0100 -@@ -85,32 +85,24 @@ static void - set_ssl(struct shttpd_ctx *ctx, void *arg, const char *pem) - { - SSL_CTX *CTX; -+ SSL_CONF_CTX *CCTX; - void *lib; - struct ssl_func *fp; - char *ssl_disabled_protocols = wsmand_options_get_ssl_disabled_protocols(); -+ int ret; ++++ openwsman-2.6.2/src/server/shttpd/config.c 2017-01-09 15:13:03.561467272 +0100 +@@ -91,26 +91,16 @@ set_ssl(struct shttpd_ctx *ctx, void *ar arg = NULL; /* Unused */ @@ -62,72 +54,18 @@ diff -up openwsman-2.6.2/src/server/shttpd/config.c.orig openwsman-2.6.2/src/ser ssl_library_initialized = 1; } if ((CTX = SSL_CTX_new(SSLv23_server_method())) == NULL) { -@@ -126,17 +118,26 @@ set_ssl(struct shttpd_ctx *ctx, void *ar - SSL_CTX_free(CTX); - CTX = NULL; - } -+ if ((CCTX = SSL_CONF_CTX_new()) == NULL) { -+ elog(E_FATAL, NULL, "SSL_CONF_CTX_new error"); -+ debug("SSL_CONF_CTX_new error"); -+ } -+ else { -+ SSL_CONF_CTX_set_ssl_ctx(CCTX, CTX); -+ } -+ -+/* - while (ssl_disabled_protocols) { - struct ctx_opts_t { - char *name; -- long opt; -+ char *opt; - } protocols[] = { -- { "SSLv2", SSL_OP_NO_SSLv2 }, -- { "SSLv3", SSL_OP_NO_SSLv3 }, -- { "TLSv1", SSL_OP_NO_TLSv1 }, -+ { "SSLv2", "SSLv2" }, -+ { "SSLv3", "SSLv3" }, -+ { "TLSv1", "TLSv1" }, - # if OPENSSL_VERSION_NUMBER >= 0x10001000L -- { "TLSv1_1", SSL_OP_NO_TLSv1_1 }, -- { "TLSv1_2", SSL_OP_NO_TLSv1_2 }, -+ { "TLSv1_1", "TLSv1.1" }, -+ { "TLSv1_2", "TLSv1.2" }, - # endif - { NULL, 0 } - }; -@@ -150,7 +151,17 @@ set_ssl(struct shttpd_ctx *ctx, void *ar +@@ -150,7 +140,7 @@ set_ssl(struct shttpd_ctx *ctx, void *ar for (idx = 0; protocols[idx].name ; ++idx) { if (strncasecmp(protocols[idx].name, ssl_disabled_protocols, blank_ptr-ssl_disabled_protocols) == 0) { debug("SSL: disable %s protocol", protocols[idx].name); - SSL_CTX_ctrl(CTX, SSL_CTRL_OPTIONS, protocols[idx].opt, NULL); -+ debug("SSL: set '%s' as minimum protocol version - opt value", protocols[idx].opt); -+ ret = SSL_CONF_cmd(CTX, "MinProtocol", protocols[idx].opt); -+ if (ret > 2) { -+ debug("SSL: SSL_CONF_cmd OK"); -+ } -+ if (ret == -2) { -+ debug("SSL: SSL_CONF_cmd ret == -2"); -+ } -+ if (ret != -2) { -+ debug("Error processing SSL_CONF_cmd()"); -+ } ++ SSL_CTX_set_options(CTX, protocols[idx].opt); break; } } -@@ -158,6 +169,10 @@ set_ssl(struct shttpd_ctx *ctx, void *ar - break; - ssl_disabled_protocols = blank_ptr + 1; - } -+*/ -+ if (!SSL_CONF_CTX_finish(CCTX)) { -+ elog(E_FATAL, NULL, "SSL_CONF_CTX_finish error"); -+ } - - ctx->ssl_ctx = CTX; - } diff -up openwsman-2.6.2/src/server/shttpd/io_ssl.c.orig openwsman-2.6.2/src/server/shttpd/io_ssl.c --- openwsman-2.6.2/src/server/shttpd/io_ssl.c.orig 2015-10-19 15:27:46.000000000 +0200 -+++ openwsman-2.6.2/src/server/shttpd/io_ssl.c 2017-01-03 13:43:13.926524433 +0100 ++++ openwsman-2.6.2/src/server/shttpd/io_ssl.c 2017-01-09 15:12:40.824514919 +0100 @@ -11,26 +11,6 @@ #include "shttpd_defs.h" @@ -157,7 +95,7 @@ diff -up openwsman-2.6.2/src/server/shttpd/io_ssl.c.orig openwsman-2.6.2/src/ser ssl_handshake(struct stream *stream) diff -up openwsman-2.6.2/src/server/shttpd/ssl.h.orig openwsman-2.6.2/src/server/shttpd/ssl.h --- openwsman-2.6.2/src/server/shttpd/ssl.h.orig 2015-10-19 15:27:46.000000000 +0200 -+++ openwsman-2.6.2/src/server/shttpd/ssl.h 2017-01-02 15:18:43.445990500 +0100 ++++ openwsman-2.6.2/src/server/shttpd/ssl.h 2017-01-09 15:12:40.824514919 +0100 @@ -12,56 +12,4 @@ # include diff --git a/openwsman.spec b/openwsman.spec index 8a1ac98..f490d72 100644 --- a/openwsman.spec +++ b/openwsman.spec @@ -9,7 +9,7 @@ BuildRequires: perl-devel perl-generators pkgconfig openssl-devel BuildRequires: cmake BuildRequires: systemd-units Version: 2.6.2 -Release: 9%{?dist} +Release: 10%{?dist} Url: http://www.openwsman.org/ License: BSD Group: Applications/System @@ -359,6 +359,9 @@ rm -f /var/log/wsmand.log %changelog +* Mon Jan 09 2017 Vitezslav Crhonek - 2.6.2-10 +- Disable SSL protocols listed in config file + * Tue Jan 03 2017 Vitezslav Crhonek - 2.6.2-9 - Port to openssl 1.1.0 Resolves: #1383992