mir/ovs
2
0
Fork 0
mirror of https://github.com/openvswitch/ovs synced 2025-08-31 14:25:26 +00:00
Code Issues Releases Wiki Activity

stream-ssl: Don't enable new TLS versions by default

Browse Source 
Currently protocol_flags is populated by the list of SSL and TLS
protocols by hand. This means that when a new TLS version is added to
openssl (in this case TLS v1.3 is added to openssl 1.1.1 beta)
ovsdb-server automatically enable support to it with the default ciphers.
This can be a security problem (since other ciphers can be enabled) and it
also makes a test (SSL db: implementation) to fail.

This commit changes the 'protocol_flags' to use the list of all protocol
flags as provided by openssl library (SSL_OP_NO_SSL_MASK) so there is no
need to keep the list updated by hand.

Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
This commit is contained in:
Timothy Redaelli
2018-07-27 16:29:40 +02:00
committed by Ben Pfaff
parent 49c5ee21ea
commit ab16d2c287
1 changed files with 1 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
lib/stream-ssl.c
View File

@@ -1188,8 +1188,7 @@ stream_ssl_set_protocols(const char *arg)
} }
/* Start with all the flags off and turn them on as requested. */ /* Start with all the flags off and turn them on as requested. */
long protocol_flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1; long protocol_flags = SSL_OP_NO_SSL_MASK;
protocol_flags |= SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
char *s = xstrdup(arg); char *s = xstrdup(arg);
char *save_ptr = NULL; char *save_ptr = NULL;