[evolution-data-server/gnome-3-8] [Camel] Disable SSL v2 and weak ciphers by default
- From: Milan Crha <mcrha src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [evolution-data-server/gnome-3-8] [Camel] Disable SSL v2 and weak ciphers by default
- Date: Thu, 8 Aug 2013 12:48:36 +0000 (UTC)
commit 76b6e96b76c1616987c5da8dabc7fd1dd3dac394
Author: Milan Crha <mcrha redhat com>
Date: Thu Aug 8 14:36:10 2013 +0200
[Camel] Disable SSL v2 and weak ciphers by default
The change for disabled weak ciphers require at least NSS 3.14, thus
weak ciphers are enabled, if it's compiled with older NSS. In case
any server will require either weak ciphers or SSL v2 (while there
really should not anyone use it these days), then two environment
variables were added:
CAMEL_SSL_V2_ENABLE=1 - to have SSL v2 enabled, otherwise it's disabled,
regardless what camel providers request (they usually request v2 and
v3 together)
CAMEL_SSL_WEAK_CIPHERS=1 - to enable weak ciphers, almost the same as
before; otherwise these are disabled and only those covered by
NSS_SetDomesticPolicy() are enabled
These are added to the group of one for SSL V2 compatible hello:
CAMEL_SSL_V2_HELLO=1 - to force SSL v2 compatible hello on SSL connections
camel/camel-tcp-stream-ssl.c | 7 ++++++-
camel/camel.c | 35 +++++++++++++++++++++++++++--------
2 files changed, 33 insertions(+), 9 deletions(-)
---
diff --git a/camel/camel-tcp-stream-ssl.c b/camel/camel-tcp-stream-ssl.c
index 9e58400..97f053c 100644
--- a/camel/camel-tcp-stream-ssl.c
+++ b/camel/camel-tcp-stream-ssl.c
@@ -544,6 +544,7 @@ enable_ssl (CamelTcpStreamSSL *ssl,
PRFileDesc *fd)
{
PRFileDesc *ssl_fd;
+ static gchar v2_enabled = -1;
g_assert (fd != NULL);
@@ -553,7 +554,11 @@ enable_ssl (CamelTcpStreamSSL *ssl,
SSL_OptionSet (ssl_fd, SSL_SECURITY, PR_TRUE);
- if (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_SSL2) {
+ /* check camel.c for the same "CAMEL_SSL_V2_ENABLE" */
+ if (v2_enabled == -1)
+ v2_enabled = g_strcmp0 (g_getenv ("CAMEL_SSL_V2_ENABLE"), "1") == 0 ? 1 : 0;
+
+ if (v2_enabled && (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_SSL2) != 0) {
static gchar v2_hello = -1;
/* Zarafa server with disabled SSL v2 rejects connection when
diff --git a/camel/camel.c b/camel/camel.c
index 49f2d60..fc73fe5 100644
--- a/camel/camel.c
+++ b/camel/camel.c
@@ -31,6 +31,7 @@
#include <prthread.h>
#include "nss.h" /* Don't use <> here or it will include the system nss.h instead */
#include <ssl.h>
+#include <sslproto.h>
#include <errno.h>
#include <glib/gi18n-lib.h>
@@ -95,10 +96,22 @@ camel_init (const gchar *configdir,
camel_debug_init ();
if (nss_init) {
+ static gchar v2_enabled = -1, weak_ciphers = -1;
gchar *nss_configdir = NULL;
gchar *nss_sql_configdir = NULL;
SECStatus status = SECFailure;
- PRUint16 indx;
+
+#if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && NSS_VMINOR < 14)
+ /* NSS pre-3.14 has most of the ciphers disabled, thus enable
+ * weak ciphers, if it's compiled against such */
+ weak_ciphers = 1;
+#endif
+
+ /* check camel-tcp-stream-ssl.c for the same "CAMEL_SSL_V2_ENABLE" */
+ if (v2_enabled == -1)
+ v2_enabled = g_strcmp0 (g_getenv ("CAMEL_SSL_V2_ENABLE"), "1") == 0 ? 1 : 0;
+ if (weak_ciphers == -1)
+ weak_ciphers = g_strcmp0 (g_getenv ("CAMEL_SSL_WEAK_CIPHERS"), "1") == 0 ? 1 : 0;
if (nss_initlock == NULL) {
PR_Init (PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 10);
@@ -185,18 +198,24 @@ skip_nss_init:
NSS_SetDomesticPolicy ();
- PR_Unlock (nss_initlock);
+ if (weak_ciphers) {
+ PRUint16 indx;
- /* we must enable all ciphersuites */
- for (indx = 0; indx < SSL_NumImplementedCiphers; indx++) {
- if (!SSL_IS_SSL2_CIPHER (SSL_ImplementedCiphers[indx]))
- SSL_CipherPrefSetDefault (SSL_ImplementedCiphers[indx], PR_TRUE);
+ /* enable SSL3/TLS cipher-suites */
+ for (indx = 0; indx < SSL_NumImplementedCiphers; indx++) {
+ if (!SSL_IS_SSL2_CIPHER (SSL_ImplementedCiphers[indx]) &&
+ SSL_ImplementedCiphers[indx] != SSL_RSA_WITH_NULL_SHA &&
+ SSL_ImplementedCiphers[indx] != SSL_RSA_WITH_NULL_MD5)
+ SSL_CipherPrefSetDefault (SSL_ImplementedCiphers[indx], PR_TRUE);
+ }
}
- SSL_OptionSetDefault (SSL_ENABLE_SSL2, PR_TRUE);
+ SSL_OptionSetDefault (SSL_ENABLE_SSL2, v2_enabled ? PR_TRUE : PR_FALSE);
+ SSL_OptionSetDefault (SSL_V2_COMPATIBLE_HELLO, PR_FALSE);
SSL_OptionSetDefault (SSL_ENABLE_SSL3, PR_TRUE);
SSL_OptionSetDefault (SSL_ENABLE_TLS, PR_TRUE);
- SSL_OptionSetDefault (SSL_V2_COMPATIBLE_HELLO, PR_TRUE /* maybe? */);
+
+ PR_Unlock (nss_initlock);
g_free (nss_configdir);
g_free (nss_sql_configdir);
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]