observer: forbid SSLv2, SSLv3, TLSv1, TLSv1_1 and only support TLSv1_2 and TLSv1_3

This commit is contained in:
496148326@qq.com 2023-06-14 03:12:36 +00:00 committed by ob-robot
parent 85bca4f17b
commit 4c8bf212ae
3 changed files with 18 additions and 13 deletions


@ -136,7 +136,9 @@ const char baba_tls_ciphers_list[]= "!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!DES:!RC2:!
"DH-DSS-AES256-SHA:ECDH-ECDSA-AES256-SHA:DH-RSA-AES128-SHA:"
"ECDH-RSA-AES128-SHA:DH-RSA-AES256-SHA:ECDH-RSA-AES256-SHA:DES-CBC3-SHA";
const uint64_t tls_protocols = (SSL_OP_NO_SSLv2
| SSL_OP_NO_SSLv3);
| SSL_OP_NO_SSLv3
| SSL_OP_NO_TLSv1
| SSL_OP_NO_TLSv1_1);
static unsigned long id_function(void)
{
@ -1483,9 +1485,7 @@ static int easy_ssl_ctx_create(easy_ssl_ctx_t *ssl)
/* server side options */
SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
#endif
/* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
@ -1521,9 +1521,7 @@ static int easy_ssl_ctx_create_for_mysql(easy_ssl_ctx_t *ssl, int is_babassl)
/* server side options */
SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
#endif
/* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
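Review bot: Neither hunk in easy_ssl_ctx_create nor easy_ssl_ctx_create_for_mysql shows a `SSL_CTX_set_options(ssl->ctx, tls_protocols);` call, so it cannot be confirmed from this diff that the tightened `tls_protocols` (now also NO_TLSv1 and NO_TLSv1_1) is actually applied to these two contexts; if it is applied further down in either function (both bodies continue outside the hunk) this is fine, otherwise the commit only drops the TLS 1.3 block here and leaves TLS 1.0/1.1 enabled for libeasy. The same applies to the other two files, where the `SSL_CTX_set_options(ctx, tls_protocols);` line is at least visible. On OpenSSL 1.1.0 and later a version floor is clearer and future-proof than a NO_* deny-list, e.g. `SSL_CTX_set_min_proto_version(ssl->ctx, TLS1_2_VERSION);` guarded by `#if OPENSSL_VERSION_NUMBER >= 0x10100000L`, since a newly introduced protocol version is then excluded by default rather than silently allowed. The first hunk's `const uint64_t tls_protocols` is a file-scope non-static definition (external linkage) while the other two files use `static const uint64_t`; making it `static const` avoids a possible duplicate-symbol clash and matches the siblings.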


@ -104,6 +104,11 @@ const char baba_tls_ciphers_list[]= "!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!DES:!RC2:!
"ECDH-RSA-AES128-SHA:DH-RSA-AES256-SHA:ECDH-RSA-AES256-SHA:DES-CBC3-SHA";
static const uint64_t tls_protocols = (SSL_OP_NO_SSLv2
| SSL_OP_NO_SSLv3
| SSL_OP_NO_TLSv1
| SSL_OP_NO_TLSv1_1);
static X509* ob_ssl_get_sm_cert_memory(const char *cert)
{
BIO *bio = NULL;
@ -335,9 +340,9 @@ static SSL_CTX* ob_ssl_create_ssl_ctx(const ObSSLConfig& ssl_config)
/* server side options */
SSL_CTX_set_options(ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
SSL_CTX_set_options(ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3);
#endif
SSL_CTX_set_options(ctx, tls_protocols);
/* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
SSL_CTX_set_options(ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
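Review bot: The comment `/* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */` directly below the new `SSL_CTX_set_options(ctx, tls_protocols);` line in ob_ssl_create_ssl_ctx is now misleading, because SSLv2 is forbidden by `tls_protocols` a line earlier and a reader will assume the rollback is still reachable. The three surrounding flags (SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER, SSL_OP_MSIE_SSLV2_RSA_PADDING) are SSLv2/SSLv3-era interoperability workarounds; to the best of my knowledge OpenSSL 1.1.0 and later define them as zero no-ops, and with SSLv2/SSLv3 disabled they have no effect on older versions either, so they could be removed or at least annotated: `/* legacy SSLv2/SSLv3 workarounds; inert now that tls_protocols disables those versions */`. The same stale comment and flag block appears in the other two files of this commit. ob_ssl_create_ssl_ctx continues outside the hunk.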


@ -101,6 +101,10 @@ static const char baba_tls_ciphers_list[] =
"ECDH-RSA-AES128-SHA:DH-RSA-AES256-SHA:ECDH-RSA-AES256-SHA:DES-CBC3-SHA";
static const uint64_t tls_protocols = (SSL_OP_NO_SSLv2
| SSL_OP_NO_SSLv3
| SSL_OP_NO_TLSv1
| SSL_OP_NO_TLSv1_1);
struct fd_ssl_st
{
SSL *ssl;
@ -331,9 +335,7 @@ static SSL_CTX *ob_ssl_create_ssl_ctx(const ssl_config_item_t *ssl_config)
/* server side options */
SSL_CTX_set_options(ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
SSL_CTX_set_options(ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3);
#endif
SSL_CTX_set_options(ctx, tls_protocols);
/* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
SSL_CTX_set_options(ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
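Review bot: Removing the `SSL_OP_NO_TLSv1_3` block in ob_ssl_create_ssl_ctx enables TLS 1.3, but `baba_tls_ciphers_list` (a TLS 1.2-style cipher string, visible as context in the first hunk) does not govern TLS 1.3 at all; on OpenSSL 1.1.1+ the TLS 1.3 suites are selected by `SSL_CTX_set_ciphersuites()` and otherwise fall back to the library defaults, so the commit should either state that the defaults are acceptable or set them explicitly under the same `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` guard that was just deleted. The resulting protocol set also depends on the linked library, which is worth a comment next to `tls_protocols` in the first hunk: `/* Allows TLS 1.2, plus TLS 1.3 when built against OpenSSL >= 1.1.1. */`. The same consideration applies to the other two files in this commit; ob_ssl_create_ssl_ctx continues outside the hunk.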