diff --git a/deps/easy/src/io/easy_ssl.c b/deps/easy/src/io/easy_ssl.c
index 70bce0b8e..cdb6ca7a5 100644
--- a/deps/easy/src/io/easy_ssl.c
+++ b/deps/easy/src/io/easy_ssl.c
@@ -136,7 +136,9 @@ const char baba_tls_ciphers_list[]= "!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!DES:!RC2:!
 "DH-DSS-AES256-SHA:ECDH-ECDSA-AES256-SHA:DH-RSA-AES128-SHA:"
 "ECDH-RSA-AES128-SHA:DH-RSA-AES256-SHA:ECDH-RSA-AES256-SHA:DES-CBC3-SHA";
 const uint64_t tls_protocols = (SSL_OP_NO_SSLv2
- | SSL_OP_NO_SSLv3);
+ | SSL_OP_NO_SSLv3
+ | SSL_OP_NO_TLSv1
+ | SSL_OP_NO_TLSv1_1);
 static unsigned long id_function(void)
 {
@@ -1483,9 +1485,7 @@ static int easy_ssl_ctx_create(easy_ssl_ctx_t *ssl)
 /* server side options */
 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
-#endif
+
 /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
 SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
@@ -1521,9 +1521,7 @@ static int easy_ssl_ctx_create_for_mysql(easy_ssl_ctx_t *ssl, int is_babassl)
 /* server side options */
 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
-#endif
+
 /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
 SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
diff --git a/deps/oblib/src/lib/ssl/ob_ssl_config.cpp b/deps/oblib/src/lib/ssl/ob_ssl_config.cpp
index b008a41f6..887a7eed0 100644
--- a/deps/oblib/src/lib/ssl/ob_ssl_config.cpp
+++ b/deps/oblib/src/lib/ssl/ob_ssl_config.cpp
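Review bot: The widened `tls_protocols` mask is now defined in three places (here, ob_ssl_config.cpp and ssl_config.c) and this copy is the only one without `static`, so it carries external linkage for no visible reason; a one-line comment stating the policy would keep the copies from drifting, e.g. `/* Protocol floor for every SSL_CTX built here: TLS 1.2 and newer only. Keep in sync with ob_ssl_config.cpp and ssl_config.c. */`. Since the constant predates this change I assume it is applied to a context somewhere outside the hunk; that call site is not visible here.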
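Review bot: Dropping `SSL_OP_NO_TLSv1_3` in `easy_ssl_ctx_create` (and in `easy_ssl_ctx_create_for_mysql` in the next hunk) lets TLS 1.3 be negotiated, but unlike the ob_ssl_config.cpp and ssl_config.c hunks no `SSL_CTX_set_options(ssl->ctx, tls_protocols);` is added here, so the new TLS 1.0/1.1 exclusions only take effect if `tls_protocols` is applied to this ctx somewhere outside the hunk — worth confirming, since the function body starts and ends outside it. Separately, `baba_tls_ciphers_list` (presumably installed with `SSL_CTX_set_cipher_list`) does not govern TLS 1.3 suites at all; those come from `SSL_CTX_set_ciphersuites()` and default to AEAD suites, which is acceptable, but a comment where the removed block stood would record that the 1.3 suite selection is intentionally left at the library default. The same note applies to the `ob_ssl_create_ssl_ctx` hunks in ob_ssl_config.cpp and ssl_config.c.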
@@ -104,6 +104,11 @@ const char baba_tls_ciphers_list[]= "!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!DES:!RC2:!
 "ECDH-RSA-AES128-SHA:DH-RSA-AES256-SHA:ECDH-RSA-AES256-SHA:DES-CBC3-SHA";
+static const uint64_t tls_protocols = (SSL_OP_NO_SSLv2
+ | SSL_OP_NO_SSLv3
+ | SSL_OP_NO_TLSv1
+ | SSL_OP_NO_TLSv1_1);
+
 static X509* ob_ssl_get_sm_cert_memory(const char *cert)
 {
 BIO *bio = NULL;
@@ -335,9 +340,9 @@ static SSL_CTX* ob_ssl_create_ssl_ctx(const ObSSLConfig& ssl_config)
 /* server side options */
 SSL_CTX_set_options(ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
 SSL_CTX_set_options(ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
- SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3);
-#endif
+
+ SSL_CTX_set_options(ctx, tls_protocols);
+
 /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
 SSL_CTX_set_options(ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
diff --git a/deps/ussl-hook/ssl/ssl_config.c b/deps/ussl-hook/ssl/ssl_config.c
index ce0c18cf9..946ef04f6 100644
--- a/deps/ussl-hook/ssl/ssl_config.c
+++ b/deps/ussl-hook/ssl/ssl_config.c
@@ -101,6 +101,10 @@ static const char baba_tls_ciphers_list[] =
 "ECDH-RSA-AES128-SHA:DH-RSA-AES256-SHA:ECDH-RSA-AES256-SHA:DES-CBC3-SHA";
+static const uint64_t tls_protocols = (SSL_OP_NO_SSLv2
+ | SSL_OP_NO_SSLv3
+ | SSL_OP_NO_TLSv1
+ | SSL_OP_NO_TLSv1_1);
 struct fd_ssl_st {
 SSL *ssl;
@@ -331,9 +335,7 @@ static SSL_CTX *ob_ssl_create_ssl_ctx(const ssl_config_item_t *ssl_config)
 /* server side options */
 SSL_CTX_set_options(ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
 SSL_CTX_set_options(ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
- #if OPENSSL_VERSION_NUMBER >= 0x10101000L
- SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3);
- #endif
+ SSL_CTX_set_options(ctx, tls_protocols);
 /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
 SSL_CTX_set_options(ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
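Review bot: `SSL_CTX_set_options(ctx, tls_protocols);` in `ob_ssl_create_ssl_ctx` expresses the floor as a deny-list of old versions, which has to grow every time another version is to be excluded; on OpenSSL 1.1.0 and later the same policy reads directly as `SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);` and needs no version-specific bits. If the build must still support older OpenSSL (the removed `OPENSSL_VERSION_NUMBER` guard suggests mixed library versions are in play), keep the mask as the fallback under `#if OPENSSL_VERSION_NUMBER < 0x10100000L`. The same applies to the `ob_ssl_create_ssl_ctx` hunk in ssl_config.c below. The call also sits under the pre-existing `/* server side options */` label although a protocol floor applies to both roles; a short comment such as `/* protocol floor: TLS 1.2+, client and server side alike */` above it would avoid the mislabel. The function body starts and ends outside the hunk.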