[revert]observer forbid SSLv2,SSLv3,TLSv1,TLSv1_1 and only support TLSv2 and TLSv3

496148326@qq.com 2023-06-28 12:12:16 +00:00 committed by ob-robot
parent 6e23091d74
commit 5b9655c0e7
3 changed files with 13 additions and 18 deletions


@ -136,9 +136,7 @@ const char baba_tls_ciphers_list[]= "!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!DES:!RC2:!
"DH-DSS-AES256-SHA:ECDH-ECDSA-AES256-SHA:DH-RSA-AES128-SHA:"
"ECDH-RSA-AES128-SHA:DH-RSA-AES256-SHA:ECDH-RSA-AES256-SHA:DES-CBC3-SHA";
const uint64_t tls_protocols = (SSL_OP_NO_SSLv2
| SSL_OP_NO_SSLv3
| SSL_OP_NO_TLSv1
| SSL_OP_NO_TLSv1_1);
| SSL_OP_NO_SSLv3);
static unsigned long id_function(void)
{
@ -1485,7 +1483,9 @@ static int easy_ssl_ctx_create(easy_ssl_ctx_t *ssl)
/* server side options */
SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
#endif
/* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
@ -1521,7 +1521,9 @@ static int easy_ssl_ctx_create_for_mysql(easy_ssl_ctx_t *ssl, int is_babassl)
/* server side options */
SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
#endif
/* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
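Review bot: On the new side the server contexts both re-enable TLS 1.0 and TLS 1.1 (the `SSL_OP_NO_TLSv1` / `SSL_OP_NO_TLSv1_1` bits are dropped from `tls_protocols`) and unconditionally forbid TLS 1.3 through the new `SSL_OP_NO_TLSv1_3` block, so the negotiable range becomes TLS 1.0–1.2 with no comment explaining why; the `#if` block in easy_ssl_ctx_create and easy_ssl_ctx_create_for_mysql should carry the rationale, e.g. `/* Cap at TLS 1.2 and accept TLS 1.0/1.1 for legacy client compatibility; both are deprecated by RFC 8996, revisit before widening exposure. */`. If the revert is driven by specific legacy clients, a configurable minimum version via `SSL_CTX_set_min_proto_version` (OpenSSL 1.1.0+) would let deployments return to 1.2-only without another code change. Note also that `SSL_OP_NO_SSLv2` is defined as 0 on OpenSSL 1.1.0 and later, so the remaining protection in `tls_protocols` is effectively `SSL_OP_NO_SSLv3` alone. Both functions start and end outside the hunks shown.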


@ -104,11 +104,6 @@ const char baba_tls_ciphers_list[]= "!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!DES:!RC2:!
"ECDH-RSA-AES128-SHA:DH-RSA-AES256-SHA:ECDH-RSA-AES256-SHA:DES-CBC3-SHA";
static const uint64_t tls_protocols = (SSL_OP_NO_SSLv2
| SSL_OP_NO_SSLv3
| SSL_OP_NO_TLSv1
| SSL_OP_NO_TLSv1_1);
static X509* ob_ssl_get_sm_cert_memory(const char *cert)
{
BIO *bio = NULL;
@ -340,9 +335,9 @@ static SSL_CTX* ob_ssl_create_ssl_ctx(const ObSSLConfig& ssl_config)
/* server side options */
SSL_CTX_set_options(ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
SSL_CTX_set_options(ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
SSL_CTX_set_options(ctx, tls_protocols);
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3);
#endif
/* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
SSL_CTX_set_options(ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
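Review bot: Removing `SSL_CTX_set_options(ctx, tls_protocols);` together with the `tls_protocols` definition leaves nothing in this hunk that sets `SSL_OP_NO_SSLv3` on the context, so unless another call outside the hunk does it, ob_ssl_create_ssl_ctx now depends on the OpenSSL build having SSLv3 compiled out; on a build with ssl3 enabled the server would negotiate SSLv3 (POODLE). Restoring TLS 1.0/1.1 does not require dropping the SSLv2/SSLv3 exclusions — keep `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` next to the new `#if` block. A one-line comment on the `SSL_OP_NO_TLSv1_3` line stating the compatibility reason for capping at TLS 1.2 would also help the next reader, since the commit message gives none. ob_ssl_create_ssl_ctx starts and ends outside the hunk.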


@ -101,10 +101,6 @@ static const char baba_tls_ciphers_list[] =
"ECDH-RSA-AES128-SHA:DH-RSA-AES256-SHA:ECDH-RSA-AES256-SHA:DES-CBC3-SHA";
static const uint64_t tls_protocols = (SSL_OP_NO_SSLv2
| SSL_OP_NO_SSLv3
| SSL_OP_NO_TLSv1
| SSL_OP_NO_TLSv1_1);
struct fd_ssl_st
{
SSL *ssl;
@ -344,7 +340,9 @@ static SSL_CTX *ob_ssl_create_ssl_ctx(const ssl_config_item_t *ssl_config, int t
/* server side options */
SSL_CTX_set_options(ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
SSL_CTX_set_options(ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
SSL_CTX_set_options(ctx, tls_protocols);
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3);
#endif
/* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
SSL_CTX_set_options(ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
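Review bot: After this hunk the only protocol option applied to `ctx` is `SSL_OP_NO_TLSv1_3`; the `SSL_CTX_set_options(ctx, tls_protocols);` call that carried `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` is removed along with the constant, so on an OpenSSL/BabaSSL build that still ships SSLv3 this context would accept it unless a call outside the hunk disables it. The revert only needs to stop excluding TLS 1.0/1.1; the SSLv3 exclusion should stay, e.g. `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` placed before the `#if OPENSSL_VERSION_NUMBER` block. Consider also documenting on the `SSL_OP_NO_TLSv1_3` line why TLS 1.3 is disabled and 1.0/1.1 allowed, since TLS 1.0/1.1 are deprecated (RFC 8996) and a reader will otherwise assume the weaker range is accidental. ob_ssl_create_ssl_ctx starts and ends outside the hunk.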