From 5b9655c0e735eb1138ebdcf0f70215d212f89253 Mon Sep 17 00:00:00 2001
From: "496148326@qq.com" <496148326@qq.com>
Date: Wed, 28 Jun 2023 12:12:16 +0000
Subject: [PATCH] [revert]observer forbid SSLv2,SSLv3,TLSv1,TLSv1_1 and only support TLSv2 and TLSv3
---
 deps/easy/src/io/easy_ssl.c | 12 +++++++-----
 deps/oblib/src/lib/ssl/ob_ssl_config.cpp | 11 +++--------
 deps/ussl-hook/ssl/ssl_config.c | 8 +++-----
 3 files changed, 13 insertions(+), 18 deletions(-)
diff --git a/deps/easy/src/io/easy_ssl.c b/deps/easy/src/io/easy_ssl.c
index cdb6ca7a5..70bce0b8e 100644
--- a/deps/easy/src/io/easy_ssl.c
+++ b/deps/easy/src/io/easy_ssl.c
@@ -136,9 +136,7 @@ const char baba_tls_ciphers_list[]= "!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!DES:!RC2:!
 "DH-DSS-AES256-SHA:ECDH-ECDSA-AES256-SHA:DH-RSA-AES128-SHA:"
 "ECDH-RSA-AES128-SHA:DH-RSA-AES256-SHA:ECDH-RSA-AES256-SHA:DES-CBC3-SHA";
 const uint64_t tls_protocols = (SSL_OP_NO_SSLv2
- | SSL_OP_NO_SSLv3
- | SSL_OP_NO_TLSv1
- | SSL_OP_NO_TLSv1_1);
+ | SSL_OP_NO_SSLv3);
 static unsigned long id_function(void)
 {
@@ -1485,7 +1483,9 @@ static int easy_ssl_ctx_create(easy_ssl_ctx_t *ssl)
 /* server side options */
 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
-
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
+#endif
 /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
 SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
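Review bot: With `SSL_OP_NO_TLSv1` and `SSL_OP_NO_TLSv1_1` dropped from `tls_protocols` in the first hunk, every context this mask is applied to will again negotiate TLS 1.0 and 1.1, the versions RFC 8996 deprecates and the ones this constant existed to block; the message calls it a revert but gives no compatibility reason. If a legacy client genuinely needs them, record that beside the constant, e.g. `/* TLS 1.0/1.1 re-enabled for <client>, see <ticket>; remove once it is upgraded */`, so the next reader does not silently re-tighten or loosen it. Note that no hunk in easy_ssl.c removes a use of `tls_protocols`, so it is presumably still applied somewhere outside these hunks — or has become dead; worth confirming which. Where the build can rely on OpenSSL 1.1.0+, `SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION)` states the floor more clearly than a `SSL_OP_NO_*` bitmask.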
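Review bot: The new `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` block in easy_ssl_ctx_create switches TLS 1.3 off on every build that has it, while the subject line says the intent is to support "TLSv2 and TLSv3"; combined with the loosened `tls_protocols` in this same file, the server is left preferring exactly the older protocol set. The guard itself is correct (`SSL_OP_NO_TLSv1_3` only exists from OpenSSL 1.1.1), but nothing says why TLS 1.3 has to be disabled; add a comment on the `#if` line such as `/* TLS 1.3 disabled: <reason, e.g. driver incompatibility>; re-enable when resolved */`. If BabaSSL/Tongsuo is a supported backend (the sibling function takes `is_babassl`), confirm its `OPENSSL_VERSION_NUMBER` passes this test, otherwise the option is silently skipped there. easy_ssl_ctx_create begins and ends outside the hunk.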
@@ -1521,7 +1521,9 @@ static int easy_ssl_ctx_create_for_mysql(easy_ssl_ctx_t *ssl, int is_babassl)
 /* server side options */
 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
-
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
+#endif
 /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
 SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
diff --git a/deps/oblib/src/lib/ssl/ob_ssl_config.cpp b/deps/oblib/src/lib/ssl/ob_ssl_config.cpp
index 887a7eed0..b008a41f6 100644
--- a/deps/oblib/src/lib/ssl/ob_ssl_config.cpp
+++ b/deps/oblib/src/lib/ssl/ob_ssl_config.cpp
@@ -104,11 +104,6 @@ const char baba_tls_ciphers_list[]= "!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!DES:!RC2:!
 "ECDH-RSA-AES128-SHA:DH-RSA-AES256-SHA:ECDH-RSA-AES256-SHA:DES-CBC3-SHA";
-static const uint64_t tls_protocols = (SSL_OP_NO_SSLv2
- | SSL_OP_NO_SSLv3
- | SSL_OP_NO_TLSv1
- | SSL_OP_NO_TLSv1_1);
-
 static X509* ob_ssl_get_sm_cert_memory(const char *cert)
 {
 BIO *bio = NULL;
@@ -340,9 +335,9 @@ static SSL_CTX* ob_ssl_create_ssl_ctx(const ObSSLConfig& ssl_config)
 /* server side options */
 SSL_CTX_set_options(ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
 SSL_CTX_set_options(ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
-
- SSL_CTX_set_options(ctx, tls_protocols);
-
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3);
+#endif
 /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
 SSL_CTX_set_options(ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
diff --git a/deps/ussl-hook/ssl/ssl_config.c b/deps/ussl-hook/ssl/ssl_config.c
index d1f8a173f..f53b92854 100644
--- a/deps/ussl-hook/ssl/ssl_config.c
+++ b/deps/ussl-hook/ssl/ssl_config.c
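Review bot: easy_ssl_ctx_create_for_mysql now carries a verbatim copy of the `SSL_OP_NO_TLSv1_3` block added to easy_ssl_ctx_create, so the protocol-version policy for the MySQL-protocol listener is maintained by duplication and the two contexts can drift the next time this is toggled; a small `static void easy_ssl_apply_proto_policy(SSL_CTX *ctx)` called from both would keep them in step. With TLS 1.3 off here and `tls_protocols` loosened earlier in the file, clients on the MySQL port negotiate at most TLS 1.2 and may settle on TLS 1.0 — if that is deliberate for a particular driver, say so in a comment on the `#if` line rather than leaving the block unexplained. The function begins and ends outside the hunk.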
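Review bot: In ob_ssl_create_ssl_ctx the removed `SSL_CTX_set_options(ctx, tls_protocols)` was the only line in this hunk that set `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3`, and nothing replaces it: unlike easy_ssl.c, which keeps a trimmed `tls_protocols` mask, this context is left with no SSLv3 prohibition at all. On OpenSSL 1.1.0+ SSLv3 is normally compiled out, but on a 1.0.2 build — which the `OPENSSL_VERSION_NUMBER` guard suggests is still supported — the server could negotiate SSLv3 (POODLE, CVE-2014-3566). Keep the floor explicit with `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` next to the new `#if` block, or `SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);` where that API exists. ob_ssl_create_ssl_ctx begins and ends outside the hunk, so I cannot see whether a floor is set elsewhere in it.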
@@ -101,10 +101,6 @@ static const char baba_tls_ciphers_list[] =
 "ECDH-RSA-AES128-SHA:DH-RSA-AES256-SHA:ECDH-RSA-AES256-SHA:DES-CBC3-SHA";
-static const uint64_t tls_protocols = (SSL_OP_NO_SSLv2
- | SSL_OP_NO_SSLv3
- | SSL_OP_NO_TLSv1
- | SSL_OP_NO_TLSv1_1);
 struct fd_ssl_st {
 SSL *ssl;
@@ -344,7 +340,9 @@ static SSL_CTX *ob_ssl_create_ssl_ctx(const ssl_config_item_t *ssl_config, int t
 /* server side options */
 SSL_CTX_set_options(ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
 SSL_CTX_set_options(ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
- SSL_CTX_set_options(ctx, tls_protocols);
+ #if OPENSSL_VERSION_NUMBER >= 0x10101000L
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3);
+ #endif
 /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
 SSL_CTX_set_options(ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
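Review bot: In the ussl-hook ob_ssl_create_ssl_ctx the removed `SSL_CTX_set_options(ctx, tls_protocols)` is again replaced only by the TLS 1.3 disable, so the SSLv2/SSLv3 prohibition that constant carried disappears from this context as well, while easy_ssl.c retains it; add `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` beside the new block so this listener keeps the same floor. The `#if` and `#endif` here are indented to statement level, whereas the same directives sit at column 0 in the other two files of this patch; column 0 is the convention the rest of the change uses. The function begins and ends outside the hunk.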