net/Ssl.cpp | 9 +++------ wsd/LOOLWSD.cpp | 7 ++++++- 2 files changed, 9 insertions(+), 7 deletions(-)
New commits: commit cfe43ef3f571b46f9808b4844fed303ec3be761f Author: Aron Budea <[email protected]> AuthorDate: Sat Jul 27 01:31:55 2019 +0200 Commit: Michael Meeks <[email protected]> CommitDate: Wed Aug 21 15:25:43 2019 +0200 Improve SSL initialization Always log cipher list, and disable any chance of fallback to deprecated protocols. Change-Id: Ifdfc7a3e44e98b078a36fdda6f3c813354a79e60 Reviewed-on: https://gerrit.libreoffice.org/76465 Reviewed-by: Michael Meeks <[email protected]> Tested-by: Michael Meeks <[email protected]>
diff --git a/net/Ssl.cpp b/net/Ssl.cpp
index 06c5e06d6..ec14502d3 100644
--- a/net/Ssl.cpp
+++ b/net/Ssl.cpp
@@ -30,8 +30,6 @@ extern "C"
 };
 }
-#define DEFAULT_CIPHER_SET "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
-
 std::unique_ptr<SslContext> SslContext::Instance(nullptr);
 SslContext::SslContext(const std::string& certFilePath,
@@ -71,8 +69,10 @@ SslContext::SslContext(const std::string& certFilePath,
 // as we don't expect/support different servers in same process.
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 _ctx = SSL_CTX_new(TLS_method());
+ SSL_CTX_set_min_proto_version(_ctx, TLS1_VERSION);
 #else
 _ctx = SSL_CTX_new(SSLv23_method());
+ SSL_CTX_set_options(_ctx, SSL_OP_NO_SSLv3);
 #endif
 // SSL_CTX_set_default_passwd_cb(_ctx, &privateKeyPassphraseCallback);
@@ -113,10 +113,7 @@ SslContext::SslContext(const std::string& certFilePath,
 }
 SSL_CTX_set_verify(_ctx, SSL_VERIFY_NONE, nullptr /*&verifyServerCallback*/);
- std::string ciphers(cipherList);
- if (ciphers.empty())
- ciphers = DEFAULT_CIPHER_SET;
- SSL_CTX_set_cipher_list(_ctx, ciphers.c_str());
+ SSL_CTX_set_cipher_list(_ctx, cipherList.c_str());
 SSL_CTX_set_verify_depth(_ctx, 9);
 // The write buffer may re-allocate, and we don't mind partial writes.
diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp
index 6bf628632..5a1dbce41 100644
--- a/wsd/LOOLWSD.cpp
+++ b/wsd/LOOLWSD.cpp
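Review bot: The return value of `SSL_CTX_set_min_proto_version(_ctx, TLS1_VERSION)` is discarded, so a floor that OpenSSL refuses to apply (it returns 0 on failure) leaves the context at the library default with nothing in the log, and the call dereferences `_ctx` right after `SSL_CTX_new`, before any null check could run. A floor of `TLS1_VERSION` also still admits TLS 1.0 and 1.1, which the commit message's "deprecated protocols" arguably includes; if those are meant to be excluded, `TLS1_2_VERSION` (or a config-driven floor) would say so explicitly, and in the `#else` branch `SSL_OP_NO_SSLv3` alone does not cover SSLv2 on 1.0.x builds configured with it, so `SSL_OP_NO_SSLv2` belongs in the same `SSL_CTX_set_options` call. A minimal guard: `if (_ctx == nullptr || SSL_CTX_set_min_proto_version(_ctx, TLS1_VERSION) != 1)` followed by logging and failing construction. The enclosing constructor starts and ends outside the hunk.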
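Review bot: `SSL_CTX_set_cipher_list(_ctx, cipherList.c_str())` now forwards whatever the caller supplies, an empty string included, and its return value is still ignored; OpenSSL returns 0 when the list selects no cipher and keeps the previous (default) list, so a typo in `ssl.cipher_list` would silently run with the library default instead of the configured one. With the empty-string fallback removed from this constructor, any other construction of `SslContext` that passed an empty list (if one exists outside this diff) no longer gets a default either. A check such as `if (SSL_CTX_set_cipher_list(_ctx, cipherList.c_str()) != 1) { /* log cipherList and fail construction */ }` surfaces the misconfiguration at startup. The enclosing constructor starts and ends outside the hunk.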
@@ -25,6 +25,9 @@
 #define LOOLWSD_TEST_DOCUMENT_RELATIVE_PATH_CALC "test/data/hello-world.ods"
 #define LOOLWSD_TEST_DOCUMENT_RELATIVE_PATH_IMPRESS "test/data/hello-world.odp"
+/* Default ciphers used, when not specified otherwise */
+#define DEFAULT_CIPHER_SET "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
+
 // This is the main source for the loolwsd program. LOOL uses several loolwsd processes: one main
 // parent process that listens on the TCP port and accepts connections from LOOL clients, and a
 // number of child processes, each which handles a viewing (editing) session for one document.
@@ -1224,7 +1227,9 @@ void LOOLWSD::initializeSSL()
 const std::string ssl_ca_file_path = getPathFromConfig("ssl.ca_file_path");
 LOG_INF("SSL CA file: " << ssl_ca_file_path);
- const std::string ssl_cipher_list = config().getString("ssl.cipher_list", "");
+ std::string ssl_cipher_list = config().getString("ssl.cipher_list", "");
+ if (ssl_cipher_list.empty())
+ ssl_cipher_list = DEFAULT_CIPHER_SET;
 LOG_INF("SSL Cipher list: " << ssl_cipher_list);
 // Initialize the non-blocking socket SSL.
_______________________________________________ Libreoffice-commits mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
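Review bot: `DEFAULT_CIPHER_SET` comes back as a preprocessor macro; a typed, scoped constant, `constexpr const char* DEFAULT_CIPHER_SET = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH";`, is what the `std::string` assignment in `initializeSSL` consumes anyway and is visible to the debugger. The value itself is a permissive default: `!ADH` excludes anonymous DH but not anonymous ECDH (`!aNULL` would cover both), and on OpenSSL builds that ship them `ALL` still admits RC4 and 3DES suites and non-forward-secret RSA key exchange. That is unchanged from the definition previously in `net/Ssl.cpp`, so a follow-up is fine, but the new comment could at least say that `ssl.cipher_list` is expected to be set for a hardened deployment, or the default could move to a `HIGH`-based profile.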
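Review bot: When `ssl.cipher_list` is empty the fallback is applied silently, so the `LOG_INF("SSL Cipher list: ...")` line cannot tell an operator whether the value came from the config file or from `DEFAULT_CIPHER_SET`; a one-line message in the `if` body, e.g. `LOG_INF("ssl.cipher_list not set, using default cipher list");`, makes that distinction visible in the startup log. Dropping `const` from `ssl_cipher_list` is only needed for the assignment; `const std::string configured = config().getString("ssl.cipher_list", "");` followed by `const std::string ssl_cipher_list = configured.empty() ? DEFAULT_CIPHER_SET : configured;` keeps the logged value immutable. `initializeSSL` continues outside the hunk.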
