Probably not the cleanest of patches, but attached is a patch that will allow a "DisableSSLv2" option within a ListenHTTPS, which will disable SSLv2.
--- a/config.c
+++ b/config.c
@@ -76,7 +76,7 @@
static regex_t Err414, Err500, Err501, Err503, MaxRequest, HeadRemove, RewriteLocation, RewriteDestination;
static regex_t Service, ServiceName, URL, HeadRequire, HeadDeny, BackEnd, Emergency, Priority, HAport, HAportAddr;
static regex_t Redirect, RedirectN, TimeOut, Session, Type, TTL, ID, DynScale;
-static regex_t ClientCert, AddHeader, SSLAllowClientRenegotiation, SSLHonorCipherOrder, Ciphers, CAlist, VerifyList, CRLlist, NoHTTPS11;
+static regex_t ClientCert, AddHeader, DisableSSLv2, SSLAllowClientRenegotiation, SSLHonorCipherOrder, Ciphers, CAlist, VerifyList, CRLlist, NoHTTPS11;
static regex_t Grace, Include, ConnTO, IgnoreCase, HTTPS, HTTPSCert, Disabled, Threads, CNName;
static regmatch_t matches[5];
@@ -855,6 +855,7 @@
res->err501 = "This method may not be used.";
res->err503 = "The service is not available. Please try again later.";
res->allow_client_reneg = 0;
+ res->disable_ssl_v2 = 0;
res->log_level = log_level;
if(regcomp(&res->verb, xhttp[0], REG_ICASE | REG_NEWLINE | REG_EXTENDED))
conf_err("xHTTP bad default pattern - aborted");
@@ -1040,6 +1041,8 @@
strcat(res->add_head, "\r\n");
strcat(res->add_head, lin + matches[1].rm_so);
}
+ } else if(!regexec(&DisableSSLv2, lin, 4, matches, 0)) {
+ res->disable_ssl_v2 = 1;
} else if(!regexec(&SSLAllowClientRenegotiation, lin, 4, matches, 0)) {
res->allow_client_reneg = atoi(lin + matches[1].rm_so);
if (res->allow_client_reneg == 2) {
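Review bot: The new DisableSSLv2 branch can only set `disable_ssl_v2`, never clear it, because the directive is keyword-only, whereas the neighbouring SSLAllowClientRenegotiation and SSLHonorCipherOrder directives take an explicit 0/1 argument (the pattern added in the regcomp hunk at line 1344 has no capture group, yet the branch still passes `4, matches` as if one existed). Taking an argument would follow the file's convention and let a listener override whatever default is chosen: `"^[ \t]*DisableSSLv2[ \t]+([01])[ \t]*$"` in the regcomp and `res->disable_ssl_v2 = atoi(lin + matches[1].rm_so);` here. The enclosing parse function starts and ends outside the hunk.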
@@ -1137,6 +1140,10 @@
SSL_CTX_set_mode(pc->ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_options(pc->ctx, ssl_op_enable);
SSL_CTX_clear_options(pc->ctx, ssl_op_disable);
+ if (res->disable_ssl_v2 == 1)
+ {
+ SSL_CTX_set_options(pc->ctx, SSL_OP_NO_SSLv2);
+ }
sprintf(lin, "%d-Pound-%ld", getpid(), random());
SSL_CTX_set_session_id_context(pc->ctx, (unsigned char *)lin, strlen(lin));
SSL_CTX_set_tmp_rsa_callback(pc->ctx, RSA_tmp_callback);
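Review bot: The option is opt-in — `disable_ssl_v2` is initialised to 0 in the hunk at line 855 — so every existing configuration keeps accepting SSLv2 handshakes, which is the unsafe side to default to; consider initialising the field to 1 and letting the directive (or its argument) re-enable the protocol only on explicit request, and say so in the pound.h comment. The placement after `SSL_CTX_clear_options(pc->ctx, ssl_op_disable)` is right, since nothing later in the hunk clears the flag again. On style, the file writes `if(...) {` with the brace on the same line (as in the parse branch at line 1041), and the test reads more naturally as `if (res->disable_ssl_v2)` than as a comparison with 1. I am inferring from `pc->ctx` that this runs once per certificate context; the loop, if any, lies outside the hunk.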
@@ -1337,6 +1344,7 @@
|| regcomp(&ClientCert, "^[ \t]*ClientCert[ \t]+([0-3])[ \t]+([1-9])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&AddHeader, "^[ \t]*AddHeader[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&SSLAllowClientRenegotiation, "^[ \t]*SSLAllowClientRenegotiation[ \t]+([012])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+ || regcomp(&DisableSSLv2, "^[ \t]*DisableSSLv2[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&SSLHonorCipherOrder, "^[ \t]*SSLHonorCipherOrder[ \t]+([01])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&Ciphers, "^[ \t]*Ciphers[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&CAlist, "^[ \t]*CAlist[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
@@ -1497,6 +1505,7 @@
regfree(&ClientCert);
regfree(&AddHeader);
regfree(&SSLAllowClientRenegotiation);
+ regfree(&DisableSSLv2);
regfree(&SSLHonorCipherOrder);
regfree(&Ciphers);
regfree(&CAlist);
--- a/pound.h
+++ b/pound.h
@@ -405,6 +405,7 @@
int disabled; /* true if the listener is disabled */
int log_level; /* log level for this listener */
int allow_client_reneg; /* Allow Client SSL Renegotiation */
+ int disable_ssl_v2; /* Disable SSL version 2 */
SERVICE *services;
struct _listener *next;
} LISTENER;