Here's a patch for v2.6-pcidss that implements the DisableSSLv2 and
DisableSSLv3 directives; I hope it's useful to someone.
--
Liam Gretton [email protected]
Systems Specialist http://www.le.ac.uk/its/
IT Services Tel: +44 (0)116 2522254
University Of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom
--- pound.h 2013-09-14 21:44:25.000000000 +0100
+++ pound.h 2014-10-16 15:41:24.000000000 +0100
@@ -405,6 +405,8 @@ typedef struct _listener {
int disabled; /* true if the listener is disabled */
int log_level; /* log level for this listener */
int allow_cl_reneg; /* Allow Client SSL Renegotiation */
+ int disable_ssl_v2; /* Disable SSLv2 */
+ int disable_ssl_v3; /* Disable SSLv3 */
SERVICE *services;
struct _listener *next;
} LISTENER;
--- config.c 2013-09-14 21:44:25.000000000 +0100
+++ config.c 2014-10-16 15:38:52.000000000 +0100
@@ -8,15 +8,15 @@
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
- *
+ *
* Pound is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
- *
+ *
* Contact information:
* Apsis GmbH
* P.O.Box
@@ -76,7 +76,7 @@ static regex_t ListenHTTP, ListenHTTPS,
static regex_t Err414, Err500, Err501, Err503, MaxRequest, HeadRemove,
RewriteLocation, RewriteDestination;
static regex_t Service, ServiceName, URL, HeadRequire, HeadDeny, BackEnd,
Emergency, Priority, HAport, HAportAddr;
static regex_t Redirect, RedirectN, TimeOut, Session, Type, TTL, ID, DynScale;
-static regex_t ClientCert, AddHeader, DisableSSLv2,
SSLAllowClientRenegotiation, SSLHonorCipherOrder, Ciphers, CAlist, VerifyList,
CRLlist, NoHTTPS11;
+static regex_t ClientCert, AddHeader, DisableSSLv2, DisableSSLv3,
SSLAllowClientRenegotiation, SSLHonorCipherOrder, Ciphers, CAlist, VerifyList,
CRLlist, NoHTTPS11;
static regex_t Grace, Include, ConnTO, IgnoreCase, HTTPS, HTTPSCert,
HTTPSCiphers, Disabled, Threads, CNName, DHParams, ECDHCurve;
static regmatch_t matches[5];
@@ -492,7 +492,7 @@ static IMPLEMENT_LHASH_HASH_FN(t, TABNOD
#else
static IMPLEMENT_LHASH_HASH_FN(t_hash, const TABNODE *)
#endif
-
+
static int
t_cmp(const TABNODE *d1, const TABNODE *d2)
{
@@ -906,6 +906,8 @@ parse_HTTPS(void)
res->err501 = "This method may not be used.";
res->err503 = "The service is not available. Please try again later.";
res->allow_cl_reneg = 0;
+ res->disable_ssl_v2 == 0;
+ res->disable_ssl_v3 == 0;
res->log_level = log_level;
if(regcomp(&res->verb, xhttp[0], REG_ICASE | REG_NEWLINE | REG_EXTENDED))
conf_err("xHTTP bad default pattern - aborted");
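Review bot: `res->disable_ssl_v2 == 0;` and `res->disable_ssl_v3 == 0;` are comparisons, not assignments, so the two added statements have no effect and the new fields keep whatever the listener allocation left in them unless res is zeroed somewhere else in parse_HTTPS (not visible in this hunk). The intent is clearly `res->disable_ssl_v2 = 0;` and `res->disable_ssl_v3 = 0;`, matching `res->allow_cl_reneg = 0;` just above; compilers report the original form under -Wunused-value. If the fields are left uninitialized, the later `== 1` checks that apply SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3 become unpredictable, so the protocol may stay enabled on a listener whose operator never set the directive. parse_HTTPS continues outside the hunk.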
@@ -1091,6 +1093,10 @@ parse_HTTPS(void)
strcat(res->add_head, "\r\n");
strcat(res->add_head, lin + matches[1].rm_so);
}
+ } else if(!regexec(&DisableSSLv2, lin, 4, matches, 0)) {
+ res->disable_ssl_v2 = 1;
+ } else if(!regexec(&DisableSSLv3, lin, 4, matches, 0)) {
+ res->disable_ssl_v3 = 1;
} else if(!regexec(&SSLAllowClientRenegotiation, lin, 4, matches, 0)) {
res->allow_cl_reneg = atoi(lin + matches[1].rm_so);
if (res->allow_cl_reneg == 2) {
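Review bot: Both new branches set the flag to 1 unconditionally, yet the directive's pattern (`DisableSSLv2[ \t]+([01])`, compiled in the later config_parse hunk) captures a 0/1 argument, so `DisableSSLv2 0` disables SSLv2 exactly like `DisableSSLv2 1`. Either honor the captured value the way the neighbouring `SSLAllowClientRenegotiation` branch does, `res->disable_ssl_v2 = atoi(lin + matches[1].rm_so);` (and likewise for v3), or drop the `([01])` group from both patterns so the directive is a bare switch. As written the mismatch is fail-safe but surprising to an operator reading the config. parse_HTTPS continues outside the hunk.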
@@ -1189,6 +1195,10 @@ parse_HTTPS(void)
SSL_CTX_set_app_data(pc->ctx, res);
SSL_CTX_set_mode(pc->ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_options(pc->ctx, ssl_op_enable);
+ if (res->disable_ssl_v2 == 1)
+ SSL_CTX_set_options(pc->ctx, SSL_OP_NO_SSLv2);
+ if (res->disable_ssl_v3 == 1)
+ SSL_CTX_set_options(pc->ctx, SSL_OP_NO_SSLv3);
SSL_CTX_clear_options(pc->ctx, ssl_op_disable);
sprintf(lin, "%d-Pound-%ld", getpid(), random());
SSL_CTX_set_session_id_context(pc->ctx, (unsigned char *)lin,
strlen(lin));
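Review bot: The new `if (res->disable_ssl_v2 == 1)` / `if (res->disable_ssl_v3 == 1)` tests compare an int flag against the literal 1, so any other non-zero value written to the field silently leaves the protocol enabled; `if (res->disable_ssl_v2)` is the safer form. The two options could also be OR'd into `ssl_op_enable` ahead of the existing `SSL_CTX_set_options(pc->ctx, ssl_op_enable)` call, provided that variable is assembled before this point (its computation is outside the hunk), which keeps every per-context option in one place and before the `SSL_CTX_clear_options` call. A short comment such as `/* DisableSSLv2/DisableSSLv3 directives: refuse the legacy protocol versions on this listener */` would document the intent. The enclosing loop over pc starts outside the hunk.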
@@ -1440,6 +1450,8 @@ config_parse(const int argc, char **cons
|| regcomp(&DHParams, "^[ \t]*DHParams(|Export)[ \t]+\"(.+)\"[ \t]*$",
REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&ECDHCurve, "^[ \t]*ECDHCurve[ \t]+(.+)[ \t]*$", REG_ICASE |
REG_NEWLINE | REG_EXTENDED)
|| regcomp(&CNName, ".*[Cc][Nn]=([-*.A-Za-z0-9]+).*$", REG_ICASE |
REG_NEWLINE | REG_EXTENDED)
+ || regcomp(&DisableSSLv2, "^[ \t]*DisableSSLv2[ \t]+([01])[ \t]*$",
REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+ || regcomp(&DisableSSLv3, "^[ \t]*DisableSSLv3[ \t]+([01])[ \t]*$",
REG_ICASE | REG_NEWLINE | REG_EXTENDED)
) {
logmsg(LOG_ERR, "bad config Regex - aborted");
exit(1);
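Review bot: `DisableSSLv2` already appears in the original `static regex_t` list (only `DisableSSLv3` is new in the earlier hunk), which suggests the v2 pattern is already compiled, matched and freed elsewhere in config.c; if so, the added `regcomp(&DisableSSLv2, ...)` here overwrites the earlier compiled pattern without freeing it, and the added `regfree(&DisableSSLv2)` in the last hunk releases the same regex_t a second time. Worth grepping config.c for existing DisableSSLv2 handling before merging and keeping exactly one regcomp/regfree pair (and one regexec branch) per directive. The remainder of config_parse is outside the hunk.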
@@ -1608,6 +1620,8 @@ config_parse(const int argc, char **cons
regfree(&CNName);
regfree(&DHParams);
regfree(&ECDHCurve);
+ regfree(&DisableSSLv2);
+ regfree(&DisableSSLv3);
/* set the facility only here to ensure the syslog gets opened if
necessary */
log_facility = def_facility;