cedric pushed a commit to branch master.

http://git.enlightenment.org/core/efl.git/commit/?id=ae5e2c82843a5dea2474b79f5426207495b465a8

commit ae5e2c82843a5dea2474b79f5426207495b465a8
Author: Cedric BAIL <ced...@osg.samsung.com>
Date:   Mon Nov 2 14:11:09 2015 -0800

    emile/ecore_con: drop SSLv3 support due to security issue.
    
    SSLv3 was shown to be broken a year ago by the attack known as POODLE
    (https://en.wikipedia.org/wiki/POODLE). Every major browser has now
    dropped support for SSLv3 and distributions are starting to do so as well.
    It is a good time for us to do the same, especially as SSLv3 support
    breaks the build on some distributions.
---
 src/lib/ecore_con/Ecore_Con.h                  |  2 +-
 src/lib/ecore_con/ecore_con_private.h          |  3 ++-
 src/lib/ecore_con/ecore_con_ssl.c              | 26 +++++++++---------------
 src/lib/emile/emile_cipher.h                   |  1 -
 src/lib/emile/emile_cipher_openssl.c           |  6 ------
 src/tests/ecore_con/ecore_con_test_ecore_con.c | 28 --------------------------
 6 files changed, 13 insertions(+), 53 deletions(-)

diff --git a/src/lib/ecore_con/Ecore_Con.h b/src/lib/ecore_con/Ecore_Con.h
index 2971221..09363f7 100644
--- a/src/lib/ecore_con/Ecore_Con.h
+++ b/src/lib/ecore_con/Ecore_Con.h
@@ -299,7 +299,7 @@ typedef enum _Ecore_Con_Type
    ECORE_CON_REMOTE_CORK = 8,
    /** Use SSL2: UNSUPPORTED. **/
    ECORE_CON_USE_SSL2 = (1 << 4),
-   /** Use SSL3 */
+   /** Use SSL3: UNSUPPORTED. **/
    ECORE_CON_USE_SSL3 = (1 << 5),
    /** Use TLS */
    ECORE_CON_USE_TLS = (1 << 6),
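Review bot: The new doc comment on ECORE_CON_USE_SSL3 says the flag is unsupported but not what a caller who still passes it gets; in this same commit ecore_con_ssl_server_prepare strips the bit when ECORE_CON_USE_MIXED is also set and otherwise fails with ECORE_CON_SSL_ERROR_SSL3_NOT_SUPPORTED. Spelling that out here saves API users a trip into the implementation: `/** Use SSL3: UNSUPPORTED since the POODLE attack. Dropped silently when combined with ECORE_CON_USE_MIXED; requesting SSL3 alone makes server preparation fail. **/`. Keeping the enumerator itself, as the hunk does, is right, since removing it would shift no bits but would break source compatibility for callers that reference it.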
diff --git a/src/lib/ecore_con/ecore_con_private.h 
b/src/lib/ecore_con/ecore_con_private.h
index dff720b..181ca44 100644
--- a/src/lib/ecore_con/ecore_con_private.h
+++ b/src/lib/ecore_con/ecore_con_private.h
@@ -71,7 +71,8 @@ typedef enum _Ecore_Con_Ssl_Error
    ECORE_CON_SSL_ERROR_NOT_SUPPORTED,
    ECORE_CON_SSL_ERROR_INIT_FAILED,
    ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED,
-   ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED
+   ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED,
+   ECORE_CON_SSL_ERROR_SSL3_NOT_SUPPORTED
 } Ecore_Con_Ssl_Error;
 
 typedef enum _Ecore_Con_Ssl_Handshake
diff --git a/src/lib/ecore_con/ecore_con_ssl.c 
b/src/lib/ecore_con/ecore_con_ssl.c
index 03ce569..d66262d 100644
--- a/src/lib/ecore_con/ecore_con_ssl.c
+++ b/src/lib/ecore_con/ecore_con_ssl.c
@@ -497,6 +497,16 @@ ecore_con_ssl_server_prepare(Ecore_Con_Server *svr,
    if (!emile_cipher_init())
      return ECORE_CON_SSL_ERROR_SERVER_INIT_FAILED;
 
+   // We forcibly disable SSL3 now
+   if (ssl_type & ECORE_CON_USE_MIXED)
+     ssl_type &= ~ECORE_CON_USE_SSL3;
+
+   if (ssl_type & ECORE_CON_USE_SSL2)
+     return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED;
+
+   if (ssl_type & ECORE_CON_USE_SSL3)
+     return ECORE_CON_SSL_ERROR_SSL3_NOT_SUPPORTED;
+
    return SSL_SUFFIX(_ecore_con_ssl_server_prepare) (svr, ssl_type);
 }
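Review bot: The mixed-mode guard `if (ssl_type & ECORE_CON_USE_MIXED) ssl_type &= ~ECORE_CON_USE_SSL3;` tests for any bit of the mask rather than the whole mask; if ECORE_CON_USE_MIXED includes the ECORE_CON_USE_SSL3 bit (its name suggests it is SSL3-or-TLS, but its definition is not in this hunk), then a plain ECORE_CON_USE_SSL3 request also matches, its SSL3 bit is stripped, and the `ECORE_CON_SSL_ERROR_SSL3_NOT_SUPPORTED` return two checks below can never be reached — the server would be prepared without any of the requested SSL types instead of failing loudly. Compare against the full mask, `if ((ssl_type & ECORE_CON_USE_MIXED) == ECORE_CON_USE_MIXED)`, so only genuine mixed requests are downgraded and SSL3-only requests get the new error. Also consider a one-line comment on why the downgrade is silent for mixed mode (the caller already accepted TLS) while SSL3-alone is an error, since the two branches look inconsistent without it.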
 
@@ -754,13 +764,8 @@ _ecore_con_ssl_server_prepare_gnutls(Ecore_Con_Server *obj,
    Ecore_Con_Server_Data *svr = eo_data_scope_get(obj, ECORE_CON_SERVER_CLASS);
    int ret;
 
-   if (ssl_type & ECORE_CON_USE_SSL2)
-     return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED;
-
    switch (ssl_type)
      {
-      case ECORE_CON_USE_SSL3:
-      case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT:
       case ECORE_CON_USE_TLS:
       case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT:
       case ECORE_CON_USE_MIXED:
@@ -1379,19 +1384,8 @@ _ecore_con_ssl_server_prepare_openssl(Ecore_Con_Server 
*obj,
    long options;
    int dh = 0;
 
-   if (ssl_type & ECORE_CON_USE_SSL2)
-     return ECORE_CON_SSL_ERROR_SSL2_NOT_SUPPORTED;
-
    switch (ssl_type)
      {
-      case ECORE_CON_USE_SSL3:
-      case ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT:
-        if (!svr->created)
-          SSL_ERROR_CHECK_GOTO_ERROR(!(svr->ssl_ctx = 
SSL_CTX_new(SSLv3_client_method())));
-        else
-          SSL_ERROR_CHECK_GOTO_ERROR(!(svr->ssl_ctx = 
SSL_CTX_new(SSLv3_server_method())));
-        break;
-
       case ECORE_CON_USE_TLS:
       case ECORE_CON_USE_TLS | ECORE_CON_LOAD_CERT:
         if (!svr->created)
diff --git a/src/lib/emile/emile_cipher.h b/src/lib/emile/emile_cipher.h
index 74a1b51..9d82d16 100644
--- a/src/lib/emile/emile_cipher.h
+++ b/src/lib/emile/emile_cipher.h
@@ -92,7 +92,6 @@ typedef struct _Emile_SSL Emile_SSL;
 typedef enum
 {
   EMILE_SSLv23,
-  EMILE_SSLv3,
   EMILE_TLSv1
 } Emile_Cipher_Type;
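Review bot: Removing EMILE_SSLv3 from the middle of Emile_Cipher_Type renumbers EMILE_TLSv1 from 2 to 1, so anything already compiled against the previous header and passing EMILE_TLSv1 now hands the switches in emile_cipher_server_listen/connect a value with no visible case; if this header is installed as part of the library API, keep the numbering stable with an explicit `EMILE_TLSv1 = 2,` or leave a placeholder enumerator documented as unsupported. Separately, EMILE_SSLv23 remains, and on the context lines of emile_cipher_openssl.c in this same commit that path sets only `SSL_OP_NO_SSLv2`, so a peer can still negotiate SSLv3 through the SSLv23 type and the commit's stated goal is not fully met — add `SSL_OP_NO_SSLv3` to that options mask, e.g. `options | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_SINGLE_DH_USE`. It would also help to document on the enum that EMILE_TLSv1 maps to TLSv1_server_method/TLSv1_client_method and therefore appears to pin TLS 1.0 only, while EMILE_SSLv23 is the version-negotiating option.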
 
diff --git a/src/lib/emile/emile_cipher_openssl.c 
b/src/lib/emile/emile_cipher_openssl.c
index b7f03c2..2bbe83f 100644
--- a/src/lib/emile/emile_cipher_openssl.c
+++ b/src/lib/emile/emile_cipher_openssl.c
@@ -294,9 +294,6 @@ emile_cipher_server_listen(Emile_Cipher_Type t)
          SSL_CTX_set_options(r->ssl_ctx,
                              options | SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE);
          break;
-      case EMILE_SSLv3:
-         r->ssl_ctx = SSL_CTX_new(SSLv3_server_method());
-         break;
       case EMILE_TLSv1:
          r->ssl_ctx = SSL_CTX_new(TLSv1_server_method());
          break;
@@ -742,9 +739,6 @@ emile_cipher_server_connect(Emile_Cipher_Type t)
          SSL_CTX_set_options(r->ssl_ctx,
                              options | SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE);
          break;
-      case EMILE_SSLv3:
-         r->ssl_ctx = SSL_CTX_new(SSLv3_client_method());
-         break;
       case EMILE_TLSv1:
          r->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
          break;
diff --git a/src/tests/ecore_con/ecore_con_test_ecore_con.c 
b/src/tests/ecore_con/ecore_con_test_ecore_con.c
index 6618221..249f39e 100644
--- a/src/tests/ecore_con/ecore_con_test_ecore_con.c
+++ b/src/tests/ecore_con/ecore_con_test_ecore_con.c
@@ -410,18 +410,6 @@ START_TEST(ecore_test_ecore_con_remote_nodelay)
 }
 END_TEST
 
-START_TEST(ecore_test_ecore_con_remote_tcp_ssl3)
-{
-   _ecore_con_server_client_tests(ECORE_CON_REMOTE_TCP | ECORE_CON_USE_SSL3, 
"127.0.0.1", EINA_TRUE, 12345);
-}
-END_TEST
-
-START_TEST(ecore_test_ecore_con_remote_tcp_ssl3_load_cert)
-{
-   _ecore_con_server_client_tests(ECORE_CON_REMOTE_TCP | ECORE_CON_USE_SSL3 | 
ECORE_CON_LOAD_CERT, "127.0.0.1", EINA_TRUE, 12345);
-}
-END_TEST
-
 START_TEST(ecore_test_ecore_con_remote_tcp_tls)
 {
    _ecore_con_server_client_tests(ECORE_CON_REMOTE_TCP | ECORE_CON_USE_TLS, 
"127.0.0.1", EINA_TRUE, 12345);
@@ -446,18 +434,6 @@ START_TEST(ecore_test_ecore_con_remote_tcp_mixed_load_cert)
 }
 END_TEST
 
-START_TEST(ecore_test_ecore_con_remote_nodelay_ssl3)
-{
-   _ecore_con_server_client_tests(ECORE_CON_REMOTE_NODELAY | 
ECORE_CON_USE_SSL3, "127.0.0.1", EINA_TRUE, 12345);
-}
-END_TEST
-
-START_TEST(ecore_test_ecore_con_remote_nodelay_ssl3_load_cert)
-{
-   _ecore_con_server_client_tests(ECORE_CON_REMOTE_NODELAY | 
ECORE_CON_USE_SSL3 | ECORE_CON_LOAD_CERT, "127.0.0.1", EINA_TRUE, 12345);
-}
-END_TEST
-
 START_TEST(ecore_test_ecore_con_remote_nodelay_tls)
 {
    _ecore_con_server_client_tests(ECORE_CON_REMOTE_NODELAY | 
ECORE_CON_USE_TLS, "127.0.0.1", EINA_TRUE, 12345);
@@ -595,15 +571,11 @@ void ecore_con_test_ecore_con(TCase *tc)
    tcase_add_test(tc, ecore_test_ecore_con_local_system_negport_fullpath);
    tcase_add_test(tc, ecore_test_ecore_con_local_abstract);
    tcase_add_test(tc, ecore_test_ecore_con_remote_tcp);
-   tcase_add_test(tc, ecore_test_ecore_con_remote_tcp_ssl3);
-   tcase_add_test(tc, ecore_test_ecore_con_remote_tcp_ssl3_load_cert);
    tcase_add_test(tc, ecore_test_ecore_con_remote_tcp_tls);
    tcase_add_test(tc, ecore_test_ecore_con_remote_tcp_tls_load_cert);
    tcase_add_test(tc, ecore_test_ecore_con_remote_tcp_mixed);
    tcase_add_test(tc, ecore_test_ecore_con_remote_tcp_mixed_load_cert);
    tcase_add_test(tc, ecore_test_ecore_con_remote_nodelay);
-   tcase_add_test(tc, ecore_test_ecore_con_remote_nodelay_ssl3);
-   tcase_add_test(tc, ecore_test_ecore_con_remote_nodelay_ssl3_load_cert);
    tcase_add_test(tc, ecore_test_ecore_con_remote_nodelay_tls);
    tcase_add_test(tc, ecore_test_ecore_con_remote_nodelay_tls_load_cert);
    tcase_add_test(tc, ecore_test_ecore_con_remote_nodelay_mixed);
