Sebastian Andrzej Siewior
2017-Aug-26 16:47 UTC
[PATCH] Add support for lower TLS version than default
The openssl library in Debian unstable (targeting Buster) supports TLS1.2 by default. The library itself supports also TLS1.1 and TLS1.0. If the admin decides to also support TLS1.[01] users he can then enable the lower protocol version in case the users can't update their system. Signed-off-by: Sebastian Andrzej Siewior <sebastian at breakpoint.cc> --- src/config/all-settings.c | 1 + src/lib-master/master-service-ssl-settings.c | 2 ++ src/lib-master/master-service-ssl-settings.h | 1 + src/login-common/ssl-proxy-openssl.c | 15 ++++++++++++++- 4 files changed, 18 insertions(+), 1 deletion(-) --- a/src/config/all-settings.c +++ b/src/config/all-settings.c @@ -308,6 +308,7 @@ struct master_service_ssl_settings { const char *ssl_cert_username_field; const char *ssl_crypto_device; const char *ssl_options; + const char *ssl_lowest_version; bool ssl_verify_client_cert; bool ssl_require_crl; --- a/src/lib-master/master-service-ssl-settings.c +++ b/src/lib-master/master-service-ssl-settings.c @@ -26,6 +26,7 @@ static const struct setting_define maste DEF(SET_STR, ssl_protocols), DEF(SET_STR, ssl_cert_username_field), DEF(SET_STR, ssl_crypto_device), + DEF(SET_STR, ssl_lowest_version), DEF(SET_BOOL, ssl_verify_client_cert), DEF(SET_BOOL, ssl_require_crl), DEF(SET_BOOL, verbose_ssl), @@ -54,6 +55,7 @@ static const struct master_service_ssl_s .ssl_protocols = "!SSLv3", #endif .ssl_cert_username_field = "commonName", + .ssl_lowest_version = NULL, .ssl_crypto_device = "", .ssl_verify_client_cert = FALSE, .ssl_require_crl = TRUE, --- a/src/lib-master/master-service-ssl-settings.h +++ b/src/lib-master/master-service-ssl-settings.h @@ -16,6 +16,7 @@ struct master_service_ssl_settings { const char *ssl_cert_username_field; const char *ssl_crypto_device; const char *ssl_options; + const char *ssl_lowest_version; bool ssl_verify_client_cert; bool ssl_require_crl; --- a/src/login-common/ssl-proxy-openssl.c +++ b/src/login-common/ssl-proxy-openssl.c @@ -1302,7 +1302,20 @@ ssl_server_context_init(const struct log if (ctx->prefer_server_ciphers) SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); SSL_CTX_set_options(ssl_ctx, openssl_get_protocol_options(ctx->protocols)); - +#if OPENSSL_VERSION_NUMBER >= 0x10100000 + if (ssl_set->ssl_lowest_version) { + if (!strcmp(ssl_set->ssl_lowest_version, "TLS1.0")) + SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_VERSION); + else if (!strcmp(ssl_set->ssl_lowest_version, "TLS1.1")) + SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_1_VERSION); + else if (!strcmp(ssl_set->ssl_lowest_version, "TLS1.2")) + SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_2_VERSION); + else + i_fatal("TLS min version: '%s' is invalid. Only " + "'TLS1.0' and 'TLS1.1' is supported", + ssl_set->ssl_lowest_version); + } +#endif if (ctx->pri.cert != NULL && *ctx->pri.cert != '\0' && ssl_proxy_ctx_use_certificate_chain(ctx->ctx, ctx->pri.cert) != 1) { i_fatal("Can't load ssl_cert: %s",
Timo Sirainen
2017-Aug-27 06:32 UTC
[PATCH] Add support for lower TLS version than default
On 26 Aug 2017, at 19.47, Sebastian Andrzej Siewior <sebastian at breakpoint.cc> wrote:> > The openssl library in Debian unstable (targeting Buster) supports > TLS1.2 by default. The library itself supports also TLS1.1 and TLS1.0. > If the admin decides to also support TLS1.[01] users he can then enable > the lower protocol version in case the users can't update their system...> DEF(SET_STR, ssl_protocols), > DEF(SET_STR, ssl_cert_username_field), > DEF(SET_STR, ssl_crypto_device), > + DEF(SET_STR, ssl_lowest_version),Does it really require a new setting? Couldn't it use the existing ssl_protocols setting?
On 2017-08-27 09:32, Timo Sirainen wrote:> On 26 Aug 2017, at 19.47, Sebastian Andrzej Siewior <sebastian at breakpoint.cc> wrote: >> The openssl library in Debian unstable (targeting Buster) supports >> TLS1.2 by default. The library itself supports also TLS1.1 and TLS1.0. >> If the admin decides to also support TLS1.[01] users he can then enable >> the lower protocol version in case the users can't update their system. > .. >> DEF(SET_STR, ssl_protocols), >> DEF(SET_STR, ssl_cert_username_field), >> DEF(SET_STR, ssl_crypto_device), >> + DEF(SET_STR, ssl_lowest_version), > Does it really require a new setting? Couldn't it use the existing ssl_protocols setting?I think we should set the min protocol version from ssl_protocols, by looking at the lowest SSL protocol field there. Aki
Sebastian Andrzej Siewior
2017-Aug-27 10:46 UTC
[PATCH] Add support for lower TLS version than default
On 27 August 2017 08:32:06 CEST, Timo Sirainen <tss at iki.fi> wrote:>> DEF(SET_STR, ssl_protocols), >> DEF(SET_STR, ssl_cert_username_field), >> DEF(SET_STR, ssl_crypto_device), >> + DEF(SET_STR, ssl_lowest_version), > >Does it really require a new setting? Couldn't it use the existing >ssl_protocols setting?You need to set a minimal version. SSL_PROTOLS can be set tls1.0 and tls1.2 which avoids tls1.1. Not saying that it is a good thing to do. Also you set it to not do sslv2 and sslv3 which then enables tls1.0+. If you want change its definition to use as a minimal version, be my guest. Or if you plan to scan the string and match for the lowest version then this could work, too. Sebastian
Possibly Parallel Threads
- [PATCH] Add support for lower TLS version than default
- [RFC master-2.2 0/1] Support OpenSSL 1.1 API for setting allowed TLS versions
- [PATCH] Add support for lower TLS version than default
- [PATCH] Add support for lower TLS version than default
- [PATCH] Fix for client certificate validation does not work