Sākums Izpētīt Palīdzība
Reģistrēties Pierakstīties
PSG
/
civetweb
spogulis no https://github.com/civetweb/civetweb.git
5
0
Atdalīts 0
Faili Problēmas 0 Vikivietne
Pārlūkot izejas kodu

Disable SSL renegotiation (for recent OpenSSL versions)

See #737
bel2125 6 gadi atpakaļ
vecāks
f3242b4046
revīzija
5df77ec2f5
2 mainītis faili ar 31 papildinājumiem un 11 dzēšanām
Dalītais skats Rādīt salīdzināšanas statistiku
  1. 4 0
      docs/UserManual.md
  2. 27 11
      src/civetweb.c

+ 4 - 0
docs/UserManual.md
Parādīt failu 

@@ -621,6 +621,10 @@ TLS1.0+TLS1.1+TLS1.2 | 2
 
 TLS1.1+TLS1.2 | 3
 
 TLS1.2 | 4
 
 
+More recent versions of OpenSSL include support for TLS version 1.3. 
+To use TLS1.3 only, set ssl\_protocol\_version to 5.
 
+
 
+
 
 ### ssl\_short\_trust `no`
 
 Enables the use of short lived certificates. This will allow for the certificates
 
 and keys specified in `ssl_certificate`, `ssl_ca_file` and `ssl_ca_path` to be

+ 27 - 11
src/civetweb.c
Parādīt failu 

@@ -1785,17 +1785,20 @@ typedef struct x509 X509;
 
 #define SSL_VERIFY_PEER (1)
 
 #define SSL_VERIFY_FAIL_IF_NO_PEER_CERT (2)
 
 #define SSL_VERIFY_CLIENT_ONCE (4)
 
-#define SSL_OP_ALL ((long)(0x80000BFFUL))
 
-#define SSL_OP_NO_SSLv2 (0x01000000L)
 
-#define SSL_OP_NO_SSLv3 (0x02000000L)
 
-#define SSL_OP_NO_TLSv1 (0x04000000L)
 
-#define SSL_OP_NO_TLSv1_2 (0x08000000L)
 
-#define SSL_OP_NO_TLSv1_1 (0x10000000L)
 
-#define SSL_OP_NO_TLSv1_3 (0x20000000UL)
 
-#define SSL_OP_SINGLE_DH_USE (0x00100000L)
 
-#define SSL_OP_CIPHER_SERVER_PREFERENCE (0x00400000L)
 
-#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (0x00010000L)
 
-#define SSL_OP_NO_COMPRESSION (0x00020000L)
 
+
 
+#define SSL_OP_ALL (0x80000BFFul)
 
+
 
+#define SSL_OP_NO_SSLv2 (0x01000000ul)
 
+#define SSL_OP_NO_SSLv3 (0x02000000ul)
 
+#define SSL_OP_NO_TLSv1 (0x04000000ul)
 
+#define SSL_OP_NO_TLSv1_2 (0x08000000ul)
 
+#define SSL_OP_NO_TLSv1_1 (0x10000000ul)
 
+#define SSL_OP_NO_TLSv1_3 (0x20000000ul)
 
+#define SSL_OP_SINGLE_DH_USE (0x00100000ul)
 
+#define SSL_OP_CIPHER_SERVER_PREFERENCE (0x00400000ul)
 
+#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (0x00010000ul)
 
+#define SSL_OP_NO_COMPRESSION (0x00020000ul)
 
+#define SSL_OP_NO_RENEGOTIATION (0x40000000ul)
 
 
 #define SSL_CB_HANDSHAKE_START (0x10)
 
 #define SSL_CB_HANDSHAKE_DONE (0x20)
 
@@ -15680,8 +15683,10 @@ ssl_get_protocol(int version_id)
 
 		ret |= SSL_OP_NO_TLSv1_1;
 
 	if (version_id > 4)
 
 		ret |= SSL_OP_NO_TLSv1_2;
 
+#if defined(SSL_OP_NO_TLSv1_3)
 
 	if (version_id > 5)
 
 		ret |= SSL_OP_NO_TLSv1_3;
 
+#endif
 
 	return ret;
 
 }
 
 #else
 
@@ -15697,6 +15702,12 @@ ssl_get_protocol(int version_id)
 
 		ret |= SSL_OP_NO_TLSv1;
 
 	if (version_id > 3)
 
 		ret |= SSL_OP_NO_TLSv1_1;
 
+	if (version_id > 4)
 
+		ret |= SSL_OP_NO_TLSv1_2;
 
+#if defined(SSL_OP_NO_TLSv1_3)
 
+	if (version_id > 5)
 
+		ret |= SSL_OP_NO_TLSv1_3;
 
+#endif
 
 	return ret;
 
 }
 
 #endif /* OPENSSL_API_1_1 */
 
@@ -15838,6 +15849,11 @@ init_ssl_ctx_impl(struct mg_context *phys_ctx,
 
 	SSL_CTX_set_options(dom_ctx->ssl_ctx,
 
 	                    SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
 
 	SSL_CTX_set_options(dom_ctx->ssl_ctx, SSL_OP_NO_COMPRESSION);
 
+
 
+#if defined(SSL_OP_NO_RENEGOTIATION)
 
+	SSL_CTX_set_options(dom_ctx->ssl_ctx, SSL_OP_NO_RENEGOTIATION);
 
+#endif
 
+
 
 #if !defined(NO_SSL_DL)
 
 	SSL_CTX_set_ecdh_auto(dom_ctx->ssl_ctx, 1);
 
 #endif /* NO_SSL_DL */