Disable SSLv3 by default, but provide a new setting "ssl-enable-v3" to enable it.
Commit
9f1f3f34095397183f2b0c278001341c573d73ca
Parent
47a9d3899a69b2c…
2 files changed
+4
+4
-2
M
src/db.c
+4
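--- a/src/db.c
+++ b/src/db.c
@@ -2326,10 +2326,11 @@
 { "relative-paths", 0, 0, 0, 0, "on" },
 { "repo-cksum", 0, 0, 0, 0, "on" },
 { "self-register", 0, 0, 0, 0, "off" },
 { "ssh-command", 0, 40, 0, 0, "" },
 { "ssl-ca-location", 0, 40, 0, 0, "" },
+{ "ssl-enable-v3", 0, 0, 0, 0, "off" },
 { "ssl-identity", 0, 40, 0, 0, "" },
 #ifdef FOSSIL_ENABLE_TCL
 { "tcl", 0, 0, 0, 0, "off" },
 { "tcl-setup", 0, 40, 1, 1, "" },
 #endif
@@ -2528,10 +2529,13 @@
 ** OpenSSL CAs. If unset, the default list will be used.
 ** Some platforms may add additional certificates.
 ** Check your platform behaviour is as required if the
 ** exact contents of the CA root is critical for your
 ** application.
+**
+** ssl-enable-v3 If enabled, allow the SSLv3 protocol to be used.
+** Default: off
 **
 ** ssl-identity The full pathname to a file containing a certificate
 ** and private key in PEM format. Create by concatenating
 ** the certificate and private key files.
 ** This identity will be presented to SSL servers to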
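Review bot: The new `ssl-enable-v3` entry in the settings help comment (second hunk) says what the setting does but not why it defaults to off, so a user who flips it on is not told what they are trading away. Since this commit exists precisely to stop negotiating SSLv3, the entry should carry the reason, e.g. `** ssl-enable-v3 If enabled, allow the obsolete SSLv3 protocol to be used when connecting to a server. Leave off unless a legacy server requires it. Default: off`. It would also help to state that the setting is read once when the client SSL context is created (in ssl_global_init in http_ssl.c), so changing it has no effect on an already-initialised process; that appears to be how the http_ssl.c hunk uses it, but confirm against the rest of that function.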
+4
-2
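--- a/src/http_ssl.c
+++ b/src/http_ssl.c
@@ -92,19 +92,21 @@
 ** This routine does initial configuration of the SSL module.
 */
 void ssl_global_init(void){
 const char *zCaSetting = 0, *zCaFile = 0, *zCaDirectory = 0;
 const char *identityFile;
+int sslDisableFlags = SSL_OP_NO_SSLv2;
 
 if( sslIsInit==0 ){
 SSL_library_init();
 SSL_load_error_strings();
 ERR_load_BIO_strings();
 OpenSSL_add_all_algorithms();
 sslCtx = SSL_CTX_new(SSLv23_client_method());
-/* Disable SSLv2 */
-SSL_CTX_set_options(sslCtx, SSL_OP_NO_SSLv2);
+/* Disable SSLv2 and (optionally) SSLv3 */
+if (!db_get_boolean("ssl-enable-v3", 0)) sslDisableFlags |= SSL_OP_NO_SSLv3;
+SSL_CTX_set_options(sslCtx, sslDisableFlags);
 
 /* Set up acceptable CA root certificates */
 zCaSetting = db_get("ssl-ca-location", 0);
 if( zCaSetting==0 || zCaSetting[0]=='\0' ){
 /* CA location not specified, use platform's default certificate store */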
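Review bot: `int sslDisableFlags = SSL_OP_NO_SSLv2;` at the top of ssl_global_init is narrower than the options parameter of SSL_CTX_set_options, which takes a `long` in the OpenSSL releases this code targets (the SSL_OP_* constants are long literals), so the mask should be declared as `long sslDisableFlags = SSL_OP_NO_SSLv2;` to be passed without an implicit conversion. The new single-line `if (!db_get_boolean("ssl-enable-v3", 0)) sslDisableFlags |= SSL_OP_NO_SSLv3;` also departs from the brace style the surrounding lines use (`if( ... ){` with a braced body, as on `if( sslIsInit==0 ){`); writing it as `if( !db_get_boolean("ssl-enable-v3", 0) ){` / `sslDisableFlags |= SSL_OP_NO_SSLv3;` / `}` keeps the file consistent and avoids the unbraced-body hazard. The comment `/* Disable SSLv2 and (optionally) SSLv3 */` would read better as `/* Always disable SSLv2; disable SSLv3 unless the ssl-enable-v3 setting is on */`, since "optionally" does not say which way the default goes. ssl_global_init continues past the end of the hunk.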