1bba186b2d
With this patch, the stunnel built-in defaults for sslVersionMin and sslVersionMax no longer override the default versions defined in the OpenSSL crypto policies.
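--- a/stunnel-5.56/src/prototypes.h.default-tls-version
+++ b/stunnel-5.56/src/prototypes.h
@@ -897,6 +897,9 @@ ICON_IMAGE load_icon_default(ICON_TYPE);
 ICON_IMAGE load_icon_file(const char *);
 #endif
 
+#define USE_DEFAULT_TLS_VERSION ((long unsigned)-2) /* Use defaults in OpenSSL
+ crypto policies */
+
 #endif /* defined PROTOTYPES_H */
 
 /* end of prototypes.h */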
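Review bot: The sentinel is typed `long unsigned` while `SSL_CTX_set_min_proto_version()`/`SSL_CTX_set_max_proto_version()` take an `int`, and the `0x%X` format in the ctx.c log calls suggests `min_proto_version`/`max_proto_version` are `int` fields; storing `((long unsigned)-2)` in an `int` and comparing it back with `==` relies on implementation-defined narrowing plus the usual arithmetic conversions (it works on two's-complement targets but trips `-Wsign-compare`/`-Wconversion`). Defining it with the field's type, `#define USE_DEFAULT_TLS_VERSION (-2) /* sentinel: leave the bound to the OpenSSL/system crypto policy */`, matches both the field and the API. The header comment should also say why the value is safe as a sentinel: real version constants such as `TLS1_VERSION` (0x0301) are positive and `0` already means "no bound", so `-2` can never collide with a configured version.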
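--- a/stunnel-5.56/src/options.c.default-tls-version
+++ b/stunnel-5.56/src/options.c
@@ -3142,7 +3142,10 @@ NOEXPORT char *parse_service_option(CMD
 /* sslVersionMax */
 switch(cmd) {
 case CMD_SET_DEFAULTS:
- section->max_proto_version=0; /* highest supported */
+ section->max_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+ OpenSSL crypto
+ policies.Do not
+ override it */
 break;
 case CMD_SET_COPY:
 section->max_proto_version=new_service_options.max_proto_version;
@@ -3173,7 +3176,10 @@ NOEXPORT char *parse_service_option(CMD
 /* sslVersionMin */
 switch(cmd) {
 case CMD_SET_DEFAULTS:
- section->min_proto_version=TLS1_VERSION;
+ section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* use defaults in
+ OpenSSL crypto
+ policies. Do not
+ override it */
 break;
 case CMD_SET_COPY:
 section->min_proto_version=new_service_options.min_proto_version;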
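Review bot: Both hunks change only the `CMD_SET_DEFAULTS` case, and `parse_service_option()` starts and ends outside them; the same switch statements normally also carry a `CMD_PRINT_DEFAULTS` branch that reports the built-in default to the user, so if that branch still prints the old fixed values (highest supported for sslVersionMax, TLSv1 for sslVersionMin) it should now say that the bound is taken from the OpenSSL crypto policy, and the stunnel.8 description of these two options needs the same update. As a matter of style, the four-line wrapped comments could be one line per assignment, e.g. `section->min_proto_version=USE_DEFAULT_TLS_VERSION; /* leave it to the OpenSSL crypto policy */`, and `policies.Do not` in the sslVersionMax hunk is missing a space.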
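--- a/stunnel-5.56/src/ctx.c.default-tls-version
+++ b/stunnel-5.56/src/ctx.c
@@ -143,17 +143,29 @@ int context_init(SERVICE_OPTIONS *sectio
 section->ctx=SSL_CTX_new(TLS_client_method());
 else /* server mode */
 section->ctx=SSL_CTX_new(TLS_server_method());
- if(!SSL_CTX_set_min_proto_version(section->ctx,
- section->min_proto_version)) {
- s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
- section->min_proto_version);
- return 1; /* FAILED */
+
+ if (section->min_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
+ OpenSSL crypto policies. Not setting explicitly.");
+ } else {
+ if(!SSL_CTX_set_min_proto_version(section->ctx,
+ section->min_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the minimum protocol version 0x%X",
+ section->min_proto_version);
+ return 1; /* FAILED */
+ }
 }
- if(!SSL_CTX_set_max_proto_version(section->ctx,
- section->max_proto_version)) {
- s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
- section->max_proto_version);
- return 1; /* FAILED */
+
+ if (section->max_proto_version == USE_DEFAULT_TLS_VERSION) {
+ s_log(LOG_INFO, "Using the default TLS version as specified in \
+ OpenSSL crypto policies. Not setting explicitly");
+ } else {
+ if(!SSL_CTX_set_max_proto_version(section->ctx,
+ section->max_proto_version)) {
+ s_log(LOG_ERR, "Failed to set the maximum protocol version 0x%X",
+ section->max_proto_version);
+ return 1; /* FAILED */
+ }
 }
 #else /* OPENSSL_VERSION_NUMBER<0x10100000L */
 if(section->option.client)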
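Review bot: The new `s_log(LOG_INFO, "Using the default TLS version as specified in \` calls split the string literal with a backslash-newline, so any indentation in front of `OpenSSL crypto policies` on the continuation line becomes part of the logged text (the surrounding code is indented, as the `section->min_proto_version)` continuation lines show); use adjacent-literal concatenation instead, `s_log(LOG_INFO, "Not setting the minimum TLS version explicitly: "` / `"using the OpenSSL crypto policy default");`, and the same with `maximum` in the second block, which also makes the two messages distinguishable and fixes the missing period in the max-version text. Leaving a bound unset means the effective floor is now whatever the linked OpenSSL provides (its `MinProtocol`/`MaxProtocol` configuration or compiled-in default), so on a system without crypto-policies the minimum silently drops from `TLS1_VERSION` to the library's lowest supported version; that trade-off deserves a one-line comment above the `if`. The `#else` branch for OpenSSL < 1.1.0 that begins at the hunk's last lines is untouched; if it derives protocol options from `min_proto_version`/`max_proto_version`, it would now receive the sentinel, which should be checked outside this hunk.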