When creating a TLS socket, both spice-server and spice-gtk currently call SSL_CTX_new(TLSv1_method()). The TLSv1_method() function sets the protocol version to TLS 1.0 exclusively. The correct way to support multiple protocol versions is to call SSLv23_method() in spite of its scary name. This method will enable all protocol versions deemed secure by the openssl project. The protocol suite may be further narrowed down by setting the respective SSL_OP_NO_<version_code> options of the SSL context. This possibility is used in this patch in order to block the use of SSLv3, which is enabled by default in openssl as of now but which spice has never used. --- gtk/spice-channel.c | 13 ++++++++++++- 1 files changed, 12 insertions(+), 1 deletions(-) diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c index e4683f8..2e38196 100644 --- a/gtk/spice-channel.c +++ b/gtk/spice-channel.c @@ -2215,6 +2215,15 @@ static void *spice_channel_coroutine(void *data) int rc, delay_val = 1; gboolean switch_tls = FALSE; gboolean switch_protocol = FALSE; + /* When some other SSL/TLS version becomes obsolete, add it to this + * variable. + * + * Note that SSLv23_method() even with no SSL_OP_NO_* options uses + * just protocol versions deemed secure by openssl project so the + * SSL_OP_NO_SSLv2 is already redundant and SSL_OP_NO_SSLv3 option is + * present just in order to allow only currently-availabe version or + * better. */ + long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; CHANNEL_DEBUG(channel, "Started background coroutine %p", &c->coroutine); 
@@ -2254,13 +2263,15 @@ reconnect: c->has_error = FALSE; if (c->tls) { - c->ctx = SSL_CTX_new(TLSv1_method()); + c->ctx = SSL_CTX_new(SSLv23_method()); if (c->ctx == NULL) { g_critical("SSL_CTX_new failed"); emit_main_context(channel, SPICE_CHANNEL_EVENT, SPICE_CHANNEL_ERROR_TLS); goto cleanup; } + SSL_CTX_set_options(c->ctx, ssl_options); + verify = spice_session_get_verify(c->session); if (verify & (SPICE_SESSION_VERIFY_SUBJECT | SPICE_SESSION_VERIFY_HOSTNAME)) { -- David Jaša, RHCE SPICE QE based in Brno GPG Key: 22C33E24 Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
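Review bot: In the first hunk (@@ -2215,6 +2215,15 @@), ssl_options is declared as a plain mutable `long` although the lines shown only initialize it and pass it to SSL_CTX_set_options(); declaring it `const long`, or hoisting it to a file-level #define, would make it clear that this is a fixed policy mask. The comment above it has a typo ("currently-availabe") and its last clause is hard to parse; it would read better if it said directly that SSL_OP_NO_SSLv3 is set so that TLS 1.0 stays the minimum version, which is what the old TLSv1_method() call enforced.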
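Review bot: In the second hunk (@@ -2254,13 +2263,15 @@), the return value of SSL_CTX_set_options(c->ctx, ssl_options) is discarded. The call returns the resulting option bitmask, so logging it with CHANNEL_DEBUG or checking that both SSL_OP_NO_* bits are present would confirm that the restriction took effect on this context. Separately, the commit message says both spice-server and spice-gtk call SSL_CTX_new(TLSv1_method()), but the diffstat touches only gtk/spice-channel.c; the message should say that the server side is handled in a separate patch, or the server change should be included here.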