Daniel P. Berrange wrote on Wed, 27 Nov 2013 at 16:27 +0000:
> On Wed, Nov 27, 2013 at 05:23:53PM +0100, David Jaša wrote:
> > When creating a TLS socket, both spice-server and spice-gtk currently
> > call SSL_CTX_new(TLSv1_method()). The TLSv1_method() function sets the
> > protocol version to TLS 1.0 exclusively. The correct way to support
> > multiple protocol versions is to call SSLv23_method() in spite of its
> > scary name. This method will enable all protocol versions deemed secure
> > by openssl project. The protocol suite may be further narrowed down by
> > setting respective SSL_OP_NO_<version_code> options of SSL context. This
> > possibility is used in this patch in order to block use of SSLv3 that is
> > enabled by default in openssl as of now but spice has never used it.
> > --- > > server/reds.c | 10 +++++++++- > > 1 files changed, 9 insertions(+), 1 deletions(-) > > > > diff --git a/server/reds.c b/server/reds.c > > index 2a0002b..263843f 100644 > > --- a/server/reds.c > > +++ b/server/reds.c > > @@ -3221,6 +3221,14 @@ static int reds_init_ssl(void) > > SSL_METHOD *ssl_method; > > #endif > > int return_code; > > + /* When some other SSL/TLS version becomes obsolete, add it to this > > + * variable. > > + * > > + * Note that SSLv23_method() even with no SSL_OP_NO_* options uses > > + * just protocol versions deemed secure by openssl project so the > > + * SSL_OP_NO_SSLv2 is already redundant and SSL_OP_NO_SSLv3 option is > > + * present just in order to allow only currently-availabe version or > > + * better. */ > > long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; > > > > /* Global system initialization*/
> > @@ -3228,7 +3236,7 @@ static int reds_init_ssl(void) > > SSL_load_error_strings(); > > > > /* Create our context*/ > > - ssl_method = TLSv1_method(); > > + ssl_method = ssl_method = SSLv23_method();
>
> You're setting the same variable twice.
>
> Daniel

Thanks, I've sent v2 with this error fixed.

David

-- 
David Jaša, RHCE
SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
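
Review bot: The comment added in the @@ -3221,6 +3221,14 @@ hunk of reds_init_ssl() contains a typo ("currently-availabe") and is harder to follow than it needs to be. It first says SSLv23_method() uses only versions deemed secure, then separately justifies SSL_OP_NO_SSLv3. Suggest stating the outcome directly, for example that with SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 set, only TLS 1.0 or newer can be negotiated. Note also that "long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;" is an unchanged context line, so this hunk adds only the comment and the option mask itself was already in the file.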
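
Review bot: The added line in the @@ -3228,7 +3236,7 @@ hunk assigns the variable twice ("ssl_method = ssl_method = SSLv23_method();"); it should read "ssl_method = SSLv23_method();". Because SSLv23_method() leaves the protocol version open to negotiation, blocking SSLv3 now depends entirely on ssl_options being applied to the context with SSL_CTX_set_options(). That call is outside the lines shown here, so it is worth confirming that it is made on the context created from this method.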