NetBSD Problem Report #55830
From www@netbsd.org Sat Nov 28 06:40:07 2020
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id D64AC1A921F
for <gnats-bugs@gnats.NetBSD.org>; Sat, 28 Nov 2020 06:40:07 +0000 (UTC)
Message-Id: <20201128064006.979E41A923F@mollari.NetBSD.org>
Date: Sat, 28 Nov 2020 06:40:06 +0000 (UTC)
From: sunil@nimmagadda.net
Reply-To: sunil@nimmagadda.net
To: gnats-bugs@NetBSD.org
Subject: bozohttpd(8): Make SSL protocol version selection a runtime option.
X-Send-Pr-Version: www-1.0
>Number: 55830
>Category: bin
>Synopsis: bozohttpd(8): Make SSL protocol version selection a runtime option.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Nov 28 06:45:00 +0000 2020
>Closed-Date: Tue Aug 24 09:54:40 +0000 2021
>Last-Modified: Tue Aug 24 09:54:40 +0000 2021
>Originator: Sunil Nimmagadda
>Release: netbsd-current
>Organization:
>Environment:
NetBSD x230.nimmagadda.net 9.99.75 NetBSD 9.99.75 (GENERIC) #0: Mon Nov 16 19:02:54 IST 2020 skn@x230.nimmagadda.net:/home/skn/obj/home/skn/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
The attached diff enables to set TLS version at runtime. Prior discussion thread on current-users here http://mail-index.netbsd.org/current-users/2020/10/22/msg039734.html
Raising a PR on mrg@'s request.
>How-To-Repeat:
>Fix:
diff --git a/libexec/httpd/bozohttpd.8 b/libexec/httpd/bozohttpd.8
--- a/libexec/httpd/bozohttpd.8
+++ b/libexec/httpd/bozohttpd.8
@@ -39,6 +39,7 @@
.Op Fl I Ar port
.Op Fl L Ar prefix script
.Op Fl M Ar suffix type encoding encoding11
+.Op Fl m Ar version
.Op Fl P Ar pidfile
.Op Fl R Ar readme
.Op Fl S Ar version
@@ -221,6 +222,18 @@
Multiple
.Fl M
options may be passed.
+.It Fl m Ar version
+Set the minimum supported SSL protocol
+.Ar version .
+The valid values of
+.Ar version
+are
+.Dq TLSv1.1 ,
+.Dq TLSv1.2 ,
+and
+.Dq TLSv1.3 .
+The default version is
+.Dq TLSv1.1 .
.It Fl n
Stops
.Nm
diff --git a/libexec/httpd/bozohttpd.h b/libexec/httpd/bozohttpd.h
--- a/libexec/httpd/bozohttpd.h
+++ b/libexec/httpd/bozohttpd.h
@@ -313,6 +313,7 @@
#ifdef NO_SSL_SUPPORT
#define bozo_ssl_set_opts(w, x, y) bozo_noop
#define bozo_ssl_set_ciphers(w, x) bozo_noop
+#define bozo_ssl_set_min_proto(x) bozo_noop
#define bozo_ssl_init(x) bozo_noop
#define bozo_ssl_accept(x) (0)
#define bozo_ssl_shutdown(x) bozo_noop
@@ -321,6 +322,7 @@
#else
void bozo_ssl_set_opts(bozohttpd_t *, const char *, const char *);
void bozo_ssl_set_ciphers(bozohttpd_t *, const char *);
+void bozo_ssl_set_min_proto(bozohttpd_t *, const char *);
void bozo_ssl_init(bozohttpd_t *);
int bozo_ssl_accept(bozohttpd_t *);
void bozo_ssl_shutdown(bozohttpd_t *);
diff --git a/libexec/httpd/main.c b/libexec/httpd/main.c
--- a/libexec/httpd/main.c
+++ b/libexec/httpd/main.c
@@ -165,7 +165,7 @@
*/
while ((c = getopt(argc, argv,
- "C:EGHI:L:M:P:R:S:T:U:VXZ:bc:defhi:np:st:uv:x:z:")) != -1) {
+ "C:EGHI:L:M:m:P:R:S:T:U:VXZ:bc:defhi:np:st:uv:x:z:")) != -1) {
switch (c) {
case 'b':
@@ -283,6 +283,13 @@
optind += 3;
break;
+ case 'm':
+ if (!have_ssl)
+ goto no_ssl;
+
+ bozo_ssl_set_min_proto(&httpd, optarg);
+ break;
+
case 'n':
bozo_set_pref(&httpd, &prefs, "numeric", "true");
break;
diff --git a/libexec/httpd/ssl-bozo.c b/libexec/httpd/ssl-bozo.c
--- a/libexec/httpd/ssl-bozo.c
+++ b/libexec/httpd/ssl-bozo.c
@@ -61,13 +61,6 @@
"!KRB5-DES-CBC3-SHA"
#endif
-#ifndef BOZO_SSL_OPTIONS
-#define BOZO_SSL_OPTIONS \
- ((long)(SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1))
-#endif
-
- /* this structure encapsulates the ssl info */
-
/* this structure encapsulates the ssl info */
typedef struct sslinfo_t {
SSL_CTX *ssl_context;
@@ -76,6 +69,7 @@
char *certificate_file;
char *privatekey_file;
char *ciphers;
+ char *min_proto_version;
} sslinfo_t;
/*
@@ -204,11 +198,26 @@
return (ssize_t)ret;
}
+static int
+bozo_ssl_version(const char *version)
+{
+
+ if (strcmp(version, "TLSv1.1") == 0)
+ return TLS1_1_VERSION;
+
+ if (strcmp(version, "TLSv1.2") == 0)
+ return TLS1_2_VERSION;
+
+ if (strcmp(version, "TLSv1.3") == 0)
+ return TLS1_3_VERSION;
+
+ return -1;
+}
void
bozo_ssl_init(bozohttpd_t *httpd)
{
sslinfo_t *sslinfo = httpd->sslinfo;
- long options;
+ int proto;
if (sslinfo == NULL || !sslinfo->certificate_file)
return;
@@ -222,12 +231,13 @@
bozo_ssl_err(httpd, EXIT_FAILURE,
"SSL context creation failed");
- options = SSL_CTX_set_options(sslinfo->ssl_context,
- BOZO_SSL_OPTIONS);
- if ((options & BOZO_SSL_OPTIONS) != BOZO_SSL_OPTIONS)
+ proto = sslinfo->min_proto_version ?
+ bozo_ssl_version(sslinfo->min_proto_version) : TLS1_1_VERSION;
+
+ if (!SSL_CTX_set_min_proto_version(sslinfo->ssl_context, proto))
bozo_ssl_err(httpd, EXIT_FAILURE,
- "Error setting ssl options requested %#lx, got %#lx",
- BOZO_SSL_OPTIONS, options);
+ "Error setting minimum protocol version '%s'",
+ sslinfo->min_proto_version);
if (!SSL_CTX_set_cipher_list(sslinfo->ssl_context,
sslinfo->ciphers ? sslinfo->ciphers : BOZO_SSL_CIPHERS))
@@ -340,6 +350,15 @@
debug((httpd, DEBUG_NORMAL, "using ciphers: %s", sslinfo->ciphers));
}
+void
+bozo_ssl_set_min_proto(bozohttpd_t *httpd, const char *version)
+{
+ sslinfo_t *sslinfo = bozo_get_sslinfo(httpd);
+
+ sslinfo->min_proto_version = bozostrdup(httpd, NULL, version);
+ debug((httpd, DEBUG_NORMAL,
+ "using minimum protocol version: %s", version));
+}
#endif /* NO_SSL_SUPPORT */
/*
>Release-Note:
>Audit-Trail:
From: "matthew green" <mrg@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/55830 CVS commit: src/libexec/httpd
Date: Tue, 24 Aug 2021 09:47:37 +0000
Module Name: src
Committed By: mrg
Date: Tue Aug 24 09:47:36 UTC 2021
Modified Files:
src/libexec/httpd: CHANGES bozohttpd.8 bozohttpd.c bozohttpd.h main.c
ssl-bozo.c
Log Message:
implement tls minimum version setting.
mostly from sunil@nimmagadda.net in PR#55830, though i moved the
member into the main http structure, so that it doesn't trigger
sslinfo being allocated via command line without the rest of the
ssl being setup (which then leads to crashes.)
To generate a diff of this commit:
cvs rdiff -u -r1.49 -r1.50 src/libexec/httpd/CHANGES
cvs rdiff -u -r1.88 -r1.89 src/libexec/httpd/bozohttpd.8
cvs rdiff -u -r1.135 -r1.136 src/libexec/httpd/bozohttpd.c
cvs rdiff -u -r1.69 -r1.70 src/libexec/httpd/bozohttpd.h
cvs rdiff -u -r1.28 -r1.29 src/libexec/httpd/main.c
cvs rdiff -u -r1.29 -r1.30 src/libexec/httpd/ssl-bozo.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: mrg@NetBSD.org
State-Changed-When: Tue, 24 Aug 2021 09:54:40 +0000
State-Changed-Why:
feature commited.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.46 2020/01/03 16:35:01 leot Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2020
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.