Re: bozohttpd(8): Make SSL protocol version selection a runtime option.
matthew green <mrg%eterna.com.au@localhost> wrote:
> hi Sunil,
>
>
> thanks for the patch. i meant to reply earlier.
>
> can you explain why you want to enable the old ssl/tls
> variants that we know are insecure?
The initial version was meant to carry over, as a runtime option, the compatibility settings that the compile-time BOZO_SSL_OPTIONS used to provide. However, the default minimum version remains TLSv1.1 in both cases.
This new diff drops the SSL/TLS versions older than the default (TLSv1.1) from the accepted values. Is this reasonable?
>
> i don't know that i want to have an option to enable
> them without a special compile, but i'm willing to be
> convinced.
I prefer secure defaults too; if someone really wants to downgrade, they can change the version in the code and recompile.
diff --git a/libexec/httpd/bozohttpd.8 b/libexec/httpd/bozohttpd.8
--- a/libexec/httpd/bozohttpd.8
+++ b/libexec/httpd/bozohttpd.8
@@ -39,6 +39,7 @@
.Op Fl I Ar port
.Op Fl L Ar prefix script
.Op Fl M Ar suffix type encoding encoding11
+.Op Fl m Ar version
.Op Fl P Ar pidfile
.Op Fl R Ar readme
.Op Fl S Ar version
@@ -221,6 +222,18 @@
Multiple
.Fl M
options may be passed.
+.It Fl m Ar version
+Set the minimum supported SSL protocol
+.Ar version .
+The valid values of
+.Ar version
+are
+.Dq TLSv1.1 ,
+.Dq TLSv1.2 ,
+and
+.Dq TLSv1.3 .
+The default version is
+.Dq TLSv1.1 .
.It Fl n
Stops
.Nm
diff --git a/libexec/httpd/bozohttpd.h b/libexec/httpd/bozohttpd.h
--- a/libexec/httpd/bozohttpd.h
+++ b/libexec/httpd/bozohttpd.h
@@ -313,6 +313,7 @@
#ifdef NO_SSL_SUPPORT
#define bozo_ssl_set_opts(w, x, y) bozo_noop
#define bozo_ssl_set_ciphers(w, x) bozo_noop
+#define bozo_ssl_set_min_proto(x) bozo_noop
#define bozo_ssl_init(x) bozo_noop
#define bozo_ssl_accept(x) (0)
#define bozo_ssl_shutdown(x) bozo_noop
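Review bot: The NO_SSL_SUPPORT stub `bozo_ssl_set_min_proto(x)` takes one parameter, but the real function is declared with two (`bozohttpd_t *, const char *`) and main.c calls it as `bozo_ssl_set_min_proto(&httpd, optarg)`, so a build with NO_SSL_SUPPORT defined would fail on the macro's argument count. The neighbouring `bozo_ssl_set_ciphers(w, x)` stub shows the intended shape; this should read `#define bozo_ssl_set_min_proto(w, x) bozo_noop`.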
@@ -321,6 +322,7 @@
#else
void bozo_ssl_set_opts(bozohttpd_t *, const char *, const char *);
void bozo_ssl_set_ciphers(bozohttpd_t *, const char *);
+void bozo_ssl_set_min_proto(bozohttpd_t *, const char *);
void bozo_ssl_init(bozohttpd_t *);
int bozo_ssl_accept(bozohttpd_t *);
void bozo_ssl_shutdown(bozohttpd_t *);
diff --git a/libexec/httpd/main.c b/libexec/httpd/main.c
--- a/libexec/httpd/main.c
+++ b/libexec/httpd/main.c
@@ -165,7 +165,7 @@
*/
while ((c = getopt(argc, argv,
- "C:EGHI:L:M:P:R:S:T:U:VXZ:bc:defhi:np:st:uv:x:z:")) != -1) {
+ "C:EGHI:L:M:m:P:R:S:T:U:VXZ:bc:defhi:np:st:uv:x:z:")) != -1) {
switch (c) {
case 'b':
@@ -283,6 +283,13 @@
optind += 3;
break;
+ case 'm':
+ if (!have_ssl)
+ goto no_ssl;
+
+ bozo_ssl_set_min_proto(&httpd, optarg);
+ break;
+
case 'n':
bozo_set_pref(&httpd, &prefs, "numeric", "true");
break;
diff --git a/libexec/httpd/ssl-bozo.c b/libexec/httpd/ssl-bozo.c
--- a/libexec/httpd/ssl-bozo.c
+++ b/libexec/httpd/ssl-bozo.c
@@ -61,13 +61,6 @@
"!KRB5-DES-CBC3-SHA"
#endif
-#ifndef BOZO_SSL_OPTIONS
-#define BOZO_SSL_OPTIONS \
- ((long)(SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1))
-#endif
-
- /* this structure encapsulates the ssl info */
-
/* this structure encapsulates the ssl info */
typedef struct sslinfo_t {
SSL_CTX *ssl_context;
@@ -76,6 +69,7 @@
char *certificate_file;
char *privatekey_file;
char *ciphers;
+ char *min_proto_version;
} sslinfo_t;
/*
@@ -204,11 +198,26 @@
return (ssize_t)ret;
}
+static int
+bozo_ssl_version(const char *version)
+{
+
+ if (strcmp(version, "TLSv1.1") == 0)
+ return TLS1_1_VERSION;
+
+ if (strcmp(version, "TLSv1.2") == 0)
+ return TLS1_2_VERSION;
+
+ if (strcmp(version, "TLSv1.3") == 0)
+ return TLS1_3_VERSION;
+
+ return -1;
+}
void
bozo_ssl_init(bozohttpd_t *httpd)
{
sslinfo_t *sslinfo = httpd->sslinfo;
- long options;
+ int proto;
if (sslinfo == NULL || !sslinfo->certificate_file)
return;
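Review bot: `TLS1_3_VERSION` on the TLSv1.3 branch of `bozo_ssl_version` is only defined by OpenSSL 1.1.1 and later; if bozohttpd is still built against an older libssl this hunk will not compile, so either guard that branch with `#ifdef TLS1_3_VERSION` or document the minimum OpenSSL version the option needs. The helper also deserves a one-line comment, e.g. `/* map a -m option name to an OpenSSL TLS1_x_VERSION constant, or -1 if unknown */`. bozo_ssl_init's body continues past the end of this hunk.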
@@ -222,12 +231,13 @@
bozo_ssl_err(httpd, EXIT_FAILURE,
"SSL context creation failed");
- options = SSL_CTX_set_options(sslinfo->ssl_context,
- BOZO_SSL_OPTIONS);
- if ((options & BOZO_SSL_OPTIONS) != BOZO_SSL_OPTIONS)
+ proto = sslinfo->min_proto_version ?
+ bozo_ssl_version(sslinfo->min_proto_version) : TLS1_1_VERSION;
+
+ if (!SSL_CTX_set_min_proto_version(sslinfo->ssl_context, proto))
bozo_ssl_err(httpd, EXIT_FAILURE,
- "Error setting ssl options requested %#lx, got %#lx",
- BOZO_SSL_OPTIONS, options);
+ "Error setting minimum protocol version '%s'",
+ sslinfo->min_proto_version);
if (!SSL_CTX_set_cipher_list(sslinfo->ssl_context,
sslinfo->ciphers ? sslinfo->ciphers : BOZO_SSL_CIPHERS))
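Review bot: The failure path of `SSL_CTX_set_min_proto_version` formats `sslinfo->min_proto_version` with `%s`, but that pointer is NULL whenever `-m` was not given (the `proto = ... ? ... : TLS1_1_VERSION` line), so a failure in the default configuration would pass NULL to `%s`. An unrecognised `-m` value also reaches OpenSSL as `proto == -1` and is reported as an SSL-layer error rather than as a bad option name; rejecting `proto < 0` first gives a precise message and keeps the `%s` argument non-NULL. Separately, TLS 1.1 is deprecated by RFC 8996, so TLSv1.2 would be the more defensible default here and in the manual page. bozo_ssl_init starts before this hunk and continues after it.
```c
	proto = sslinfo->min_proto_version ?
	    bozo_ssl_version(sslinfo->min_proto_version) : TLS1_1_VERSION;

	/* reject unknown names before handing them to OpenSSL */
	if (proto < 0)
		bozo_ssl_err(httpd, EXIT_FAILURE,
		    "unknown minimum protocol version '%s'",
		    sslinfo->min_proto_version);

	if (!SSL_CTX_set_min_proto_version(sslinfo->ssl_context, proto))
		bozo_ssl_err(httpd, EXIT_FAILURE,
		    "Error setting minimum protocol version '%s'",
		    sslinfo->min_proto_version ?
		    sslinfo->min_proto_version : "TLSv1.1");

	/* … unchanged: cipher list setup … */
```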
@@ -340,6 +350,15 @@
debug((httpd, DEBUG_NORMAL, "using ciphers: %s", sslinfo->ciphers));
}
+void
+bozo_ssl_set_min_proto(bozohttpd_t *httpd, const char *version)
+{
+ sslinfo_t *sslinfo = bozo_get_sslinfo(httpd);
+
+ sslinfo->min_proto_version = bozostrdup(httpd, NULL, version);
+ debug((httpd, DEBUG_NORMAL,
+ "using minimum protocol version: %s", version));
+}
#endif /* NO_SSL_SUPPORT */
/*
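Review bot: `bozo_ssl_set_min_proto` stores whatever string `-m` carried without checking it, so a typo such as `-m TLSv1.4` is only diagnosed later in `bozo_ssl_init`; validating here with `if (bozo_ssl_version(version) < 0)` and failing through the file's fatal error reporter gives the user the error at option-parsing time, alongside the other option errors. Giving `-m` twice also overwrites the previous `bozostrdup` result without freeing it, which a `free(sslinfo->min_proto_version);` before the assignment would avoid (if the `ciphers` setter above has the same pattern that is pre-existing and may be left alone). The function should also carry a short comment, e.g. `/* record the -m argument; it is applied to the SSL_CTX in bozo_ssl_init() */`.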