

[src/trunk]: src/libexec/httpd implement tls minimum version setting.



details:   https://anonhg.NetBSD.org/src/rev/d3ddb91ec902
branches:  trunk
changeset: 985430:d3ddb91ec902
user:      mrg <mrg%NetBSD.org@localhost>
date:      Tue Aug 24 09:47:36 2021 +0000

description:
implement tls minimum version setting.

mostly from sunil%nimmagadda.net@localhost in PR#55830, though i moved the
member into the main http structure, so that it doesn't trigger
sslinfo being allocated via the command line without the rest of the
ssl being set up (which then leads to crashes).

diffstat:

 libexec/httpd/CHANGES     |   6 ++++-
 libexec/httpd/bozohttpd.8 |  24 +++++++++++++++++---
 libexec/httpd/bozohttpd.c |   4 +-
 libexec/httpd/bozohttpd.h |   3 +-
 libexec/httpd/main.c      |  13 +++++++++-
 libexec/httpd/ssl-bozo.c  |  55 +++++++++++++++++++++++++++++++++++-----------
 6 files changed, 81 insertions(+), 24 deletions(-)

diffs (246 lines):

diff -r a2f58ac93a19 -r d3ddb91ec902 libexec/httpd/CHANGES
--- a/libexec/httpd/CHANGES     Tue Aug 24 08:39:50 2021 +0000
+++ b/libexec/httpd/CHANGES     Tue Aug 24 09:47:36 2021 +0000
@@ -1,4 +1,8 @@
-$NetBSD: CHANGES,v 1.49 2021/05/05 07:41:48 mrg Exp $
+$NetBSD: CHANGES,v 1.50 2021/08/24 09:47:36 mrg Exp $
+
+changes in bozohttpd 20210824:
+       o  new "-m tlsversion" option to set the minimum TLS version
+          available.  partially from <sunil%nimmagadda.net@localhost>.
 
 changes in bozohttpd 20210504:
        o  don't assume host BUFSIZ is sufficent.  small BUFSIZ leads to
diff -r a2f58ac93a19 -r d3ddb91ec902 libexec/httpd/bozohttpd.8
--- a/libexec/httpd/bozohttpd.8 Tue Aug 24 08:39:50 2021 +0000
+++ b/libexec/httpd/bozohttpd.8 Tue Aug 24 09:47:36 2021 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: bozohttpd.8,v 1.88 2021/02/28 05:19:52 mrg Exp $
+.\"    $NetBSD: bozohttpd.8,v 1.89 2021/08/24 09:47:36 mrg Exp $
 .\"
 .\"    $eterna: bozohttpd.8,v 1.101 2011/11/18 01:25:11 mrg Exp $
 .\"
@@ -26,7 +26,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd February 27, 2021
+.Dd August 24, 2021
 .Dt BOZOHTTPD 8
 .Os
 .Sh NAME
@@ -39,6 +39,7 @@
 .Op Fl I Ar port
 .Op Fl L Ar prefix script
 .Op Fl M Ar suffix type encoding encoding11
+.Op Fl m Ar version
 .Op Fl P Ar pidfile
 .Op Fl R Ar readme
 .Op Fl S Ar version
@@ -221,6 +222,18 @@
 Multiple
 .Fl M
 options may be passed.
+.It Fl m Ar version
+Set the minimum supported SSL protocol
+.Ar version .
+The valid values of
+.Ar version
+are
+.Dq TLSv1.1 ,
+.Dq TLSv1.2 ,
+and
+.Dq TLSv1.3 .
+The default version is
+.Dq TLSv1.1 .
 .It Fl n
 Stops
 .Nm
@@ -646,7 +659,7 @@
 and regular code audits.
 This manual documents
 .Nm
-version 20210227.
+version 20210824.
 .Sh AUTHORS
 .An -nosplit
 .Nm
@@ -769,6 +782,10 @@
 provided many various fixes, including cgi-bin fixes and enhancements,
 HTTP basic authorization support and much code clean up
 .It
+.An Sunil Nimmagadda
+.Aq Mt sunil%nimmagadda.net@localhost
+provided runtime TLS version control
+.It
 .An Rajeev V. Pillai
 .Aq Mt rajeev_v_pillai%yahoo.com@localhost
 provided several fixes for virtual hosting and directory indexing and
@@ -819,7 +836,6 @@
 .It
 .Aq Mt xs%kittenz.org@localhost
 provided chroot and change-to-user support, and other various fixes
-
 .It
 .An S.P.Zeidler
 .Aq Mt spz%NetBSD.org@localhost
diff -r a2f58ac93a19 -r d3ddb91ec902 libexec/httpd/bozohttpd.c
--- a/libexec/httpd/bozohttpd.c Tue Aug 24 08:39:50 2021 +0000
+++ b/libexec/httpd/bozohttpd.c Tue Aug 24 09:47:36 2021 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: bozohttpd.c,v 1.135 2021/08/24 05:39:39 mrg Exp $      */
+/*     $NetBSD: bozohttpd.c,v 1.136 2021/08/24 09:47:36 mrg Exp $      */
 
 /*     $eterna: bozohttpd.c,v 1.178 2011/11/18 09:21:15 mrg Exp $      */
 
@@ -108,7 +108,7 @@
 #define INDEX_HTML             "index.html"
 #endif
 #ifndef SERVER_SOFTWARE
-#define SERVER_SOFTWARE                "bozohttpd/20210504"
+#define SERVER_SOFTWARE                "bozohttpd/20210824"
 #endif
 #ifndef PUBLIC_HTML
 #define PUBLIC_HTML            "public_html"
diff -r a2f58ac93a19 -r d3ddb91ec902 libexec/httpd/bozohttpd.h
--- a/libexec/httpd/bozohttpd.h Tue Aug 24 08:39:50 2021 +0000
+++ b/libexec/httpd/bozohttpd.h Tue Aug 24 09:47:36 2021 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: bozohttpd.h,v 1.69 2021/05/05 07:41:48 mrg Exp $       */
+/*     $NetBSD: bozohttpd.h,v 1.70 2021/08/24 09:47:36 mrg Exp $       */
 
 /*     $eterna: bozohttpd.h,v 1.39 2011/11/18 09:21:15 mrg Exp $       */
 
@@ -130,6 +130,7 @@
        unsigned        initial_timeout;/* first line timeout */
        unsigned        header_timeout; /* header lines timeout */
        unsigned        request_timeout;/* total session timeout */
+       char            *ssl_min_proto; /* minimum ssl protocol level */
 #ifndef NO_LUA_SUPPORT
        int              process_lua;   /* use the Lua handler */
        SIMPLEQ_HEAD(, lua_state_map)   lua_states;
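Review bot: The new `ssl_min_proto` member is declared `char *` although, in this commit, it only ever points at an argv string (`httpd.ssl_min_proto = optarg` in main.c) and is only read, by `bozo_ssl_proto(const char *name)`; declaring it `const char *ssl_min_proto;` documents that the server never owns or modifies it. The trailing comment says "minimum ssl protocol level" while the only accepted values are TLS versions, so `/* minimum TLS version accepted (-m) */` would be more accurate. The enclosing struct definition starts and ends outside the hunk.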
diff -r a2f58ac93a19 -r d3ddb91ec902 libexec/httpd/main.c
--- a/libexec/httpd/main.c      Tue Aug 24 08:39:50 2021 +0000
+++ b/libexec/httpd/main.c      Tue Aug 24 09:47:36 2021 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: main.c,v 1.28 2021/08/24 05:29:27 mrg Exp $    */
+/*     $NetBSD: main.c,v 1.29 2021/08/24 09:47:36 mrg Exp $    */
 
 /*     $eterna: main.c,v 1.6 2011/11/18 09:21:15 mrg Exp $     */
 /* from: eterna: bozohttpd.c,v 1.159 2009/05/23 02:14:30 mrg Exp       */
@@ -164,7 +164,7 @@
         */
 
        while ((c = getopt(argc, argv,
-           "C:EGHI:L:M:P:R:S:T:U:VXZ:bc:defhi:np:st:uv:x:z:")) != -1) {
+           "C:EGHI:L:M:m:P:R:S:T:U:VXZ:bc:defhi:np:st:uv:x:z:")) != -1) {
                switch (c) {
 
                case 'b':
@@ -282,6 +282,15 @@
                        optind += 3;
                        break;
 
+               case 'm':
+                       if (!have_ssl)
+                               goto no_ssl;
+
+                       httpd.ssl_min_proto = optarg;
+                       debug((&httpd, DEBUG_NORMAL,
+                           "using minimum protocol version: %s", optarg));
+                       break;
+
                case 'n':
                        bozo_set_pref(&httpd, &prefs, "numeric", "true");
                        break;
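Review bot: The `-m` value is stored without any validation, and the debug line `"using minimum protocol version: %s"` is printed before anything has checked that `optarg` is one of the documented names, so a typo such as `-m TLSv12` is logged as if it had been accepted. The table that knows the valid names lives in ssl-bozo.c as static helpers, so either a small exported validator should be called here so the server fails at startup, or the rejection must be guaranteed in bozo_ssl_init and the debug text softened to `"requested minimum protocol version: %s"`. The `no_ssl` label jumped to here, and any usage text that lists the options, are outside the hunk; the usage text presumably needs the new `-m version` entry as well.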
diff -r a2f58ac93a19 -r d3ddb91ec902 libexec/httpd/ssl-bozo.c
--- a/libexec/httpd/ssl-bozo.c  Tue Aug 24 08:39:50 2021 +0000
+++ b/libexec/httpd/ssl-bozo.c  Tue Aug 24 09:47:36 2021 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ssl-bozo.c,v 1.29 2020/10/15 04:21:53 mrg Exp $        */
+/*     $NetBSD: ssl-bozo.c,v 1.30 2021/08/24 09:47:36 mrg Exp $        */
 
 /*     $eterna: ssl-bozo.c,v 1.15 2011/11/18 09:21:15 mrg Exp $        */
 
@@ -61,13 +61,6 @@
        "!KRB5-DES-CBC3-SHA"
 #endif
 
-#ifndef BOZO_SSL_OPTIONS
-#define BOZO_SSL_OPTIONS                                       \
-       ((long)(SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1))
-#endif
-
-  /* this structure encapsulates the ssl info */
-
 /* this structure encapsulates the ssl info */
 typedef struct sslinfo_t {
        SSL_CTX                 *ssl_context;
@@ -78,6 +71,40 @@
        char                    *ciphers;
 } sslinfo_t;
 
+/* Default to TLS 1.3. */
+struct {
+       unsigned        proto;
+       const char      *name;
+} protos[] = {
+       { TLS1_3_VERSION, "TLSv1.3" },
+       { TLS1_2_VERSION, "TLSv1.2" },
+       { TLS1_1_VERSION, "TLSv1.1" },
+       { 0, NULL },
+};
+
+static int
+bozo_ssl_proto(const char *name)
+{
+       unsigned i;
+
+       if (name)
+               for (i = 0; protos[0].proto != 0; i++)
+                       if (strcasecmp(name, protos[i].name) == 0)
+                               return protos[i].proto;
+       return protos[0].proto;
+}
+
+static const char *
+bozo_ssl_name(unsigned version)
+{
+       unsigned i;
+
+       for (i = 0; protos[0].proto != 0; i++)
+               if (version == protos[i].proto)
+                       return protos[i].name;
+       return protos[0].name;
+}
+
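Review bot: Both loops in bozo_ssl_proto and bozo_ssl_name test `protos[0].proto != 0`, which is always true, so neither loop ever stops at the `{ 0, NULL }` sentinel: a name that is not in the table makes bozo_ssl_proto call `strcasecmp(name, NULL)` at i == 3 and then read past the end of the array, and bozo_ssl_name does the same for an unknown version. Both conditions should read `for (i = 0; protos[i].proto != 0; i++)`. The table should also be `static const struct { ... } protos[]` rather than a writable global with external linkage. Separately, the comment `/* Default to TLS 1.3. */` and the `return protos[0].proto` for a NULL name mean a server started without `-m` accepts TLS 1.3 only, while the man page in this same commit documents the default as TLSv1.1 and the removed BOZO_SSL_OPTIONS only excluded SSLv2, SSLv3 and TLS 1.0; the code and the documentation need to agree on one default before this ships.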
 /*
  * bozo_clear_ssl_queue:  print the contents of the SSL error queue
  */
@@ -208,7 +235,7 @@
 bozo_ssl_init(bozohttpd_t *httpd)
 {
        sslinfo_t *sslinfo = httpd->sslinfo;
-       long options;
+       int proto;
 
        if (sslinfo == NULL || !sslinfo->certificate_file)
                return;
@@ -222,12 +249,12 @@
                bozo_ssl_err(httpd, EXIT_FAILURE,
                    "SSL context creation failed");
 
-       options = SSL_CTX_set_options(sslinfo->ssl_context,
-           BOZO_SSL_OPTIONS);
-       if ((options & BOZO_SSL_OPTIONS) != BOZO_SSL_OPTIONS)
+       proto = bozo_ssl_proto(httpd->ssl_min_proto);
+
+       if (!SSL_CTX_set_min_proto_version(sslinfo->ssl_context, proto))
                bozo_ssl_err(httpd, EXIT_FAILURE,
-                   "Error setting ssl options requested %#lx, got %#lx",
-                   BOZO_SSL_OPTIONS, options);
+                   "Error setting minimum protocol version '%s'",
+                   bozo_ssl_name(proto));
 
        if (!SSL_CTX_set_cipher_list(sslinfo->ssl_context,
            sslinfo->ciphers ? sslinfo->ciphers : BOZO_SSL_CIPHERS))
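Review bot: An unrecognized `-m` value is never reported here: bozo_ssl_proto returns `protos[0].proto` when the name does not match, and the only error path prints `bozo_ssl_name(proto)`, i.e. the name the code fell back to, not what the operator typed, so a misspelled version silently becomes the default minimum. After resolving `proto`, compare the request with the result and refuse to start on a mismatch: `if (httpd->ssl_min_proto != NULL && strcasecmp(httpd->ssl_min_proto, bozo_ssl_name(proto)) != 0) bozo_ssl_err(httpd, EXIT_FAILURE, "unknown minimum TLS version '%s'", httpd->ssl_min_proto);`. The `proto` variable is an `int` holding an `unsigned` table value; that is harmless for the TLS1_*_VERSION constants but a `const char *` would be a cleaner way to carry the request. bozo_ssl_init starts before and continues after this hunk.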


