Re: Disable SSLv3 and set cipher list for bozohttpd
Hi tech-security,
Below is a patch which adds a new command-line argument to
bozohttpd (-z) that can be used to override the built-in
default cipher list.
I will let others continue the discussion about which
ciphers are best to include by default as the list below
still results in an A- score from the Qualys SSL Labs
Server Test tool[1].
I welcome any feedback on the patch below. Please
let me know if I should create a PR.
Thanks,
Travis Paul
[1] https://www.ssllabs.com/ssltest/index.html
Index: bozohttpd.8
===================================================================
RCS file: /cvsroot/src/libexec/httpd/bozohttpd.8,v
retrieving revision 1.56
diff -u -r1.56 bozohttpd.8
--- bozohttpd.8 29 Nov 2015 15:58:07 -0000 1.56
+++ bozohttpd.8 12 Dec 2015 05:17:11 -0000
@@ -34,7 +34,7 @@
.Nd hyper text transfer protocol version 1.1 daemon
.Sh SYNOPSIS
.Nm
-.Op Fl EHVXefhnsu
+.Op Fl EHVXbefhnsu
.Op Fl C Ar suffix cgihandler
.Op Fl I Ar port
.Op Fl L Ar prefix script
@@ -49,6 +49,7 @@
.Op Fl t Ar chrootdir
.Op Fl v Ar virtualroot
.Op Fl x Ar index
+.Op Fl z Ar ciphers
.Ar slashdir
.Op Ar myname
.Sh DESCRIPTION
@@ -303,6 +304,8 @@
.Dq index.html
to
.Ar index .
+.It Fl z Ar ciphers
+Sets the list of SSL ciphers.
.It Fl Z Ar certificate_path privatekey_path
Sets the path to the server certificate file and the private key file
in pem format.
@@ -425,7 +428,7 @@
.Dq -lcrypt .
.Ss SSL SUPPORT
.Nm
-has support for SSLv2, SSLv3, and TLSv1 protocols that is included by
+has support for TLSv1.1 and TLSv1.2 protocols that are included by
default.
It requires linking with the crypto and ssl library, using
.Dq -lcrypto -lssl .
@@ -436,7 +439,7 @@
on the compiler command line.
.Ss COMPRESSION
.Nm
-supports a very basic form compression.
+supports a very basic form of compression.
.Nm
will serve the requested file postpended with
.Dq Pa .gz
Index: bozohttpd.h
===================================================================
RCS file: /cvsroot/src/libexec/httpd/bozohttpd.h,v
retrieving revision 1.38
diff -u -r1.38 bozohttpd.h
--- bozohttpd.h 28 Oct 2015 09:20:15 -0000 1.38
+++ bozohttpd.h 12 Dec 2015 05:17:11 -0000
@@ -241,11 +241,13 @@
/* ssl-bozo.c */
#ifdef NO_SSL_SUPPORT
#define bozo_ssl_set_opts(w, x, y) do { /* nothing */ } while (0)
+#define bozo_ssl_set_ciphers(x, y) do { /* nothing */ } while (0)
#define bozo_ssl_init(x) do { /* nothing */ } while (0)
#define bozo_ssl_accept(x) (0)
#define bozo_ssl_destroy(x) do { /* nothing */ } while (0)
#else
void bozo_ssl_set_opts(bozohttpd_t *, const char *, const char *);
+void bozo_ssl_set_ciphers(bozohttpd_t *, const char *);
void bozo_ssl_init(bozohttpd_t *);
int bozo_ssl_accept(bozohttpd_t *);
void bozo_ssl_destroy(bozohttpd_t *);
Index: main.c
===================================================================
RCS file: /cvsroot/src/libexec/httpd/main.c,v
retrieving revision 1.10
diff -u -r1.10 main.c
--- main.c 29 Nov 2015 15:26:10 -0000 1.10
+++ main.c 12 Dec 2015 05:17:11 -0000
@@ -111,6 +111,7 @@
bozo_warn(httpd,
" -x index\t\tchange default `index.html' file name");
#ifndef NO_SSL_SUPPORT
+ bozo_warn(httpd, " -z ciphers\t\tspecify SSL ciphers");
bozo_warn(httpd,
" -Z cert privkey\tspecify path to server certificate"
" and private key file\n"
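Review bot: The new usage line does not tell the operator what format `-z` expects or that it replaces the built-in default rather than adding to it, which is the first thing someone tuning a TLS deployment will want to know. The argument is passed unchanged to `SSL_CTX_set_cipher_list` elsewhere in the patch, so it is an OpenSSL cipher-list string; I would make the usage text say so: `bozo_warn(httpd, " -z ciphers\t\tset OpenSSL cipher list (replaces built-in default, see ciphers(1))");`. The same wording would help the man page entry for `-z`, which currently only says "Sets the list of SSL ciphers." The enclosing usage function starts and ends outside this hunk.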
@@ -145,7 +146,7 @@
*/
while ((c = getopt(argc, argv,
- "C:EHI:L:M:P:S:U:VXZ:bc:defhi:np:st:uv:x:")) != -1) {
+ "C:EHI:L:M:P:S:U:VXZ:bc:defhi:np:st:uv:x:z:")) != -1) {
switch (c) {
case 'L':
@@ -187,6 +188,16 @@
case 'S':
bozo_set_pref(&prefs, "server software",
optarg);
break;
+
+ case 'z':
+#ifdef NO_SSL_SUPPORT
+ bozo_err(&httpd, 1, "ssl support is not
enabled");
+ /* NOT REACHED */
+#else
+ bozo_ssl_set_ciphers(&httpd, optarg);
+ break;
+#endif /* NO_SSL_SUPPORT */
+
case 'Z':
#ifdef NO_SSL_SUPPORT
bozo_err(&httpd, 1, "ssl support is not
enabled");
Index: ssl-bozo.c
===================================================================
RCS file: /cvsroot/src/libexec/httpd/ssl-bozo.c,v
retrieving revision 1.18
diff -u -r1.18 ssl-bozo.c
--- ssl-bozo.c 17 Jul 2014 06:27:52 -0000 1.18
+++ ssl-bozo.c 12 Dec 2015 05:17:11 -0000
@@ -48,6 +48,10 @@
#define USE_ARG(x) /*LINTED*/(void)&(x)
#endif
+#ifndef BOZO_SSL_CIPHERS
+#define BOZO_SSL_CIPHERS
"-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
+#endif
+
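Review bot: The ordering in BOZO_SSL_CIPHERS has no effect on what gets negotiated unless the context is also given `SSL_OP_CIPHER_SERVER_PREFERENCE`, and no hunk in this patch sets that option, so the client's preference order decides. If ordering is meant to matter, note that the static-RSA suites (`AES128-GCM-SHA256`, `AES256-GCM-SHA384`, ...) are listed ahead of anything offering forward secrecy, and the bare `AES` keyword is what pulls the ECDHE/DHE suites in at the end; that is a plausible reason for the A- grade mentioned in the mail, and putting `ECDHE` suites first would be the usual arrangement. The leading `-SHA` is applied to a still-empty working list and so appears to be a no-op, unless it is intended to document something. A comment above the macro would help future readers, e.g. `/* Default OpenSSL cipher-list string (ciphers(1)); -z replaces it at runtime. */`.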
/* this structure encapsulates the ssl info */
typedef struct sslinfo_t {
SSL_CTX *ssl_context;
@@ -55,6 +59,7 @@
SSL *bozossl;
char *certificate_file;
char *privatekey_file;
+ char *ciphers;
} sslinfo_t;
/*
@@ -196,6 +201,15 @@
sslinfo->ssl_method = SSLv23_server_method();
sslinfo->ssl_context = SSL_CTX_new(sslinfo->ssl_method);
+ SSL_CTX_set_options(sslinfo->ssl_context,
+ SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);
+
+ if (!SSL_CTX_set_cipher_list(sslinfo->ssl_context,
+ sslinfo->ciphers ? sslinfo->ciphers : BOZO_SSL_CIPHERS))
+ bozo_ssl_err(httpd, EXIT_FAILURE,
+ "Error setting cipher list '%s'",
+ sslinfo->ciphers);
+
if (NULL == sslinfo->ssl_context)
bozo_ssl_err(httpd, EXIT_FAILURE,
"SSL context creation failed");
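Review bot: The added `SSL_CTX_set_options` and `SSL_CTX_set_cipher_list` calls operate on `sslinfo->ssl_context` before the existing `if (NULL == sslinfo->ssl_context)` check at the end of this hunk, so a failed `SSL_CTX_new` now dereferences NULL instead of reaching the "SSL context creation failed" error. The error message for a rejected cipher list also formats `sslinfo->ciphers` with `%s`, which is NULL whenever the built-in default is in use; the string actually passed to OpenSSL should be the one printed. I would move the new block below the NULL check and hold the chosen list in a local, which needs a `const char *ciphers;` declaration at the top of `bozo_ssl_init`; that function starts and ends outside this hunk.
```c
	if (NULL == sslinfo->ssl_context)
		bozo_ssl_err(httpd, EXIT_FAILURE,
		    "SSL context creation failed");

	/* Refuse SSLv2/SSLv3/TLSv1; only TLSv1.1 and later are negotiated. */
	SSL_CTX_set_options(sslinfo->ssl_context,
	    SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1);

	/* -z overrides the compiled-in default; report whichever was used. */
	ciphers = sslinfo->ciphers ? sslinfo->ciphers : BOZO_SSL_CIPHERS;
	if (!SSL_CTX_set_cipher_list(sslinfo->ssl_context, ciphers))
		bozo_ssl_err(httpd, EXIT_FAILURE,
		    "Error setting cipher list '%s'", ciphers);
	/* … unchanged: certificate and key loading … */
```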
@@ -261,6 +275,7 @@
if (sslinfo == NULL)
bozo_err(httpd, 1, "sslinfo allocation failed");
httpd->sslinfo = sslinfo;
+ sslinfo->ciphers = NULL;
}
sslinfo->certificate_file = strdup(cert);
sslinfo->privatekey_file = strdup(priv);
@@ -271,6 +286,23 @@
httpd->bindport = strdup("https");
}
+void
+bozo_ssl_set_ciphers(bozohttpd_t *httpd, const char *ciphers)
+{
+ sslinfo_t *sslinfo = httpd->sslinfo;
+
+ if (sslinfo == NULL) {
+ sslinfo = bozomalloc(httpd, sizeof(*sslinfo));
+ if (sslinfo == NULL)
+ bozo_err(httpd, 1, "sslinfo allocation failed");
+ httpd->sslinfo = sslinfo;
+ }
+ if ((sslinfo->ciphers = strdup(ciphers)) == NULL)
+ bozo_err(httpd, 1, "cipher list allocation failed");
+ debug((httpd, DEBUG_NORMAL, "using ciphers: %s",
+ sslinfo->ciphers));
+}
+
#endif /* NO_SSL_SUPPORT */
int
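Review bot: When `-z` is seen before `-Z`, or without `-Z` at all, `bozo_ssl_set_ciphers` allocates `sslinfo` but initialises only `ciphers`, so `certificate_file` and `privatekey_file` hold whatever `bozomalloc` returned unless it zero-fills (not visible here), and `-z` alone leaves a non-NULL `httpd->sslinfo` with no certificate, which the existing code presumably takes to mean SSL is enabled. A repeated `-z` also leaks the earlier `strdup`. I would zero the new fields on allocation, `sslinfo->certificate_file = sslinfo->privatekey_file = NULL;` (mirroring the `ciphers = NULL` the patch adds to `bozo_ssl_set_opts`), and `free(sslinfo->ciphers);` before the `strdup`. Rejecting `-z` without `-Z` after option parsing in main, or having `bozo_ssl_init` fail on a NULL `certificate_file`, would close the remaining gap; both live outside this hunk.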