Set min version to TLS 1.0 in programs

This commit is contained in:
Manuel Pégourié-Gonnard 2015-01-12 11:40:14 +01:00
parent d68b65199f
commit 448ea506bf
10 changed files with 32 additions and 10 deletions

View File

@ -1,5 +1,9 @@
PolarSSL ChangeLog (Sorted per branch, date) PolarSSL ChangeLog (Sorted per branch, date)
= PolarSSL 1.3.10 released ???
Changes
* Example programs for SSL client and server now disable SSLv3 by default.
= PolarSSL 1.3.9 released 2014-10-20 = PolarSSL 1.3.9 released 2014-10-20
Security Security
* Lowest common hash was selected from signature_algorithms extension in * Lowest common hash was selected from signature_algorithms extension in

View File

@ -1372,9 +1372,11 @@ void ssl_set_max_version( ssl_context *ssl, int major, int minor );
* \brief Set the minimum accepted SSL/TLS protocol version * \brief Set the minimum accepted SSL/TLS protocol version
* (Default: SSL_MIN_MAJOR_VERSION, SSL_MIN_MINOR_VERSION) * (Default: SSL_MIN_MAJOR_VERSION, SSL_MIN_MINOR_VERSION)
* *
* Note: Input outside of the SSL_MAX_XXXXX_VERSION and * \note Input outside of the SSL_MAX_XXXXX_VERSION and
* SSL_MIN_XXXXX_VERSION range is ignored. * SSL_MIN_XXXXX_VERSION range is ignored.
* *
* \note SSL_MINOR_VERSION_0 (SSL v3) should be avoided.
*
* \param ssl SSL context * \param ssl SSL context
* \param major Major version number (only SSL_MAJOR_VERSION_3 supported) * \param major Major version number (only SSL_MAJOR_VERSION_3 supported)
* \param minor Minor version number (SSL_MINOR_VERSION_0, * \param minor Minor version number (SSL_MINOR_VERSION_0,

View File

@ -168,6 +168,9 @@ int main( int argc, char *argv[] )
ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL ); ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
ssl_set_ca_chain( &ssl, &cacert, NULL, "PolarSSL Server 1" ); ssl_set_ca_chain( &ssl, &cacert, NULL, "PolarSSL Server 1" );
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout ); ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio( &ssl, net_recv, &server_fd, ssl_set_bio( &ssl, net_recv, &server_fd,

View File

@ -86,7 +86,7 @@ int main( int argc, char *argv[] )
#define DFL_ALLOW_LEGACY SSL_LEGACY_NO_RENEGOTIATION #define DFL_ALLOW_LEGACY SSL_LEGACY_NO_RENEGOTIATION
#define DFL_RENEGOTIATE 0 #define DFL_RENEGOTIATE 0
#define DFL_EXCHANGES 1 #define DFL_EXCHANGES 1
#define DFL_MIN_VERSION -1 #define DFL_MIN_VERSION SSL_MINOR_VERSION_1
#define DFL_MAX_VERSION -1 #define DFL_MAX_VERSION -1
#define DFL_AUTH_MODE SSL_VERIFY_REQUIRED #define DFL_AUTH_MODE SSL_VERIFY_REQUIRED
#define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE #define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE

View File

@ -264,6 +264,10 @@ int main( int argc, char *argv[] )
ssl_set_endpoint( &ssl, SSL_IS_SERVER ); ssl_set_endpoint( &ssl, SSL_IS_SERVER );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE ); ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3,
SSL_MINOR_VERSION_1 );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout ); ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio( &ssl, net_recv, &client_fd, ssl_set_bio( &ssl, net_recv, &client_fd,

View File

@ -601,6 +601,9 @@ int main( int argc, char *argv[] )
* but makes interop easier in this simplified example */ * but makes interop easier in this simplified example */
ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL ); ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout ); ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio( &ssl, net_recv, &server_fd, ssl_set_bio( &ssl, net_recv, &server_fd,

View File

@ -165,6 +165,9 @@ static void *handle_ssl_connection( void *data )
ssl_set_endpoint( &ssl, SSL_IS_SERVER ); ssl_set_endpoint( &ssl, SSL_IS_SERVER );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE ); ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_mutexed_debug, stdout ); ssl_set_dbg( &ssl, my_mutexed_debug, stdout );

View File

@ -198,6 +198,9 @@ int main( int argc, char *argv[] )
ssl_set_endpoint( &ssl, SSL_IS_SERVER ); ssl_set_endpoint( &ssl, SSL_IS_SERVER );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE ); ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout ); ssl_set_dbg( &ssl, my_debug, stdout );

View File

@ -105,7 +105,7 @@ int main( int argc, char *argv[] )
#define DFL_RENEGOTIATE 0 #define DFL_RENEGOTIATE 0
#define DFL_RENEGO_DELAY -2 #define DFL_RENEGO_DELAY -2
#define DFL_EXCHANGES 1 #define DFL_EXCHANGES 1
#define DFL_MIN_VERSION -1 #define DFL_MIN_VERSION SSL_MINOR_VERSION_1
#define DFL_MAX_VERSION -1 #define DFL_MAX_VERSION -1
#define DFL_AUTH_MODE SSL_VERIFY_OPTIONAL #define DFL_AUTH_MODE SSL_VERIFY_OPTIONAL
#define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE #define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE

View File

@ -941,7 +941,7 @@ run_test "Authentication: client no cert, openssl server optional" \
run_test "Authentication: client no cert, ssl3" \ run_test "Authentication: client no cert, ssl3" \
"$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \ "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
"$P_CLI debug_level=3 crt_file=none key_file=none" \ "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
0 \ 0 \
-S "skip write certificate request" \ -S "skip write certificate request" \
-C "skip parse certificate request" \ -C "skip parse certificate request" \
@ -1569,7 +1569,7 @@ run_test "PSK callback: wrong key" \
# Tests for ciphersuites per version # Tests for ciphersuites per version
run_test "Per-version suites: SSL3" \ run_test "Per-version suites: SSL3" \
"$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \ "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
"$P_CLI force_version=ssl3" \ "$P_CLI force_version=ssl3" \
0 \ 0 \
-c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA" -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
@ -1609,14 +1609,14 @@ run_test "ssl_get_bytes_avail: extra data" \
# Tests for small packets # Tests for small packets
run_test "Small packet SSLv3 BlockCipher" \ run_test "Small packet SSLv3 BlockCipher" \
"$P_SRV" \ "$P_SRV min_version=ssl3" \
"$P_CLI request_size=1 force_version=ssl3 \ "$P_CLI request_size=1 force_version=ssl3 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
0 \ 0 \
-s "Read from client: 1 bytes read" -s "Read from client: 1 bytes read"
run_test "Small packet SSLv3 StreamCipher" \ run_test "Small packet SSLv3 StreamCipher" \
"$P_SRV" \ "$P_SRV min_version=ssl3" \
"$P_CLI request_size=1 force_version=ssl3 \ "$P_CLI request_size=1 force_version=ssl3 \
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
0 \ 0 \
@ -1728,14 +1728,14 @@ run_test "Small packet TLS 1.2 AEAD shorter tag" \
# Test for large packets # Test for large packets
run_test "Large packet SSLv3 BlockCipher" \ run_test "Large packet SSLv3 BlockCipher" \
"$P_SRV" \ "$P_SRV min_version=ssl3" \
"$P_CLI request_size=16384 force_version=ssl3 \ "$P_CLI request_size=16384 force_version=ssl3 \
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
0 \ 0 \
-s "Read from client: 16384 bytes read" -s "Read from client: 16384 bytes read"
run_test "Large packet SSLv3 StreamCipher" \ run_test "Large packet SSLv3 StreamCipher" \
"$P_SRV" \ "$P_SRV min_version=ssl3" \
"$P_CLI request_size=16384 force_version=ssl3 \ "$P_CLI request_size=16384 force_version=ssl3 \
force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
0 \ 0 \