diff options
author | Ben Pfaff <blp@nicira.com> | 2014-06-13 16:24:49 -0700 |
---|---|---|
committer | Ben Pfaff <blp@nicira.com> | 2014-06-13 16:26:04 -0700 |
commit | 881cdb3caafc435ec7de337a8cf8dd811a20fbe3 (patch) | |
tree | 8d882d6b39a279a6a6bc9351b349e91a3637b544 | |
parent | 13db1a79f838cbbafa82c151d112f7a8fd106c06 (diff) | |
download | openvswitch-881cdb3caafc435ec7de337a8cf8dd811a20fbe3.tar.gz |
stream-ssl: Enable TLSv1.1 and TLSv1.2.
The Open vSwitch SSL code was inadvertently enabling only TLSv1, not
later versions. This commit should fix it.
See https://www.openssl.org/docs/ssl/SSL_CTX_new.html
and http://www.postgresql.org/message-id/20131203213049.GA8259@gmail.com
for more information.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Reported-by: Abhinav Singhal <Abhinav.Singhal@spirent.com>
Acked-by: Gurucharan Shetty <gshetty@nicira.com>
-rw-r--r-- | AUTHORS | 1 | ||||
-rw-r--r-- | lib/stream-ssl.c | 14 |
2 files changed, 12 insertions, 3 deletions
@@ -113,6 +113,7 @@ The following additional people are mentioned in commit logs as having provided helpful bug reports or suggestions. Aaron M. Ucko ucko@debian.org +Abhinav Singhal Abhinav.Singhal@spirent.com Adam Heath doogie@brainfood.com Ahmed Bilal numan252@gmail.com Alan Shieh ashieh@nicira.com diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index 3b9270f93..cd4783ca9 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -938,9 +938,17 @@ do_ssl_init(void) RAND_seed(seed, sizeof seed); } - /* New OpenSSL changed TLSv1_method() to return a "const" pointer, so the - * cast is needed to avoid a warning with those newer versions. */ - method = CONST_CAST(SSL_METHOD *, TLSv1_method()); + /* OpenSSL has a bunch of "connection methods": SSLv2_method(), + * SSLv3_method(), TLSv1_method(), SSLv23_method(), ... Most of these + * support exactly one version of SSL, e.g. TLSv1_method() supports TLSv1 + * only, not any earlier *or later* version. The only exception is + * SSLv23_method(), which in fact supports *any* version of SSL and TLS. + * We don't want SSLv2 or SSLv3 support, so we turn it off below with + * SSL_CTX_set_options(). + * + * The cast is needed to avoid a warning with newer versions of OpenSSL in + * which SSLv23_method() returns a "const" pointer. */ + method = CONST_CAST(SSL_METHOD *, SSLv23_method()); if (method == NULL) { VLOG_ERR("TLSv1_method: %s", ERR_error_string(ERR_get_error(), NULL)); return ENOPROTOOPT; |