-rw-r--r--doc-jp/README.SSL3
-rw-r--r--fm.h3
-rw-r--r--rc.c7
-rw-r--r--url.c43
4 files changed, 56 insertions, 0 deletions
diff --git a/doc-jp/README.SSL b/doc-jp/README.SSL
index 0542ffd..d7f26c7 100644
--- a/doc-jp/README.SSL
+++ b/doc-jp/README.SSL
@@ -27,6 +27,9 @@ SSL サポートについて
使わないSSLメソッドのリスト(2: SSLv2, 3: SSLv3, t: TLSv1.0,
5: TLSv1.1, 6: TLSv1.2, 7: TLSv1.3)
(デフォルトは2, 3).
+ ssl_min_version
+ 最小のSSLバージョン, OpenSSL 1.1以上で有効(TLSv1.0, TLSv1.1,
+ TLSv1.2, TLSv1.3のいずれか) (デフォルトは<NULL>).
ssl_ciphers
TLSv1.2以下用のSSL暗号(例: DEFAULT:@SECLEVEL=2) (デフォルトは
OpenSSL 1.1以上なら<NULL>、それ以外なら"DEFAULT:!LOW:!RC4:!EXP").
diff --git a/fm.h b/fm.h
index 9d1995e..1f884be 100644
--- a/fm.h
+++ b/fm.h
@@ -1191,6 +1191,9 @@ global int ssl_path_modified init(FALSE);
* defined(USE_SSL_VERIFY) */
#ifdef USE_SSL
global char *ssl_forbid_method init("2, 3");
+#ifdef SSL_CTX_set_min_proto_version
+global char *ssl_min_version init(NULL);
+#endif
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
global char *ssl_cipher init("DEFAULT:!LOW:!RC4:!EXP");
#else
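Review bot: The new `#ifdef SSL_CTX_set_min_proto_version` guard at L33 detects only the macro form of that API, whereas the cipher default two lines below keys on `OPENSSL_VERSION_NUMBER`/`LIBRESSL_VERSION_NUMBER`; a library that exports the call as a real function rather than a macro (LibreSSL reportedly does) makes the `#ifdef` false, so `ssl_min_version` silently vanishes from the build while doc-jp/README.SSL in the same commit still advertises it. At minimum say so next to the guard, e.g. `/* SSL_CTX_set_min_proto_version is a macro in OpenSSL >= 1.1; a build that exports it as a function will not get this option -- the README promises it only for OpenSSL */`, or key the guard on the version macro like the `ssl_cipher` default does. The same `#ifdef` is repeated in rc.c and url.c, so whichever condition is chosen should be applied in all three places.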
diff --git a/rc.c b/rc.c
index 521e830..f2c4021 100644
--- a/rc.c
+++ b/rc.c
@@ -205,6 +205,9 @@ static int OptionEncode = FALSE;
#define CMT_SSL_CA_FILE N_("File consisting of PEM encoded certificates of CAs")
#endif /* USE_SSL_VERIFY */
#define CMT_SSL_FORBID_METHOD N_("List of forbidden SSL methods (2: SSLv2, 3: SSLv3, t: TLSv1.0, 5: TLSv1.1, 6: TLSv1.2, 7: TLSv1.3)")
+#ifdef SSL_CTX_set_min_proto_version
+#define CMT_SSL_MIN_VERSION N_("Minimum SSL version (TLSv1.0, TLSv1.1, TLSv1.2, or TLSv1.3)")
+#endif
#define CMT_SSL_CIPHER N_("SSL ciphers for TLSv1.2 and below (e.g. DEFAULT:@SECLEVEL=2)")
#endif /* USE_SSL */
#ifdef USE_COOKIE
@@ -613,6 +616,10 @@ struct param_ptr params6[] = {
struct param_ptr params7[] = {
{"ssl_forbid_method", P_STRING, PI_TEXT, (void *)&ssl_forbid_method,
CMT_SSL_FORBID_METHOD, NULL},
+#ifdef SSL_CTX_set_min_proto_version
+ {"ssl_min_version", P_STRING, PI_TEXT, (void *)&ssl_min_version,
+ CMT_SSL_MIN_VERSION, NULL},
+#endif
{"ssl_cipher", P_STRING, PI_TEXT, (void *)&ssl_cipher, CMT_SSL_CIPHER,
NULL},
#ifdef USE_SSL_VERIFY
diff --git a/url.c b/url.c
index c7eeb16..9e67e06 100644
--- a/url.c
+++ b/url.c
@@ -293,6 +293,38 @@ init_PRNG()
}
#endif /* SSLEAY_VERSION_NUMBER >= 0x00905100 */
+#ifdef SSL_CTX_set_min_proto_version
+static int
+str_to_ssl_version(const char *name)
+{
+#ifdef TLS1_3_VERSION
+ if (!strcasecmp(name, "TLSv1.3"))
+ return TLS1_3_VERSION;
+#endif
+#ifdef TLS1_2_VERSION
+ if (!strcasecmp(name, "TLSv1.2"))
+ return TLS1_2_VERSION;
+#endif
+#ifdef TLS1_1_VERSION
+ if (!strcasecmp(name, "TLSv1.1"))
+ return TLS1_1_VERSION;
+#endif
+ if (!strcasecmp(name, "TLSv1.0"))
+ return TLS1_VERSION;
+ if (!strcasecmp(name, "TLSv1"))
+ return TLS1_VERSION;
+ if (!strcasecmp(name, "SSLv3.0"))
+ return SSL3_VERSION;
+ if (!strcasecmp(name, "SSLv3"))
+ return SSL3_VERSION;
+ if (!strcasecmp(name, "SSLv2.0"))
+ return SSL2_VERSION;
+ if (!strcasecmp(name, "SSLv2"))
+ return SSL2_VERSION;
+ return 0;
+}
+#endif /* SSL_CTX_set_min_proto_version */
+
static SSL *
openSSLHandle(int sock, char *hostname, char **p_cert)
{
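Review bot: `str_to_ssl_version` accepts `SSLv3`, `SSLv3.0`, `SSLv2` and `SSLv2.0` (L91–L98) although the option's own help text in rc.c and the README in this commit list only TLSv1.0 through TLSv1.3, so a stray config value can set a floor below the default forbid list `"2, 3"` on a library that still speaks SSLv3, while the SSLv2 branches are at best dead (OpenSSL's min-version setter does not, to my knowledge, accept `SSL2_VERSION`). I would drop those four branches so only the documented TLS names map and everything else falls to `return 0`, which the caller already treats as a configuration error; if `TLSv1` is meant as an alias for `TLSv1.0` it should be listed in the help text as well. A one-line comment on the function would also help: `/* Map an ssl_min_version option value to an OpenSSL TLS*_VERSION constant; 0 for any unrecognised name. */`.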
@@ -336,6 +368,17 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
#endif
if (!(ssl_ctx = SSL_CTX_new(SSLv23_client_method())))
goto eend;
+#ifdef SSL_CTX_set_min_proto_version
+ if (ssl_min_version && *ssl_min_version != '\0') {
+ int sslver;
+ sslver = str_to_ssl_version(ssl_min_version);
+ if (sslver <= 0
+ || !SSL_CTX_set_min_proto_version(ssl_ctx, sslver)) {
+ free_ssl_ctx();
+ goto eend;
+ }
+ }
+#endif
if (ssl_cipher && *ssl_cipher != '\0')
if (!SSL_CTX_set_cipher_list(ssl_ctx, ssl_cipher)) {
free_ssl_ctx();
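Review bot: A misspelt or unsupported `ssl_min_version` makes every TLS connection fail at L117 with nothing that names the option or the value; the `eend` path is outside this hunk, but if it reports the OpenSSL error queue the way the cipher-list failure just below presumably relies on, a parse failure (`sslver <= 0`) leaves that queue empty and the user gets a content-free error. Either validate the string once when the option is loaded, or report the offending value here before the `goto eend`, and record the intent next to the check: `/* an unknown name or a floor the library rejects aborts every TLS connection; the OpenSSL error queue is empty in the first case, so name the value when reporting */`. Note also that a floor set here and `ssl_forbid_method` (applied elsewhere in openSSLHandle) can together leave no negotiable version, which will surface only as a handshake failure; a sentence in the option help pointing that out would save a support question. The enclosing `openSSLHandle` starts and ends outside this hunk.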