-rw-r--r-- | doc-jp/README.SSL | 3 | ||||
-rw-r--r-- | fm.h | 3 | ||||
-rw-r--r-- | rc.c | 7 | ||||
-rw-r--r-- | url.c | 43 |
4 files changed, 56 insertions, 0 deletions
diff --git a/doc-jp/README.SSL b/doc-jp/README.SSL
index 0542ffd..d7f26c7 100644
--- a/doc-jp/README.SSL
+++ b/doc-jp/README.SSL
@@ -27,6 +27,9 @@ SSL サポートについて
 使わないSSLメソッドのリスト(2: SSLv2, 3: SSLv3, t: TLSv1.0, 5: TLSv1.1, 6: TLSv1.2, 7: TLSv1.3) (デフォルトは2, 3).
+ ssl_min_version
+ 最小のSSLバージョン, OpenSSL 1.1以上で有効(TLSv1.0, TLSv1.1,
+ TLSv1.2, TLSv1.3のいずれか) (デフォルトは<NULL>).
 ssl_ciphers
 TLSv1.2以下用のSSL暗号(例: DEFAULT:@SECLEVEL=2) (デフォルトは
 OpenSSL 1.1以上なら<NULL>、それ以外なら"DEFAULT:!LOW:!RC4:!EXP").
@@ -1191,6 +1191,9 @@ global int ssl_path_modified init(FALSE);
  * defined(USE_SSL_VERIFY) */
 #ifdef USE_SSL
 global char *ssl_forbid_method init("2, 3");
+#ifdef SSL_CTX_set_min_proto_version
+global char *ssl_min_version init(NULL);
+#endif
 #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
 global char *ssl_cipher init("DEFAULT:!LOW:!RC4:!EXP");
 #else
@@ -205,6 +205,9 @@ static int OptionEncode = FALSE;
 #define CMT_SSL_CA_FILE N_("File consisting of PEM encoded certificates of CAs")
 #endif /* USE_SSL_VERIFY */
 #define CMT_SSL_FORBID_METHOD N_("List of forbidden SSL methods (2: SSLv2, 3: SSLv3, t: TLSv1.0, 5: TLSv1.1, 6: TLSv1.2, 7: TLSv1.3)")
+#ifdef SSL_CTX_set_min_proto_version
+#define CMT_SSL_MIN_VERSION N_("Minimum SSL version (TLSv1.0, TLSv1.1, TLSv1.2, or TLSv1.3)")
+#endif
 #define CMT_SSL_CIPHER N_("SSL ciphers for TLSv1.2 and below (e.g. DEFAULT:@SECLEVEL=2)")
 #endif /* USE_SSL */
 #ifdef USE_COOKIE
@@ -613,6 +616,10 @@ struct param_ptr params6[] = {
 struct param_ptr params7[] = {
     {"ssl_forbid_method", P_STRING, PI_TEXT, (void *)&ssl_forbid_method,
      CMT_SSL_FORBID_METHOD, NULL},
+#ifdef SSL_CTX_set_min_proto_version
+    {"ssl_min_version", P_STRING, PI_TEXT, (void *)&ssl_min_version,
+     CMT_SSL_MIN_VERSION, NULL},
+#endif
     {"ssl_cipher", P_STRING, PI_TEXT, (void *)&ssl_cipher,
      CMT_SSL_CIPHER, NULL},
 #ifdef USE_SSL_VERIFY
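Review bot: The `#ifdef SSL_CTX_set_min_proto_version` gate introduced in the fm.h hunk only fires where the SSL header provides the call as a macro; if a build's ssl.h declares it as an ordinary function (LibreSSL does, as far as I know) the new option silently disappears even though the API is available, and nothing tells the user why ssl_min_version is not recognised. The same gate is repeated in both rc.c hunks and in both url.c hunks, so the gap is consistent but easy to miss. Consider a comment on this first use, `/* macro in OpenSSL >= 1.1; a function-style declaration (e.g. LibreSSL) is not detected by #ifdef */`, or gating on OPENSSL_VERSION_NUMBER / LIBRESSL_VERSION_NUMBER the way the ssl_cipher default two lines below already does.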
@@ -293,6 +293,38 @@ init_PRNG()
 }
 #endif /* SSLEAY_VERSION_NUMBER >= 0x00905100 */
+#ifdef SSL_CTX_set_min_proto_version
+static int
+str_to_ssl_version(const char *name)
+{
+#ifdef TLS1_3_VERSION
+    if (!strcasecmp(name, "TLSv1.3"))
+        return TLS1_3_VERSION;
+#endif
+#ifdef TLS1_2_VERSION
+    if (!strcasecmp(name, "TLSv1.2"))
+        return TLS1_2_VERSION;
+#endif
+#ifdef TLS1_1_VERSION
+    if (!strcasecmp(name, "TLSv1.1"))
+        return TLS1_1_VERSION;
+#endif
+    if (!strcasecmp(name, "TLSv1.0"))
+        return TLS1_VERSION;
+    if (!strcasecmp(name, "TLSv1"))
+        return TLS1_VERSION;
+    if (!strcasecmp(name, "SSLv3.0"))
+        return SSL3_VERSION;
+    if (!strcasecmp(name, "SSLv3"))
+        return SSL3_VERSION;
+    if (!strcasecmp(name, "SSLv2.0"))
+        return SSL2_VERSION;
+    if (!strcasecmp(name, "SSLv2"))
+        return SSL2_VERSION;
+    return 0;
+}
+#endif /* SSL_CTX_set_min_proto_version */
+
 static SSL *
 openSSLHandle(int sock, char *hostname, char **p_cert)
 {
@@ -336,6 +368,17 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
 #endif
     if (!(ssl_ctx = SSL_CTX_new(SSLv23_client_method())))
         goto eend;
+#ifdef SSL_CTX_set_min_proto_version
+    if (ssl_min_version && *ssl_min_version != '\0') {
+        int sslver;
+        sslver = str_to_ssl_version(ssl_min_version);
+        if (sslver <= 0
+            || !SSL_CTX_set_min_proto_version(ssl_ctx, sslver)) {
+            free_ssl_ctx();
+            goto eend;
+        }
+    }
+#endif
     if (ssl_cipher && *ssl_cipher != '\0')
         if (!SSL_CTX_set_cipher_list(ssl_ctx, ssl_cipher)) {
             free_ssl_ctx();
|
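Review bot: str_to_ssl_version accepts "SSLv3.0", "SSLv3", "SSLv2.0" and "SSLv2" and maps them to SSL3_VERSION/SSL2_VERSION, while CMT_SSL_MIN_VERSION in the rc.c hunk and the README entry advertise only TLSv1.0 through TLSv1.3. A user who sets one of the SSL names gets a floor below every documented choice, and whether the library then honours or rejects it depends on the build's OpenSSL, which the hunk cannot tell. Either drop the four SSLv lines so the accepted set matches the help text, or extend CMT_SSL_MIN_VERSION to name them. Unlike the TLS1_x lookups, these four are not wrapped in `#ifdef SSL3_VERSION` / `#ifdef SSL2_VERSION`, so the function also fails to compile against a header that omits those constants.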
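Review bot: The new block in openSSLHandle collapses two different failures into one silent `goto eend`: an unrecognised ssl_min_version string (str_to_ssl_version returned 0) and a version rejected by SSL_CTX_set_min_proto_version. Failing closed is the right choice here, but a typo in the option then looks like a generic TLS failure at connect time, so the intent deserves a comment, `/* unknown or unsupported ssl_min_version: refuse the connection instead of falling back to the library default */`. If the eend path has a way to report an error (it lies outside the hunk), the sslver == 0 case is worth its own message naming the option. openSSLHandle's body continues outside the hunk.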