gnustep/libs-base
0
0
Fork 0
mirror of https://github.com/gnustep/libs-base.git synced 2025-05-30 08:21:25 +00:00
Code Issues Projects Releases Packages Wiki Activity

Disable SSLv2 by default as it is insecure.

Browse source 
git-svn-id: svn+ssh://svn.gna.org/svn/gnustep/libs/base/trunk@28336 72102866-910b-0410-8b05-ffd578937521
This commit is contained in:
rfm 2009-06-09 08:32:16 +00:00
parent ed902f9bcf
commit e069bb1b23
3 changed files with 35 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

5
ChangeLog
View file

@ -1,3 +1,8 @@
2009-06-09 Richard Frith-Macdonald <rfm@gnu.org>
* SSL/Source/GSSSLHandle.m: Disable v2 by default due to
security issues. GSPermitSSLv2 user default can enable it again.
2009-06-08 Richard Frith-Macdonald <rfm@gnu.org> 2009-06-08 Richard Frith-Macdonald <rfm@gnu.org>
* Source/Additions/Unicode.m: Optimise somewhat for converting * Source/Additions/Unicode.m: Optimise somewhat for converting

29
SSL/GSSSLHandle.m
View file

@ -122,11 +122,21 @@ sslError(int err)
PEMpasswd: (NSString*)PEMpasswd; PEMpasswd: (NSString*)PEMpasswd;
@end @end
static BOOL permitSSLv2 = NO;
@implementation GSSSLHandle @implementation GSSSLHandle
+ (void) _defaultsChanged: (NSNotification*)n
{
permitSSLv2
= [[NSUserDefaults standardUserDefaults] boolForKey: @"GSPermitSSLv2"];
}
+ (void) initialize + (void) initialize
{ {
if (self == [GSSSLHandle class]) if (self == [GSSSLHandle class])
{ {
NSUserDefaults *defs;
SSL_library_init(); SSL_library_init();
/* /*
@ -140,6 +150,13 @@ sslError(int err)
inf = [[[NSProcessInfo processInfo] globallyUniqueString] UTF8String]; inf = [[[NSProcessInfo processInfo] globallyUniqueString] UTF8String];
RAND_seed(inf, strlen(inf)); RAND_seed(inf, strlen(inf));
} }
defs = [NSUserDefaults standardUserDefaults];
permitSSLv2 = [defs boolForKey: @"GSPermitSSLv2"];
[[NSNotificationCenter defaultCenter]
addObserver: self
selector: @selector(_defaultsChanged:)
name: NSUserDefaultsDidChangeNotification
object: nil];
} }
} }
@ -186,6 +203,10 @@ sslError(int err)
if (ctx == 0) if (ctx == 0)
{ {
ctx = SSL_CTX_new(SSLv23_server_method()); ctx = SSL_CTX_new(SSLv23_server_method());
if (permitSSLv2 == NO)
{
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
}
} }
if (ssl == 0) if (ssl == 0)
{ {
@ -288,6 +309,10 @@ sslError(int err)
if (ctx == 0) if (ctx == 0)
{ {
ctx = SSL_CTX_new(SSLv23_client_method()); ctx = SSL_CTX_new(SSLv23_client_method());
if (permitSSLv2 == NO)
{
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
}
} }
if (ssl == 0) if (ssl == 0)
{ {
@ -405,6 +430,10 @@ sslError(int err)
if (ctx == 0) if (ctx == 0)
{ {
ctx = SSL_CTX_new(SSLv23_method()); ctx = SSL_CTX_new(SSLv23_method());
if (permitSSLv2 == NO)
{
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
}
} }
if ([PEMpasswd length] > 0) if ([PEMpasswd length] > 0)
{ {

2
Source/GSSocketStream.m
View file

@ -433,7 +433,7 @@ static gnutls_anon_client_credentials_t anoncred;
else if ([proto isEqualToString: NSStreamSocketSecurityLevelSSLv2] == YES) else if ([proto isEqualToString: NSStreamSocketSecurityLevelSSLv2] == YES)
{ {
proto = NSStreamSocketSecurityLevelSSLv2; proto = NSStreamSocketSecurityLevelSSLv2;
GSOnceMLog(@"NSStreamSocketSecurityLevelTLSv1 is insecure ..." GSOnceMLog(@"NSStreamSocketSecurityLevelTLSv2 is insecure ..."
@" not implemented"); @" not implemented");
DESTROY(self); DESTROY(self);
return nil; return nil;