[Libreoffice-commits] online.git: net/Ssl.cpp wsd/LOOLWSD.cpp

Aron Budea (via logerrit) logerrit at kemper.freedesktop.org
Wed Aug 21 13:26:01 UTC 2019


 net/Ssl.cpp     |    9 +++------
 wsd/LOOLWSD.cpp |    7 ++++++-
 2 files changed, 9 insertions(+), 7 deletions(-)

New commits:
commit cfe43ef3f571b46f9808b4844fed303ec3be761f
Author:     Aron Budea <aron.budea at collabora.com>
AuthorDate: Sat Jul 27 01:31:55 2019 +0200
Commit:     Michael Meeks <michael.meeks at collabora.com>
CommitDate: Wed Aug 21 15:25:43 2019 +0200

    Improve SSL initialization
    
    Always log cipher list, and disable any chance of fallback
    to deprecated protocols.
    
    Change-Id: Ifdfc7a3e44e98b078a36fdda6f3c813354a79e60
    Reviewed-on: https://gerrit.libreoffice.org/76465
    Reviewed-by: Michael Meeks <michael.meeks at collabora.com>
    Tested-by: Michael Meeks <michael.meeks at collabora.com>

diff --git a/net/Ssl.cpp b/net/Ssl.cpp
index 06c5e06d6..ec14502d3 100644
--- a/net/Ssl.cpp
+++ b/net/Ssl.cpp
@@ -30,8 +30,6 @@ extern "C"
     };
 }
 
-#define DEFAULT_CIPHER_SET "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
-
 std::unique_ptr<SslContext> SslContext::Instance(nullptr);
 
 SslContext::SslContext(const std::string& certFilePath,
@@ -71,8 +69,10 @@ SslContext::SslContext(const std::string& certFilePath,
     // as we don't expect/support different servers in same process.
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
     _ctx = SSL_CTX_new(TLS_method());
+    SSL_CTX_set_min_proto_version(_ctx, TLS1_VERSION);
 #else
     _ctx = SSL_CTX_new(SSLv23_method());
+    SSL_CTX_set_options(_ctx, SSL_OP_NO_SSLv3);
 #endif
 
     // SSL_CTX_set_default_passwd_cb(_ctx, &privateKeyPassphraseCallback);
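Review bot: Both new calls pass `_ctx` straight from `SSL_CTX_new` without a null check, and the return value of `SSL_CTX_set_min_proto_version` is discarded, so a failed context creation or an unsupported minimum version goes unnoticed until the first handshake. A guard such as `if (_ctx == nullptr) throw std::runtime_error("SSL_CTX_new failed");` (or whatever failure convention the rest of this constructor uses) belongs before either branch, and the `set_min_proto_version` result deserves the same treatment. Note also that `TLS1_VERSION` still admits TLS 1.0 and 1.1, which are themselves deprecated; if the deployed clients permit it, `TLS1_2_VERSION` is the stronger floor, with `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1` as the equivalent for the pre-1.1.0 branch. The SslContext constructor starts before and continues after this hunk.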
@@ -113,10 +113,7 @@ SslContext::SslContext(const std::string& certFilePath,
         }
 
         SSL_CTX_set_verify(_ctx, SSL_VERIFY_NONE, nullptr /*&verifyServerCallback*/);
-        std::string ciphers(cipherList);
-        if (ciphers.empty())
-            ciphers = DEFAULT_CIPHER_SET;
-        SSL_CTX_set_cipher_list(_ctx, ciphers.c_str());
+        SSL_CTX_set_cipher_list(_ctx, cipherList.c_str());
         SSL_CTX_set_verify_depth(_ctx, 9);
 
         // The write buffer may re-allocate, and we don't mind partial writes.
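Review bot: The return value of `SSL_CTX_set_cipher_list` on the new line is still ignored, and now that the empty-string fallback has moved to the caller in LOOLWSD.cpp, any other caller passing an empty or malformed `cipherList` gets OpenSSL's failure (return 0, no matching ciphers) silently, with the context left holding whatever list OpenSSL did or did not install rather than the configured one. Checking it, e.g. `if (SSL_CTX_set_cipher_list(_ctx, cipherList.c_str()) != 1) throw std::runtime_error("No usable ciphers in list: " + cipherList);` (adapted to the constructor's error convention), makes a cipher misconfiguration fail loudly at startup instead of as a handshake error later. The log line in LOOLWSD.cpp records the requested string, not what OpenSSL accepted, so a log of the outcome here would close that gap. The constructor continues outside the hunk.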
diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp
index 6bf628632..5a1dbce41 100644
--- a/wsd/LOOLWSD.cpp
+++ b/wsd/LOOLWSD.cpp
@@ -25,6 +25,9 @@
 #define LOOLWSD_TEST_DOCUMENT_RELATIVE_PATH_CALC    "test/data/hello-world.ods"
 #define LOOLWSD_TEST_DOCUMENT_RELATIVE_PATH_IMPRESS "test/data/hello-world.odp"
 
+/* Default ciphers used, when not specified otherwise */
+#define DEFAULT_CIPHER_SET "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
+
 // This is the main source for the loolwsd program. LOOL uses several loolwsd processes: one main
 // parent process that listens on the TCP port and accepts connections from LOOL clients, and a
 // number of child processes, each which handles a viewing (editing) session for one document.
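Review bot: The `DEFAULT_CIPHER_SET` value moved here still starts from `ALL` and excludes only `ADH`; in OpenSSL's cipher-string grammar `!ADH` removes anonymous DH but not anonymous ECDH, and `ALL` keeps RC4 and 3DES suites, so the fallback list is more permissive than the comment "Default ciphers used" lets a reader expect. `!aNULL` is the usual spelling for excluding every anonymous key exchange, e.g. `#define DEFAULT_CIPHER_SET "ALL:!aNULL:!LOW:!EXP:!MD5:!RC4:!3DES:@STRENGTH"`, though any tightening should be confirmed against the clients the server must serve. Placing it beside the other `#define` constants at the top of the file is consistent with the file's existing style.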
@@ -1224,7 +1227,9 @@ void LOOLWSD::initializeSSL()
     const std::string ssl_ca_file_path = getPathFromConfig("ssl.ca_file_path");
     LOG_INF("SSL CA file: " << ssl_ca_file_path);
 
-    const std::string ssl_cipher_list = config().getString("ssl.cipher_list", "");
+    std::string ssl_cipher_list = config().getString("ssl.cipher_list", "");
+    if (ssl_cipher_list.empty())
+            ssl_cipher_list = DEFAULT_CIPHER_SET;
     LOG_INF("SSL Cipher list: " << ssl_cipher_list);
 
     // Initialize the non-blocking socket SSL.
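Review bot: The new assignment `ssl_cipher_list = DEFAULT_CIPHER_SET;` is indented twelve spaces under a four-space `if`, which does not match the four-space step of the surrounding lines; it should read `        ssl_cipher_list = DEFAULT_CIPHER_SET;` (eight spaces) or take braces. Dropping `const` is needed for the fallback as written, but the value could stay immutable by resolving it in one step, e.g. `const std::string configured = config().getString("ssl.cipher_list", "");` followed by `const std::string ssl_cipher_list = configured.empty() ? DEFAULT_CIPHER_SET : configured;`. `LOOLWSD::initializeSSL` starts before and continues after this hunk.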

