[Spice-commits] gtk/spice-channel.c

Christophe Fergau teuf at kemper.freedesktop.org
Thu Dec 12 04:54:49 PST 2013


 gtk/spice-channel.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

New commits:
commit bf03c1e605adf8b5513683e3fe82868cc8998a2a
Author: David Jaša <djasa at redhat.com>
Date:   Wed Nov 27 17:24:46 2013 +0100

    Use TLS version 1.0 or better
    
    When creating a TLS socket, both spice-server and spice-gtk currently
call SSL_CTX_new(TLSv1_method()). The TLSv1_method() function sets the
protocol version to TLS 1.0 exclusively. The correct way to support
    multiple protocol versions is to call SSLv23_method() in spite of its
    scary name. This method will enable all SSL/TLS protocol versions. The
    protocol suite may be further narrowed down by setting respective
    SSL_OP_NO_<version_code> options of SSL context.  This possibility is
    used in this patch in order to block use of SSLv3 that is enabled by
    default in openssl for client sockets as of now but spice has never used
    it.

diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
index e4683f8..f101c3a 100644
--- a/gtk/spice-channel.c
+++ b/gtk/spice-channel.c
@@ -2215,6 +2215,9 @@ static void *spice_channel_coroutine(void *data)
     int rc, delay_val = 1;
     gboolean switch_tls = FALSE;
     gboolean switch_protocol = FALSE;
+    /* When some other SSL/TLS version becomes obsolete, add it to this
+     * variable. */
+    long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
 
     CHANNEL_DEBUG(channel, "Started background coroutine %p", &c->coroutine);
 
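Review bot: The deny-list that fixes the protocol floor is introduced as a plain local (`long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;`) deep inside spice_channel_coroutine, which is a hard place to find a security policy that the accompanying comment expects future maintainers to edit. Hoisting it to a file-scope `static const long` (or a macro) would make it discoverable, and the comment should say what the mask is for rather than only how to extend it, e.g. `/* Protocol versions spice must never negotiate. SSLv23_method() enables every SSL/TLS version the library supports, so this mask is what actually enforces the TLS 1.0 floor; extend it when another version is retired. */`. Only the declaration is visible here; the coroutine continues outside the hunk.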
@@ -2254,13 +2257,15 @@ reconnect:
     c->has_error = FALSE;
 
     if (c->tls) {
-        c->ctx = SSL_CTX_new(TLSv1_method());
+        c->ctx = SSL_CTX_new(SSLv23_method());
         if (c->ctx == NULL) {
             g_critical("SSL_CTX_new failed");
             emit_main_context(channel, SPICE_CHANNEL_EVENT, SPICE_CHANNEL_ERROR_TLS);
             goto cleanup;
         }
 
+        SSL_CTX_set_options(c->ctx, ssl_options);
+
         verify = spice_session_get_verify(c->session);
         if (verify &
             (SPICE_SESSION_VERIFY_SUBJECT | SPICE_SESSION_VERIFY_HOSTNAME)) {
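Review bot: The `SSL_CTX_set_options(c->ctx, ssl_options);` line narrows the protocol set but nothing at the call site explains why a method whose name says SSLv23 is the right choice; a one-line comment above `c->ctx = SSL_CTX_new(SSLv23_method());` would save the next reader a trip to the commit log: `/* SSLv23_method() enables every SSL/TLS version; the SSL_OP_NO_* mask applied below removes the ones spice refuses, leaving TLS 1.0 or better. */`. If the OpenSSL baseline this project builds against provides it, consider also OR-ing `SSL_OP_NO_COMPRESSION` into the mask, since TLS-level compression stays negotiable by default on this context and is what CRIME-style attacks exploit; the required baseline is not visible from this hunk. The return value of SSL_CTX_set_options is the resulting option mask rather than an error indicator, so ignoring it is fine. spice_channel_coroutine continues outside the hunk.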

