[Spice-devel] [PATCH spice-server v2] Use TLS version 1.0 or better

David Jaša djasa at redhat.com
Wed Nov 27 08:39:31 PST 2013


From fe1531dfae23baa6dfc8b88e08f273906196e1c5 Mon Sep 17 00:00:00 2001
From: David Jaša <djasa at redhat.com>
Date: Wed, 27 Nov 2013 17:04:41 +0100
Subject: [PATCH] Use TLS version 1.0 or better

When creating a TLS socket, both spice-server and spice-gtk currently
call SSL_CTX_new(TLSv1_method()). The TLSv1_method() function sets the
protocol version to TLS 1.0 exclusively. The correct way to support
multiple protocol versions is to call SSLv23_method() in spite of its
scary name. This method will enable all protocol versions deemed secure
by the OpenSSL project. The protocol suite may be further narrowed down by
setting the respective SSL_OP_NO_<version_code> options of the SSL context.
This possibility is used in this patch in order to block use of SSLv3,
which is currently enabled by default in OpenSSL but which spice has never
used.
---
 server/reds.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

diff --git a/server/reds.c b/server/reds.c
index 2a0002b..fef666d 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -3221,6 +3221,14 @@ static int reds_init_ssl(void)
     SSL_METHOD *ssl_method;
 #endif
     int return_code;
+    /* When some other SSL/TLS version becomes obsolete, add it to this
+     * variable.
+     *
+     * Note that SSLv23_method() even with no SSL_OP_NO_* options uses
+     * just protocol versions deemed secure by openssl project so the
+     * SSL_OP_NO_SSLv2 is already redundant and SSL_OP_NO_SSLv3 option is
+     * present just in order to allow only currently-availabe version or
+     * better. */
     long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
 
     /* Global system initialization*/
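Review bot: typo in the added comment, "currently-availabe" should be "currently-available", and the sentence it sits in is hard to parse; a shorter form says the same thing, e.g. "SSLv23_method() already excludes versions OpenSSL considers insecure, so SSL_OP_NO_SSLv2 is redundant; SSL_OP_NO_SSLv3 is what restricts this context to TLS 1.0 or better." Keeping SSL_OP_NO_SSLv2 explicitly is still fine, since it costs nothing and does not depend on how OpenSSL was built. Also, `long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;` is unchanged context here, so the hunk does not show where the mask is applied; worth confirming in the surrounding code that it is still passed to SSL_CTX_set_options() after reds->ctx is created, otherwise the SSLv3 exclusion described in the comment never reaches the context.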
@@ -3228,7 +3236,7 @@ static int reds_init_ssl(void)
     SSL_load_error_strings();
 
     /* Create our context*/
-    ssl_method = TLSv1_method();
+    ssl_method = SSLv23_method();
     reds->ctx = SSL_CTX_new(ssl_method);
     if (!reds->ctx) {
         spice_warning("Could not allocate new SSL context");
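Review bot: the commit message says both spice-server and spice-gtk call TLSv1_method(), but this patch only touches server/reds.c; either send the spice-gtk change as a companion patch or state in the message that the client side is left for a separate patch, so reviewers know the client will still offer TLS 1.0 only. Also, SSLv23_method() returns `const SSL_METHOD *` in OpenSSL 1.0 and later, while the `SSL_METHOD *ssl_method;` declaration visible under the `#endif` at the top of the first hunk looks like the older, non-const branch of a version conditional; a quick build against both OpenSSL branches would confirm that the new call introduces no const-discard warning.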
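The pattern the patch adopts, a version-flexible method plus explicit opt-outs instead of pinning a single protocol version, can be exercised with Python's ssl module, whose SSLContext wraps the same OpenSSL calls (PROTOCOL_TLS_SERVER is the SSLv23_method()/TLS_method() family, ctx.options is SSL_CTX_set_options()). The block below is an added example, not spice-server code and not part of the patch: make_server_context(), blocked_versions(), unavailable_versions(), accepts_sslv3() and floor_name() are this example's own helpers, the floor of TLS 1.0 mirrors the patch's "TLS 1.0 or better", and whether a given OpenSSL build or system crypto policy will actually negotiate TLS 1.0 is outside what the code can promise. It also shows the "already redundant" case from the patch comment: on OpenSSL 1.1 and later the SSLv2 option bit is zero because the protocol is gone entirely, so a check has to distinguish "blocked by option" from "not compiled in".

```python
"""Version-flexible TLS context with an explicit protocol floor.

Added example in the spirit of the spice-server patch; not spice code.
"""
import ssl

# Each "do not use this version" option bit and the protocol it names.
# The constants are the ssl module's own; the table and helpers are ours.
_NO_VERSION_FLAGS = (
    ("SSLv2", ssl.OP_NO_SSLv2),
    ("SSLv3", ssl.OP_NO_SSLv3),
    ("TLSv1", ssl.OP_NO_TLSv1),
    ("TLSv1.1", ssl.OP_NO_TLSv1_1),
    ("TLSv1.2", ssl.OP_NO_TLSv1_2),
    ("TLSv1.3", ssl.OP_NO_TLSv1_3),
)


def make_server_context(floor: ssl.TLSVersion = ssl.TLSVersion.TLSv1) -> ssl.SSLContext:
    """Build a context the way the patch does: start from the version-flexible
    method, then forbid versions rather than pinning one.

    PROTOCOL_TLS_SERVER corresponds to SSLv23_method(); the context already
    carries SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3.  Setting minimum_version is the
    modern spelling of "TLS 1.0 or better" (assumption: the local OpenSSL
    build still allows that floor; distro policies may raise it).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = floor
    return ctx


def blocked_versions(ctx: ssl.SSLContext) -> list:
    """Protocol versions excluded by the context's SSL_OP_NO_* bits.

    A flag whose value is 0 is skipped here: it means the library dropped the
    protocol entirely (OpenSSL >= 1.1 defines SSL_OP_NO_SSLv2 as 0), which is
    the "already redundant" case the patch comment describes.
    """
    return [name for name, flag in _NO_VERSION_FLAGS if flag and ctx.options & flag]


def unavailable_versions() -> list:
    """Versions this OpenSSL build no longer has an option bit for at all."""
    return [name for name, flag in _NO_VERSION_FLAGS if not flag]


def accepts_sslv3(ctx: ssl.SSLContext) -> bool:
    """True only if nothing rules SSLv3 out: not the option bit, not the
    build, and not the protocol floor."""
    if "SSLv3" in blocked_versions(ctx) or "SSLv3" in unavailable_versions():
        return False
    return ctx.minimum_version in (ssl.TLSVersion.MINIMUM_SUPPORTED,
                                   ssl.TLSVersion.SSLv3)


def floor_name(ctx: ssl.SSLContext) -> str:
    """Name of the lowest version the context will negotiate."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    server = make_server_context()
    print("floor:", floor_name(server))
    print("blocked by SSL_OP_NO_*:", blocked_versions(server))
    print("not built into this OpenSSL:", unavailable_versions())
    print("would accept SSLv3:", accepts_sslv3(server))
```

The point of accepts_sslv3() is that a single option bit is not the whole story: a version can be excluded by the option mask, by the protocol floor, or by the library build, and an audit check should look at all three before declaring SSLv3 off.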