[evolution-data-server] [Camel] Disable SSL v2 and weak ciphers by default



commit b3b4ca29572791b40f7ebd1bea0501305b9356c7
Author: Milan Crha <mcrha redhat com>
Date:   Thu Aug 8 14:36:10 2013 +0200

    [Camel] Disable SSL v2 and weak ciphers by default
    
    The change for disabled weak ciphers require at least NSS 3.14, thus
    weak ciphers are enabled, if it's compiled with older NSS. In case
    any server will require either weak ciphers or SSL v2 (while there
    really should not anyone use it these days), then two environment
    variables were added:
    
       CAMEL_SSL_V2_ENABLE=1 - to have SSL v2 enabled, otherwise it's disabled,
           regardless what camel providers request (they usually request v2 and
           v3 together)
    
       CAMEL_SSL_WEAK_CIPHERS=1 - to enable weak ciphers, almost the same as
           before; otherwise these are disabled and only those covered by
           NSS_SetDomesticPolicy() are enabled
    
    These are added to the group of one for SSL V2 compatible hello:
    
       CAMEL_SSL_V2_HELLO=1 - to force SSL v2 compatible hello on SSL connections

 camel/camel-tcp-stream-ssl.c |    7 ++++++-
 camel/camel.c                |   35 +++++++++++++++++++++++++++--------
 2 files changed, 33 insertions(+), 9 deletions(-)
---
diff --git a/camel/camel-tcp-stream-ssl.c b/camel/camel-tcp-stream-ssl.c
index 9e58400..97f053c 100644
--- a/camel/camel-tcp-stream-ssl.c
+++ b/camel/camel-tcp-stream-ssl.c
@@ -544,6 +544,7 @@ enable_ssl (CamelTcpStreamSSL *ssl,
             PRFileDesc *fd)
 {
        PRFileDesc *ssl_fd;
+       static gchar v2_enabled = -1;
 
        g_assert (fd != NULL);
 
@@ -553,7 +554,11 @@ enable_ssl (CamelTcpStreamSSL *ssl,
 
        SSL_OptionSet (ssl_fd, SSL_SECURITY, PR_TRUE);
 
-       if (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_SSL2) {
+       /* check camel.c for the same "CAMEL_SSL_V2_ENABLE" */
+       if (v2_enabled == -1)
+               v2_enabled = g_strcmp0 (g_getenv ("CAMEL_SSL_V2_ENABLE"), "1") == 0 ? 1 : 0;
+
+       if (v2_enabled && (ssl->priv->flags & CAMEL_TCP_STREAM_SSL_ENABLE_SSL2) != 0) {
                static gchar v2_hello = -1;
 
                /* Zarafa server with disabled SSL v2 rejects connection when
diff --git a/camel/camel.c b/camel/camel.c
index 49f2d60..fc73fe5 100644
--- a/camel/camel.c
+++ b/camel/camel.c
@@ -31,6 +31,7 @@
 #include <prthread.h>
 #include "nss.h"      /* Don't use <> here or it will include the system nss.h instead */
 #include <ssl.h>
+#include <sslproto.h>
 #include <errno.h>
 
 #include <glib/gi18n-lib.h>
@@ -95,10 +96,22 @@ camel_init (const gchar *configdir,
        camel_debug_init ();
 
        if (nss_init) {
+               static gchar v2_enabled = -1, weak_ciphers = -1;
                gchar *nss_configdir = NULL;
                gchar *nss_sql_configdir = NULL;
                SECStatus status = SECFailure;
-               PRUint16 indx;
+
+#if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && NSS_VMINOR < 14)
+               /* NSS pre-3.14 has most of the ciphers disabled, thus enable
+                * weak ciphers, if it's compiled against such */
+               weak_ciphers = 1;
+#endif
+
+               /* check camel-tcp-stream-ssl.c for the same "CAMEL_SSL_V2_ENABLE" */
+               if (v2_enabled == -1)
+                       v2_enabled = g_strcmp0 (g_getenv ("CAMEL_SSL_V2_ENABLE"), "1") == 0 ? 1 : 0;
+               if (weak_ciphers == -1)
+                       weak_ciphers = g_strcmp0 (g_getenv ("CAMEL_SSL_WEAK_CIPHERS"), "1") == 0 ? 1 : 0;
 
                if (nss_initlock == NULL) {
                        PR_Init (PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 10);
@@ -185,18 +198,24 @@ skip_nss_init:
 
                NSS_SetDomesticPolicy ();
 
-               PR_Unlock (nss_initlock);
+               if (weak_ciphers) {
+                       PRUint16 indx;
 
-               /* we must enable all ciphersuites */
-               for (indx = 0; indx < SSL_NumImplementedCiphers; indx++) {
-                       if (!SSL_IS_SSL2_CIPHER (SSL_ImplementedCiphers[indx]))
-                               SSL_CipherPrefSetDefault (SSL_ImplementedCiphers[indx], PR_TRUE);
+                       /* enable SSL3/TLS cipher-suites */
+                       for (indx = 0; indx < SSL_NumImplementedCiphers; indx++) {
+                               if (!SSL_IS_SSL2_CIPHER (SSL_ImplementedCiphers[indx]) &&
+                                   SSL_ImplementedCiphers[indx] != SSL_RSA_WITH_NULL_SHA &&
+                                   SSL_ImplementedCiphers[indx] != SSL_RSA_WITH_NULL_MD5)
+                                       SSL_CipherPrefSetDefault (SSL_ImplementedCiphers[indx], PR_TRUE);
+                       }
                }
 
-               SSL_OptionSetDefault (SSL_ENABLE_SSL2, PR_TRUE);
+               SSL_OptionSetDefault (SSL_ENABLE_SSL2, v2_enabled ? PR_TRUE : PR_FALSE);
+               SSL_OptionSetDefault (SSL_V2_COMPATIBLE_HELLO, PR_FALSE);
                SSL_OptionSetDefault (SSL_ENABLE_SSL3, PR_TRUE);
                SSL_OptionSetDefault (SSL_ENABLE_TLS, PR_TRUE);
-               SSL_OptionSetDefault (SSL_V2_COMPATIBLE_HELLO, PR_TRUE /* maybe? */);
+
+               PR_Unlock (nss_initlock);
 
                g_free (nss_configdir);
                g_free (nss_sql_configdir);


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]