SSLv3 support removed

2025-10-28 21:41:29 +01:00 · 2015-11-15 14:58:45 -08:00 · 2015-11-15 14:58:45 -08:00 · 51ca693359
commit 51ca693359
parent 1cf4bee671
11 changed files with 16 additions and 35 deletions
--- a/5
+++ b/5
@ -1,6 +1,7 @@
-10/11/2015 Oleg Moskalenko <mom040267@gmail.com>
+11/15/2015 Oleg Moskalenko <mom040267@gmail.com>
 Version 4.5.0.3 'dan Eider':
-	- Compatibility with OpenSSL distributions or clones
+	- SSLv3 support removed. That provides extra security and
+	compatibility with OpenSSL distributions or clones
 	that does not support SSLv3 (like LibreSSL 2.3.0).
 	This fix is required for fresh FreeBSD and for Debian unstable.
 	- Compilation and configuration cleaning.
--- a/README.turnserver
+++ b/README.turnserver
@ -187,8 +187,6 @@ Flags:

 --dh2066		Use 2066 bits predefined DH TLS key. Default size of the key is 1066.

--no-sslv3		Do not allow SSLv3 protocol.
-
 --no-tlsv1		Do not allow TLSv1/DTLSv1 protocol.

 --no-tlsv1_1		Do not allow TLSv1.1 protocol.
--- a/examples/etc/turnserver.conf
+++ b/examples/etc/turnserver.conf
@ -615,9 +615,8 @@
 #
 #ne=[1|2|3]

-# Do not allow an SSL/TLS/DTLS version of protocol
+# Do not allow an TLS/DTLS version of protocol
 #
-#no-sslv3
 #no-tlsv1
 #no-tlsv1_1
 #no-tlsv1_2
--- a/man/man1/turnadmin.1
+++ b/man/man1/turnadmin.1
@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "13 September 2015" "" ""
+.TH TURN 1 "15 November 2015" "" ""
 .SH GENERAL INFORMATION

 \fIturnadmin\fP is a TURN administration tool. This tool can be used to manage 
--- a/man/man1/turnserver.1
+++ b/man/man1/turnserver.1
@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "13 September 2015" "" ""
+.TH TURN 1 "15 November 2015" "" ""
 .SH GENERAL INFORMATION

 The \fBTURN Server\fP project contains the source code of a TURN server and TURN client 
@ -276,10 +276,6 @@ Use 566 bits predefined DH TLS key. Default size of the key is 1066.
 Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
 .TP
 .B
-\fB\-\-no\-sslv3\fP
-Do not allow SSLv3 protocol.
-.TP
-.B
 \fB\-\-no\-tlsv1\fP
 Do not allow TLSv1/DTLSv1 protocol.
 .TP
--- a/man/man1/turnutils.1
+++ b/man/man1/turnutils.1
@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "13 September 2015" "" ""
+.TH TURN 1 "15 November 2015" "" ""
 .SH GENERAL INFORMATION

 A set of turnutils_* programs provides some utility functionality to be used
--- a/src/apps/common/apputils.c
+++ b/src/apps/common/apputils.c
@ -1037,13 +1037,6 @@ static const char* turn_get_method(const SSL_METHOD *method, const char* mdefaul
 		if(!method)
 			return mdefault;
 		else {
-#ifndef OPENSSL_NO_SSL3
-			if(method == SSLv3_server_method()) {
-				return "SSLv3";
-			} else if(method == SSLv3_client_method()) {
-				return "SSLv3";
-			} else
-#endif
 			if(method == SSLv23_server_method()) {
 					return "SSLv23";
 			} else if(method == SSLv23_client_method()) {
--- a/src/apps/relay/mainrelay.c
+++ b/src/apps/relay/mainrelay.c
@ -82,7 +82,7 @@ NULL,

 DH_1066, "", "", "",
 "turn_server_cert.pem","turn_server_pkey.pem", "", "",
-0,0,0,0,
+0,0,0,
 #if !TLS_SUPPORTED
 1,
 #else
@ -518,7 +518,6 @@ static char Usage[] = "Usage: turnserver [options]\n"
 " --dh2066					Use 2066 bits predefined DH TLS key. Default size of the predefined key is 1066.\n"
 " --dh-file	<dh-file-name>			Use custom DH TLS key, stored in PEM format in the file.\n"
 "						Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.\n"
-" --no-sslv3					Do not allow SSLv3 protocol.\n"
 " --no-tlsv1					Do not allow TLSv1/DTLSv1 protocol.\n"
 " --no-tlsv1_1					Do not allow TLSv1.1 protocol.\n"
 " --no-tlsv1_2					Do not allow TLSv1.2/DTLSv1.2 protocol.\n"
@ -702,7 +701,7 @@ enum EXTRA_OPTS {
 	DH2066_OPT,
 	NE_TYPE_OPT,
 	NO_SSLV2_OPT, /*deprecated*/
-	NO_SSLV3_OPT,
+	NO_SSLV3_OPT, /*deprecated*/
 	NO_TLSV1_OPT,
 	NO_TLSV1_1_OPT,
 	NO_TLSV1_2_OPT,
@ -821,7 +820,7 @@ static const struct myoption long_options[] = {
 				{ "dh2066", optional_argument, NULL, DH2066_OPT },
 				{ "ne", required_argument, NULL, NE_TYPE_OPT },
 				{ "no-sslv2", optional_argument, NULL, NO_SSLV2_OPT }, /* deprecated */
-				{ "no-sslv3", optional_argument, NULL, NO_SSLV3_OPT },
+				{ "no-sslv3", optional_argument, NULL, NO_SSLV3_OPT }, /* deprecated */
 				{ "no-tlsv1", optional_argument, NULL, NO_TLSV1_OPT },
 				{ "no-tlsv1_1", optional_argument, NULL, NO_TLSV1_1_OPT },
 				{ "no-tlsv1_2", optional_argument, NULL, NO_TLSV1_2_OPT },
@ -907,7 +906,7 @@ static void set_option(int c, char *value)
    //deprecated
 	  break;
  case NO_SSLV3_OPT:
-	  turn_params.no_sslv3 = get_bool_value(value);
+	  //deprecated
 	  break;
  case NO_TLSV1_OPT:
 	  turn_params.no_tlsv1 = get_bool_value(value);
@ -2548,8 +2547,9 @@ static void set_ctx(SSL_CTX* ctx, const char *protocol)
 		op |= SSL_OP_NO_SSLv2;
 #endif

-		if(turn_params.no_sslv3)
+#if defined(SSL_OP_NO_SSLv2)
 			op |= SSL_OP_NO_SSLv3;
+#endif

 		if(turn_params.no_tlsv1)
 			op |= SSL_OP_NO_TLSv1;
--- a/src/apps/relay/mainrelay.h
+++ b/src/apps/relay/mainrelay.h
@ -198,8 +198,7 @@ typedef struct _turn_params_ {
  char pkey_file[1025];
  char tls_password[513];
  char dh_file[1025];
-  
-  int no_sslv3;
+
  int no_tlsv1;
  int no_tlsv1_1;
  int no_tlsv1_2;
--- a/src/apps/relay/turn_admin_server.c
+++ b/src/apps/relay/turn_admin_server.c
@ -701,7 +701,6 @@ static void cli_print_configuration(struct cli_session* cs)
 		cli_print_flag(cs,turn_params.no_dtls,"no-dtls",0);
 		cli_print_flag(cs,turn_params.no_tls,"no-tls",0);

-		cli_print_flag(cs,(!turn_params.no_sslv3 && !turn_params.no_tls),"SSLv3",0);
 		cli_print_flag(cs,(!turn_params.no_tlsv1 && !turn_params.no_tls),"TLSv1.0",0);
 		cli_print_flag(cs,(!turn_params.no_tlsv1_1 && !turn_params.no_tls),"TLSv1.1",0);
 		cli_print_flag(cs,(!turn_params.no_tlsv1_2 && !turn_params.no_tls),"TLSv1.2",0);
@ -1963,7 +1962,6 @@ static void write_pc_page(ioa_socket_handle s)
 				https_print_flag(sb,turn_params.no_dtls,"no-dtls",0);
 				https_print_flag(sb,turn_params.no_tls,"no-tls",0);

-				https_print_flag(sb,(!turn_params.no_sslv3 && !turn_params.no_tls),"SSLv3",0);
 				https_print_flag(sb,(!turn_params.no_tlsv1 && !turn_params.no_tls),"TLSv1.0",0);
 				https_print_flag(sb,(!turn_params.no_tlsv1_1 && !turn_params.no_tls),"TLSv1.1",0);
 				https_print_flag(sb,(!turn_params.no_tlsv1_2 && !turn_params.no_tls),"TLSv1.2",0);
--- a/src/apps/uclient/mainuclient.c
+++ b/src/apps/uclient/mainuclient.c
@ -483,14 +483,11 @@ int main(int argc, char **argv)
 		  root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(SSLv23_client_method());
 		  SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
 		  root_tls_ctx_num++;
-#ifndef OPENSSL_NO_SSL3
-		  root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(SSLv3_client_method());
-		  SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
-		  root_tls_ctx_num++;
-#endif
+
 		  root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(TLSv1_client_method());
 		  SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
 		  root_tls_ctx_num++;
+
 #if TLSv1_1_SUPPORTED
 		  root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(TLSv1_1_client_method());
 		  SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);