SSLv3 support removed

2025-10-29 14:01:01 +01:00 · 2015-11-15 14:58:45 -08:00 · 2015-11-15 14:58:45 -08:00 · 51ca693359
commit 51ca693359
parent 1cf4bee671
11 changed files with 16 additions and 35 deletions
--- a/5
+++ b/5
@ -1,6 +1,7 @@
-10/11/2015 Oleg Moskalenko <mom040267@gmail.com>
+11/15/2015 Oleg Moskalenko <mom040267@gmail.com>
 Version 4.5.0.3 'dan Eider':
-	- Compatibility with OpenSSL distributions or clones
+	- SSLv3 support removed. That provides extra security and
 	compatibility with OpenSSL distributions or clones
 	that does not support SSLv3 (like LibreSSL 2.3.0).
 	This fix is required for fresh FreeBSD and for Debian unstable.
 	- Compilation and configuration cleaning.
--- a/README.turnserver
+++ b/README.turnserver
@ -187,8 +187,6 @@ Flags:
 --dh2066		Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
 --no-sslv3		Do not allow SSLv3 protocol.
 --no-tlsv1		Do not allow TLSv1/DTLSv1 protocol.
 --no-tlsv1_1		Do not allow TLSv1.1 protocol.
--- a/examples/etc/turnserver.conf
+++ b/examples/etc/turnserver.conf
@ -615,9 +615,8 @@
 #
 #ne=[1|2|3]
-# Do not allow an SSL/TLS/DTLS version of protocol
+# Do not allow an TLS/DTLS version of protocol
 #
 #no-sslv3
 #no-tlsv1
 #no-tlsv1_1
 #no-tlsv1_2
--- a/man/man1/turnadmin.1
+++ b/man/man1/turnadmin.1
@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "13 September 2015" "" ""
+.TH TURN 1 "15 November 2015" "" ""
 .SH GENERAL INFORMATION
 \fIturnadmin\fP is a TURN administration tool. This tool can be used to manage 
--- a/man/man1/turnserver.1
+++ b/man/man1/turnserver.1
@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "13 September 2015" "" ""
+.TH TURN 1 "15 November 2015" "" ""
 .SH GENERAL INFORMATION
 The \fBTURN Server\fP project contains the source code of a TURN server and TURN client 
@ -276,10 +276,6 @@ Use 566 bits predefined DH TLS key. Default size of the key is 1066.
 Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
 .TP
 .B
 \fB\-\-no\-sslv3\fP
 Do not allow SSLv3 protocol.
 .TP
 .B
 \fB\-\-no\-tlsv1\fP
 Do not allow TLSv1/DTLSv1 protocol.
 .TP
--- a/man/man1/turnutils.1
+++ b/man/man1/turnutils.1
@ -1,5 +1,5 @@
 .\" Text automatically generated by txt2man
-.TH TURN 1 "13 September 2015" "" ""
+.TH TURN 1 "15 November 2015" "" ""
 .SH GENERAL INFORMATION
 A set of turnutils_* programs provides some utility functionality to be used
--- a/src/apps/common/apputils.c
+++ b/src/apps/common/apputils.c
@ -1037,13 +1037,6 @@ static const char* turn_get_method(const SSL_METHOD *method, const char* mdefaul
 		if(!method)
 			return mdefault;
 		else {
 #ifndef OPENSSL_NO_SSL3
 			if(method == SSLv3_server_method()) {
 				return "SSLv3";
 			} else if(method == SSLv3_client_method()) {
 				return "SSLv3";
 			} else
 #endif
 			if(method == SSLv23_server_method()) {
 					return "SSLv23";
 			} else if(method == SSLv23_client_method()) {
--- a/src/apps/relay/mainrelay.c
+++ b/src/apps/relay/mainrelay.c
@ -82,7 +82,7 @@ NULL,
 DH_1066, "", "", "",
 "turn_server_cert.pem","turn_server_pkey.pem", "", "",
-0,0,0,0,
+0,0,0,
 #if !TLS_SUPPORTED
 1,
 #else
@ -518,7 +518,6 @@ static char Usage[] = "Usage: turnserver [options]\n"
 " --dh2066					Use 2066 bits predefined DH TLS key. Default size of the predefined key is 1066.\n"
 " --dh-file	<dh-file-name>			Use custom DH TLS key, stored in PEM format in the file.\n"
 "						Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.\n"
 " --no-sslv3					Do not allow SSLv3 protocol.\n"
 " --no-tlsv1					Do not allow TLSv1/DTLSv1 protocol.\n"
 " --no-tlsv1_1					Do not allow TLSv1.1 protocol.\n"
 " --no-tlsv1_2					Do not allow TLSv1.2/DTLSv1.2 protocol.\n"
@ -702,7 +701,7 @@ enum EXTRA_OPTS {
 	DH2066_OPT,
 	NE_TYPE_OPT,
 	NO_SSLV2_OPT, /*deprecated*/
-	NO_SSLV3_OPT,
+	NO_SSLV3_OPT, /*deprecated*/
 	NO_TLSV1_OPT,
 	NO_TLSV1_1_OPT,
 	NO_TLSV1_2_OPT,
@ -821,7 +820,7 @@ static const struct myoption long_options[] = {
 				{ "dh2066", optional_argument, NULL, DH2066_OPT },
 				{ "ne", required_argument, NULL, NE_TYPE_OPT },
 				{ "no-sslv2", optional_argument, NULL, NO_SSLV2_OPT }, /* deprecated */
-				{ "no-sslv3", optional_argument, NULL, NO_SSLV3_OPT },
+				{ "no-sslv3", optional_argument, NULL, NO_SSLV3_OPT }, /* deprecated */
 				{ "no-tlsv1", optional_argument, NULL, NO_TLSV1_OPT },
 				{ "no-tlsv1_1", optional_argument, NULL, NO_TLSV1_1_OPT },
 				{ "no-tlsv1_2", optional_argument, NULL, NO_TLSV1_2_OPT },
@ -907,7 +906,7 @@ static void set_option(int c, char *value)
    //deprecated
 	  break;
  case NO_SSLV3_OPT:
-	  turn_params.no_sslv3 = get_bool_value(value);
+	  //deprecated
 	  break;
  case NO_TLSV1_OPT:
 	  turn_params.no_tlsv1 = get_bool_value(value);
@ -2548,8 +2547,9 @@ static void set_ctx(SSL_CTX* ctx, const char *protocol)
 		op |= SSL_OP_NO_SSLv2;
 #endif
-		if(turn_params.no_sslv3)
+#if defined(SSL_OP_NO_SSLv2)
 			op |= SSL_OP_NO_SSLv3;
 #endif
 		if(turn_params.no_tlsv1)
 			op |= SSL_OP_NO_TLSv1;
--- a/src/apps/relay/mainrelay.h
+++ b/src/apps/relay/mainrelay.h
@ -198,8 +198,7 @@ typedef struct _turn_params_ {
  char pkey_file[1025];
  char tls_password[513];
  char dh_file[1025];
-  
+
  int no_sslv3;
  int no_tlsv1;
  int no_tlsv1_1;
  int no_tlsv1_2;
--- a/src/apps/relay/turn_admin_server.c
+++ b/src/apps/relay/turn_admin_server.c
@ -701,7 +701,6 @@ static void cli_print_configuration(struct cli_session* cs)
 		cli_print_flag(cs,turn_params.no_dtls,"no-dtls",0);
 		cli_print_flag(cs,turn_params.no_tls,"no-tls",0);
 		cli_print_flag(cs,(!turn_params.no_sslv3 && !turn_params.no_tls),"SSLv3",0);
 		cli_print_flag(cs,(!turn_params.no_tlsv1 && !turn_params.no_tls),"TLSv1.0",0);
 		cli_print_flag(cs,(!turn_params.no_tlsv1_1 && !turn_params.no_tls),"TLSv1.1",0);
 		cli_print_flag(cs,(!turn_params.no_tlsv1_2 && !turn_params.no_tls),"TLSv1.2",0);
@ -1963,7 +1962,6 @@ static void write_pc_page(ioa_socket_handle s)
 				https_print_flag(sb,turn_params.no_dtls,"no-dtls",0);
 				https_print_flag(sb,turn_params.no_tls,"no-tls",0);
 				https_print_flag(sb,(!turn_params.no_sslv3 && !turn_params.no_tls),"SSLv3",0);
 				https_print_flag(sb,(!turn_params.no_tlsv1 && !turn_params.no_tls),"TLSv1.0",0);
 				https_print_flag(sb,(!turn_params.no_tlsv1_1 && !turn_params.no_tls),"TLSv1.1",0);
 				https_print_flag(sb,(!turn_params.no_tlsv1_2 && !turn_params.no_tls),"TLSv1.2",0);
--- a/src/apps/uclient/mainuclient.c
+++ b/src/apps/uclient/mainuclient.c
@ -483,14 +483,11 @@ int main(int argc, char **argv)
 		  root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(SSLv23_client_method());
 		  SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
 		  root_tls_ctx_num++;
-#ifndef OPENSSL_NO_SSL3
+
 		  root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(SSLv3_client_method());
 		  SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
 		  root_tls_ctx_num++;
 #endif
 		  root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(TLSv1_client_method());
 		  SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
 		  root_tls_ctx_num++;
 #if TLSv1_1_SUPPORTED
 		  root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(TLSv1_1_client_method());
 		  SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);