svn commit: r295840 - stable/9/lib/libfetch

Dag-Erling Smørgrav des at FreeBSD.org
Sat Feb 20 13:36:26 UTC 2016 

Author: des
Date: Sat Feb 20 13:36:24 2016
New Revision: 295840
URL: https://svnweb.freebsd.org/changeset/base/295840

Log:
  MFH (r273114, r273124): turn SSLv3 off by default
  MFH (r294326): fall back to standard / configured CA store
  MFH (r295536): fix double-free when SSL connection fails
  
  PR:		193871 206774

Modified:
  stable/9/lib/libfetch/common.c
  stable/9/lib/libfetch/fetch.3
  stable/9/lib/libfetch/http.c
Directory Properties:
  stable/9/   (props changed)
  stable/9/lib/   (props changed)
  stable/9/lib/libfetch/   (props changed)
  stable/9/usr.bin/   (props changed)
  stable/9/usr.bin/fetch/   (props changed)

Modified: stable/9/lib/libfetch/common.c
==============================================================================
--- stable/9/lib/libfetch/common.c	Sat Feb 20 13:21:59 2016	(r295839)
+++ stable/9/lib/libfetch/common.c	Sat Feb 20 13:36:24 2016	(r295840)
@@ -674,7 +674,7 @@ fetch_ssl_setup_transport_layer(SSL_CTX 
 	long ssl_ctx_options;
 
 	ssl_ctx_options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_TICKET;
-	if (getenv("SSL_NO_SSL3") != NULL)
+	if (getenv("SSL_ALLOW_SSL3") == NULL)
 		ssl_ctx_options |= SSL_OP_NO_SSLv3;
 	if (getenv("SSL_NO_TLS1") != NULL)
 		ssl_ctx_options |= SSL_OP_NO_TLSv1;
@@ -701,7 +701,8 @@ fetch_ssl_setup_peer_verification(SSL_CT
 		if (ca_cert_file == NULL &&
 		    access(LOCAL_CERT_FILE, R_OK) == 0)
 			ca_cert_file = LOCAL_CERT_FILE;
-		if (ca_cert_file == NULL)
+		if (ca_cert_file == NULL &&
+		    access(BASE_CERT_FILE, R_OK) == 0)
 			ca_cert_file = BASE_CERT_FILE;
 		ca_cert_path = getenv("SSL_CA_CERT_PATH");
 		if (verbose) {
@@ -712,11 +713,17 @@ fetch_ssl_setup_peer_verification(SSL_CT
 			if (ca_cert_path != NULL)
 				fetch_info("Using CA cert path: %s",
 				    ca_cert_path);
+			if (ca_cert_file == NULL && ca_cert_path == NULL)
+				fetch_info("Using OpenSSL default "
+				    "CA cert file and path");
 		}
 		SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER,
 		    fetch_ssl_cb_verify_crt);
-		SSL_CTX_load_verify_locations(ctx, ca_cert_file,
-		    ca_cert_path);
+		if (ca_cert_file != NULL || ca_cert_path != NULL)
+			SSL_CTX_load_verify_locations(ctx, ca_cert_file,
+			    ca_cert_path);
+		else
+			SSL_CTX_set_default_verify_paths(ctx);
 		if ((crl_file = getenv("SSL_CRL_FILE")) != NULL) {
 			if (verbose)
 				fetch_info("Using CRL file: %s", crl_file);
@@ -872,8 +879,8 @@ fetch_ssl(conn_t *conn, const struct url
 	}
 
 	if (verbose) {
-		fetch_info("SSL connection established using %s",
-		    SSL_get_cipher(conn->ssl));
+		fetch_info("%s connection established using %s",
+		    SSL_get_version(conn->ssl), SSL_get_cipher(conn->ssl));
 		name = X509_get_subject_name(conn->ssl_cert);
 		str = X509_NAME_oneline(name, 0, 0);
 		fetch_info("Certificate subject: %s", str);

Modified: stable/9/lib/libfetch/fetch.3
==============================================================================
--- stable/9/lib/libfetch/fetch.3	Sat Feb 20 13:21:59 2016	(r295839)
+++ stable/9/lib/libfetch/fetch.3	Sat Feb 20 13:36:24 2016	(r295840)
@@ -438,13 +438,13 @@ input (see
 .Pp
 By default
 .Nm libfetch
-allows SSLv3 and TLSv1 when negotiating the connecting with the remote
+allows TLSv1 when negotiating the connecting with the remote
 peer.
 You can change this behavior by setting the
-.Ev SSL_NO_SSL3
-or
+.Ev SSL_ALLOW_SSL3
+environment variable to allow SSLv3 and
 .Ev SSL_NO_TLS1
-environment variables to disable the respective methods.
+to disable TLS 1.0.
 .Sh AUTHENTICATION
 Apart from setting the appropriate environment variables and
 specifying the user name and password in the URL or the
@@ -642,6 +642,8 @@ which proxies should not be used.
 Same as
 .Ev NO_PROXY ,
 for compatibility.
+.It Ev SSL_ALLOW_SSL3
+Allow SSL version 3 when negotiating the connection (not recommended).
 .It Ev SSL_CA_CERT_FILE
 CA certificate bundle containing trusted CA certificates.
 Default value:
@@ -656,10 +658,12 @@ PEM encoded client key in case key and c
 are stored separately.
 .It Ev SSL_CRL_FILE
 File containing certificate revocation list.
-.It Ev SSL_NO_SSL3
-Don't allow SSL version 3 when negotiating the connection.
 .It Ev SSL_NO_TLS1
-Don't allow TLV version 1 when negotiating the connection.
+Do not allow TLS version 1.0 when negotiating the connection.
+.It Ev SSL_NO_TLS1_1
+Do not allow TLS version 1.1 when negotiating the connection.
+.It Ev SSL_NO_TLS1_2
+Do not allow TLS version 1.2 when negotiating the connection.
 .It Ev SSL_NO_VERIFY_HOSTNAME
 If set, do not verify that the hostname matches the subject of the
 certificate presented by the server.

Modified: stable/9/lib/libfetch/http.c
==============================================================================
--- stable/9/lib/libfetch/http.c	Sat Feb 20 13:21:59 2016	(r295839)
+++ stable/9/lib/libfetch/http.c	Sat Feb 20 13:36:24 2016	(r295840)
@@ -1435,7 +1435,6 @@ http_connect(struct url *URL, struct url
 	}
 	if (strcasecmp(URL->scheme, SCHEME_HTTPS) == 0 &&
 	    fetch_ssl(conn, URL, verbose) == -1) {
-		fetch_close(conn);
 		/* grrr */
 		errno = EAUTH;
 		fetch_syserr();

More information about the svn-src-stable-9 mailing list