-rw-r--r-- | .gitlab-ci.yml | 6 | ||||
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | doc/cha-library.texi | 2 | ||||
-rw-r--r-- | doc/cha-upgrade.texi | 5 | ||||
-rw-r--r-- | lib/cipher-cbc.c | 2 | ||||
-rw-r--r-- | m4/hooks.m4 | 9 |
6 files changed, 19 insertions, 8 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 230b0a043c..a73e42a8df 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -109,13 +109,13 @@ minimal.Fedora.x86_64: except: - tags -no-SSL-3.0.Fedora.x86_64: +SSL-3.0.Fedora.x86_64: stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD script: - ./bootstrap - mkdir -p build && cd build && - dash ../configure --disable-gcc-warnings --cache-file ../cache/config.cache --disable-ssl3-support --disable-ssl2-support --disable-full-test-suite --enable-seccomp-tests --disable-doc --disable-guile && + dash ../configure --disable-gcc-warnings --cache-file ../cache/config.cache --enable-ssl3-support --disable-ssl2-support --disable-full-test-suite --enable-seccomp-tests --disable-doc --disable-guile && make -j$(nproc) && make check -j$(nproc) - cd .. tags: @@ -138,7 +138,7 @@ TLS1.3/interop: script: - git submodule update --init --no-fetch - ./bootstrap - - dash ./configure --enable-tls13-support --disable-gcc-warnings --cache-file cache/config.cache --disable-ssl3-support --disable-ssl2-support --disable-full-test-suite --enable-seccomp-tests --disable-doc --disable-guile && + - dash ./configure --enable-tls13-support --disable-gcc-warnings --cache-file cache/config.cache --disable-full-test-suite --enable-seccomp-tests --disable-doc --disable-guile && make -j$(nproc) - cd devel/openssl && ./config enable-tls1_3 && make -j$(nproc) && cd ../.. - make -C tests/suite TESTS=testcompat-tls13-openssl.sh check @@ -31,6 +31,9 @@ See the end for copying conditions. priority strings, as they are undefined under TLS1.3 and they provide not advantage over other options in earlier protocols. +** The SSL 3.0 protocol is disabled on compile-time by default. It can be re-enabled + by specifying --enable-ssl3-support on configure script. + ** libgnutls: Introduced function to switch the current FIPS140-2 operational mode, i.e., strict vs a more lax mode which will allow certain non FIPS140-2 operations. 
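Review bot: The new configure line in the TLS1.3/interop job drops `--disable-ssl2-support` together with `--disable-ssl3-support`, although this commit only changes the SSL 3.0 default. The default for ssl2-support is not visible in this diff; if it is still enabled by default, the interop build now compiles in the SSL 2.0 client-hello path that this job used to exclude. Unless that is intended, keep `--disable-ssl2-support` on that line and remove only `--disable-ssl3-support`.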
diff --git a/doc/cha-library.texi b/doc/cha-library.texi index 7fe7fb7297..354bb0a769 100644 --- a/doc/cha-library.texi +++ b/doc/cha-library.texi @@ -15,7 +15,7 @@ include: @itemize -@item Support for TLS 1.3, TLS 1.2, TLS 1.1, TLS 1.0 and SSL 3.0 protocols. +@item Support for TLS 1.3, TLS 1.2, TLS 1.1, TLS 1.0 and optionally SSL 3.0 protocols. @item Support for Datagram TLS 1.0 and 1.2. diff --git a/doc/cha-upgrade.texi b/doc/cha-upgrade.texi index 3e593dffb7..83e1120840 100644 --- a/doc/cha-upgrade.texi +++ b/doc/cha-upgrade.texi @@ -194,6 +194,11 @@ however, there are minor differences, listed below. @item The priority strings "+COMP" are a no-op @tab TLS compression is no longer available. +@item The SSL 3.0 protocol is a no-op +@tab SSL 3.0 is no longer compiled in by default. It is a legacy protocol +which is completely eliminated from public internet. As such it was removed +to reduce the attack vector for applications using the library. + @item The hash function SHA2-224 is a no-op for TLS1.2 @tab TLS 1.3 no longer uses SHA2-224, and it was never a widespread hash algorithm. As such it was removed for simplicity. diff --git a/lib/cipher-cbc.c b/lib/cipher-cbc.c index 22b9390596..741119223b 100644 --- a/lib/cipher-cbc.c +++ b/lib/cipher-cbc.c @@ -84,7 +84,9 @@ int cbc_mac_verify(gnutls_session_t session, record_parameters_st *params, const uint8_t *tag_ptr = NULL; unsigned preamble_size; uint8_t tag[MAX_HASH_SIZE]; +#ifdef ENABLE_SSL3 unsigned blocksize = _gnutls_cipher_get_block_size(params->cipher); +#endif pad = data[data_size - 1]; /* pad */ diff --git a/m4/hooks.m4 b/m4/hooks.m4 index fcd6f9cd80..fe8d9a2dde 100644 --- a/m4/hooks.m4 +++ b/m4/hooks.m4 
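Review bot: The `#ifdef ENABLE_SSL3` added around `blocksize` in cbc_mac_verify has no comment saying why the variable is SSL 3.0-only, and every use of it lies outside the hunk, so a reader cannot confirm from here that the uses carry the same guard. If its only reader is the SSL 3.0 padding check (presumably, given the guard), I would add `/* only read by the SSL 3.0 padding check below */` above the declaration. This is worth verifying, because a use outside `#ifdef ENABLE_SSL3` would break the new default build. The function body starts and ends outside the hunk.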
@@ -157,11 +157,11 @@ LIBTASN1_MINIMUM=4.9 fi AM_CONDITIONAL(ALLOW_SHA1, test "$ac_allow_sha1" != "no") - ac_enable_ssl3=yes + ac_enable_ssl3=no AC_MSG_CHECKING([whether to disable the SSL 3.0 protocol]) AC_ARG_ENABLE(ssl3-support, - AS_HELP_STRING([--disable-ssl3-support], - [disable support for the SSL 3.0 protocol]), + AS_HELP_STRING([--enable-ssl3-support], + [enable support for the SSL 3.0 protocol]), ac_enable_ssl3=$enableval) if test x$ac_enable_ssl3 != xno; then AC_MSG_RESULT(no) @@ -170,6 +170,7 @@ LIBTASN1_MINIMUM=4.9 ac_full=0 AC_MSG_RESULT(yes) fi + AM_CONDITIONAL(ENABLE_SSL3, test "$ac_enable_ssl3" != "no") ac_enable_tls13=no @@ -200,7 +201,7 @@ LIBTASN1_MINIMUM=4.9 ac_full=0 AC_MSG_RESULT(yes) fi - AM_CONDITIONAL(ENABLE_SSL3, test "$ac_enable_ssl2" != "no") + AM_CONDITIONAL(ENABLE_SSL2, test "$ac_enable_ssl2" != "no") ac_enable_srtp=yes AC_MSG_CHECKING([whether to disable DTLS-SRTP extension]) |
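Review bot: In the first hooks.m4 hunk the option becomes opt-in, but the check still asks `whether to disable the SSL 3.0 protocol`, so configure prints "no" when SSL 3.0 is compiled in and "yes" when it is left out. For a legacy protocol that is now off by default, the build log should state the positive fact. I would change it to `AC_MSG_CHECKING([whether to enable the SSL 3.0 protocol])` and swap the results, `AC_MSG_RESULT(yes)` in the `!= xno` branch and `AC_MSG_RESULT(no)` in the else branch. The `if` block runs between the first and second hunks and part of it is not shown, so the lines that set the C-level `ENABLE_SSL3` define cannot be checked from here.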