[Git][NTPsec/ntpsec][master] Fix previous push to work on old versions of OpenSSL

Hal Murray gitlab at mg.gitlab.com
Sat Feb 9 12:52:24 UTC 2019


Hal Murray pushed to branch master at NTPsec / ntpsec


Commits:
eb9a747b by Hal Murray at 2019-02-09T12:49:49Z
Fix previous push to work on old versions of OpenSSL

- - - - -


4 changed files:

- include/nts.h
- libntp/ssl_init.c
- ntpd/nts_client.c
- ntpd/nts_server.c


Changes:

=====================================
include/nts.h
=====================================
@@ -54,5 +54,7 @@ extern struct ntsconfig_t ntsconfig;
 
 bool nts_make_keys(SSL *ssl, uint8_t *c2s, uint8_t *s2c, int keylen);
 
+#define NO_OLD_VERSIONS SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1
+
 
 #endif /* GUARD_NTS_H */
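Review bot: The replacement list of `NO_OLD_VERSIONS` on the added `#define` is not parenthesized, so any use other than a bare function argument (`NO_OLD_VERSIONS & x`, `~NO_OLD_VERSIONS`) would bind incorrectly; write it as `#define NO_OLD_VERSIONS (SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1)`. A one-line comment above it would also help readers of the header, e.g. `/* Disable every protocol below TLS 1.2 via SSL_CTX_set_options(); used where SSL_CTX_set_min_proto_version() is unavailable. */`. Both callers in this commit pass the macro straight to `SSL_CTX_set_options()`, so this hardens the macro rather than fixing a present misbehaviour.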


=====================================
libntp/ssl_init.c
=====================================
@@ -33,10 +33,8 @@ ssl_init(void)
 		return;
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-	SSL_library_init();
 	OpenSSL_add_all_digests();
 	OpenSSL_add_all_ciphers();
-	SSL_load_error_strings();
 	atexit(&atexit_ssl_cleanup);
 #endif
 
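Review bot: Dropping `SSL_library_init()` and `SSL_load_error_strings()` from the `OPENSSL_VERSION_NUMBER < 0x10100000L` branch leaves nothing on those versions that initializes libssl before `SSL_CTX_new()` is called in nts_probe() and nts_start_server(); on OpenSSL 1.0.x `SSL_library_init()` is required before a context can be created, and without `SSL_load_error_strings()` any ERR_* output is numeric only. Presumably the calls were removed because libntp is linked against libcrypto alone — if so, the equivalent one-time initialization belongs in the ntpd NTS code instead, e.g. `SSL_library_init(); SSL_load_error_strings();` under the same version test, before the first `SSL_CTX_new()`. The surrounding ssl_init() body continues outside the hunk, so I cannot see whether that already happens elsewhere.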


=====================================
ntpd/nts_client.c
=====================================
@@ -51,8 +51,10 @@ bool nts_probe(struct peer * peer) {
 #else
   /* Older versions of OpenSSL don't support min/max version requests.
    * That's OK, since we don't want anything older than 1.2 and
-   * they don't support anything newer. */
+   * they don't support anything newer.
+   * There is similar code in nts_start_server(). */
   ctx = SSL_CTX_new(TLSv1_2_client_method());
+  SSL_CTX_set_options(ctx, NO_OLD_VERSIONS);
   if (1) // FIXME if (non-default version request)
     msyslog(LOG_INFO, "NTSc: can't set min/max TLS versions.");
 #endif
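Review bot: The added `SSL_CTX_set_options(ctx, NO_OLD_VERSIONS)` runs without checking that `SSL_CTX_new()` succeeded; on the OpenSSL versions this branch targets, a missing library initialization is exactly the case in which `SSL_CTX_new()` returns NULL, and the options call then dereferences it. Insert `if (NULL == ctx) { msyslog(LOG_ERR, "NTSc: SSL_CTX_new() failed"); return false; }` between the two lines, routed through nts_probe()'s error path if it holds resources to release by that point — the function's body continues outside the hunk. The `#if` side of this conditional, also outside the hunk, and nts_start_server() need the same check.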
@@ -64,11 +66,13 @@ bool nts_probe(struct peer * peer) {
       msyslog(LOG_ERR, "NTSc: error setting TLS ciphers");
     }
   }
+#ifdef TLS1_3_VERSION
   if (NULL != ntsconfig.tlsciphersuites) {
     if (1 != SSL_CTX_set_ciphersuites(ctx, ntsconfig.tlsciphersuites)) {
       msyslog(LOG_ERR, "NTSc: error setting TLS ciphersuites");
     }
   }
+#endif
 
   ssl = SSL_new(ctx);
 
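Review bot: With the new `#ifdef TLS1_3_VERSION` guard, a configured `ntsconfig.tlsciphersuites` is silently ignored on builds without TLS 1.3, whereas every other configuration problem in this function is logged. Add an `#else` arm so the operator learns the setting had no effect: `#else` / `  if (NULL != ntsconfig.tlsciphersuites)` / `    msyslog(LOG_WARNING, "NTSc: tlsciphersuites ignored, this OpenSSL has no TLS 1.3");`. A cipher-suite restriction that is dropped without notice leaves the effective policy weaker than the configuration states, so it deserves more than INFO.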


=====================================
ntpd/nts_server.c
=====================================
@@ -29,8 +29,20 @@ void nts_start_server(void) {
     sigset_t block_mask, saved_sig_mask;
     int rc;
 
+#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
     ctx = SSL_CTX_new(TLS_server_method());
-    // FIXME set min/max versions
+    SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);  // FIXME
+    SSL_CTX_set_max_proto_version(ctx, 0);
+#else
+    /* Older versions of OpenSSL don't support min/max version requests.
+     * That's OK, since we don't want anything older than 1.2 and
+     * they don't support anything newer.
+     * There is similar code in nts_probe(). */
+    ctx = SSL_CTX_new(TLSv1_2_server_method());
+    SSL_CTX_set_options(ctx, NO_OLD_VERSIONS);
+    if (1) // FIXME if (non-default version request)
+      msyslog(LOG_INFO, "NTSc: can't set min/max TLS versions.");
+#endif
 
     if (1 != SSL_CTX_use_certificate_chain_file(ctx, "/etc/ntp/cert-chain.pem")) {
         // FIXME log SSL errors
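Review bot: Neither branch of the new `#if` checks the result of `SSL_CTX_new()` before calling `SSL_CTX_set_min_proto_version()` or `SSL_CTX_set_options()` on it, and the return value of `SSL_CTX_set_min_proto_version()` (1 on success, 0 on failure) is discarded, so a server that could not pin TLS 1.2 as its floor starts anyway. Create the context in the version-specific branches, check it once, then apply the version policy, as below. The `"NTSc:"` tag on the message copied into the `#else` branch is the client's prefix; if nts_server.c logs under its own tag, use that here (the fence keeps the text as is). The version test `> 0x1010000fL` also differs in form from ssl_init.c's `< 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)`; LibreSSL reports a 0x2… version number and so takes the new-API branch here — worth confirming against the `#if` in nts_probe(), which is outside the hunk.
```c
#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
    ctx = SSL_CTX_new(TLS_server_method());
#else
    /* … unchanged: comment on old OpenSSL lacking min/max version requests … */
    ctx = SSL_CTX_new(TLSv1_2_server_method());
#endif
    if (NULL == ctx) {
        msyslog(LOG_ERR, "NTSc: SSL_CTX_new() failed");  /* tag: match this file's logging prefix */
        return;
    }
#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
    if (1 != SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)) {
        msyslog(LOG_ERR, "NTSc: can't set minimum TLS version");
        SSL_CTX_free(ctx);
        return;
    }
    SSL_CTX_set_max_proto_version(ctx, 0);
#else
    SSL_CTX_set_options(ctx, NO_OLD_VERSIONS);
    /* … unchanged: "can't set min/max TLS versions" notice … */
#endif
```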


