Hawkin
/
arangodb
mirror of https://gitee.com/bigwinds/arangodb
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

abort startup when using SSLv2 for a server endpoint (#5339)

This commit is contained in:
Jan 2018-05-15 18:38:34 +02:00 committed by GitHub
parent a7b1bcb055
commit 76e2c1b087
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 34 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
CHANGELOG
View File

@ -1,6 +1,12 @@
devel devel
----- -----
* abort startup when using SSLv2 for a server endpoint, or when connecting with
a client tool via an SSLv2 connection.
SSLv2 has been disabled in the OpenSSL library by default in recent versions
because of security vulnerabilities inherent in this protocol.
* added startup option `--log.escape` * added startup option `--log.escape`
This option toggles the escaping of log output. This option toggles the escaping of log output.

6
Documentation/Books/Manual/Administration/Configuration/SSL.md
View File

@ -89,7 +89,7 @@ The certificates in *filename* must be PEM formatted.
Use this option to specify the default encryption protocol to be used. The Use this option to specify the default encryption protocol to be used. The
following variants are available: following variants are available:
- 1: SSLv2 - 1: SSLv2 (unsupported)
- 2: SSLv2 or SSLv3 (negotiated) - 2: SSLv2 or SSLv3 (negotiated)
- 3: SSLv3 - 3: SSLv3
- 4: TLSv1 - 4: TLSv1
@ -97,6 +97,10 @@ following variants are available:
The default *value* is 5 (TLSv1.2). The default *value* is 5 (TLSv1.2).
Note that SSLv2 is unsupported as of ArangoDB 3.4, because of the inherent
security vulnerabilities in this protocol. Selecting SSLv2 as protocol will
abort the startup.
### SSL cache ### SSL cache
`--ssl.session-cache value` `--ssl.session-cache value`

5
arangosh/Shell/ClientFeature.cpp
View File

@ -129,6 +129,11 @@ void ClientFeature::collectOptions(std::shared_ptr<ProgramOptions> options) {
} }
void ClientFeature::validateOptions(std::shared_ptr<ProgramOptions> options) { void ClientFeature::validateOptions(std::shared_ptr<ProgramOptions> options) {
if (_sslProtocol == 1) {
LOG_TOPIC(FATAL, arangodb::Logger::SSL) << "SSLv2 is not supported any longer because of security vulnerabilities in this protocol";
FATAL_ERROR_EXIT();
}
// if a username is specified explicitly, assume authentication is desired // if a username is specified explicitly, assume authentication is desired
if (options->processingResult().touched("server.username")) { if (options->processingResult().touched("server.username")) {
_authentication = true; _authentication = true;

8
lib/SimpleHttpClient/SslClientConnection.cpp
View File

@ -213,12 +213,6 @@ void SslClientConnection::init(uint64_t sslProtocol) {
SSL_METHOD SSL_CONST* meth = nullptr; SSL_METHOD SSL_CONST* meth = nullptr;
switch (SslProtocol(sslProtocol)) { switch (SslProtocol(sslProtocol)) {
#ifndef OPENSSL_NO_SSL2
case SSL_V2:
meth = SSLv2_method();
break;
#endif
#ifndef OPENSSL_NO_SSL3_METHOD #ifndef OPENSSL_NO_SSL3_METHOD
case SSL_V3: case SSL_V3:
meth = SSLv3_method(); meth = SSLv3_method();
@ -235,7 +229,7 @@ void SslClientConnection::init(uint64_t sslProtocol) {
case TLS_V12: case TLS_V12:
case SSL_UNKNOWN: case SSL_UNKNOWN:
default: default:
// default is to use TLSv13 // default is to use TLSv12
meth = TLS_method(); meth = TLS_method();
break; break;
#else #else

8
lib/Ssl/SslServerFeature.cpp
View File

@ -92,6 +92,14 @@ void SslServerFeature::collectOptions(std::shared_ptr<ProgramOptions> options) {
new StringParameter(&_ecdhCurve)); new StringParameter(&_ecdhCurve));
} }
void SslServerFeature::validateOptions(std::shared_ptr<ProgramOptions> options) {
// check for SSLv2
if (_sslProtocol == 1) {
LOG_TOPIC(FATAL, arangodb::Logger::SSL) << "SSLv2 is not supported any longer because of security vulnerabilities in this protocol";
FATAL_ERROR_EXIT();
}
}
void SslServerFeature::prepare() { void SslServerFeature::prepare() {
LOG_TOPIC(INFO, arangodb::Logger::SSL) << "using SSL options: " LOG_TOPIC(INFO, arangodb::Logger::SSL) << "using SSL options: "
<< stringifySslOptions(_sslOptions); << stringifySslOptions(_sslOptions);

1
lib/Ssl/SslServerFeature.h
View File

@ -42,6 +42,7 @@ class SslServerFeature : public application_features::ApplicationFeature {
public: public:
void collectOptions(std::shared_ptr<options::ProgramOptions>) override; void collectOptions(std::shared_ptr<options::ProgramOptions>) override;
void validateOptions(std::shared_ptr<options::ProgramOptions>) override;
void prepare() override final; void prepare() override final;
void unprepare() override final; void unprepare() override final;

8
lib/Ssl/ssl-helper.cpp
View File

@ -46,11 +46,6 @@ asio::ssl::context arangodb::sslContext(
context::method meth; context::method meth;
switch (protocol) { switch (protocol) {
#ifndef OPENSSL_NO_SSL2
case SSL_V2:
meth = context::method::sslv2;
break;
#endif
#ifndef OPENSSL_NO_SSL3_METHOD #ifndef OPENSSL_NO_SSL3_METHOD
case SSL_V3: case SSL_V3:
meth = context::method::sslv3; meth = context::method::sslv3;
@ -107,9 +102,6 @@ asio::ssl::context arangodb::sslContext(
std::string arangodb::protocolName(SslProtocol protocol) { std::string arangodb::protocolName(SslProtocol protocol) {
switch (protocol) { switch (protocol) {
case SSL_V2:
return "SSLv2";
case SSL_V23: case SSL_V23:
return "SSLv23"; return "SSLv23";

9
lib/Ssl/ssl-helper.h
View File

@ -36,7 +36,14 @@ namespace arangodb {
// SSL protocol methods // SSL protocol methods
enum SslProtocol { enum SslProtocol {
SSL_UNKNOWN = 0, SSL_UNKNOWN = 0,
SSL_V2 = 1, // removed SSL_V2 here, because newer versions of OpenSSL do not
// include it by default.
// from https://www.openssl.org/news/cl110.txt:
// Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
// * Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
// is by default disabled at build-time. Builds that are not configured with
// "enable-ssl2" will not support SSLv2.
// SSL_V2 = 1,
SSL_V23 = 2, SSL_V23 = 2,
SSL_V3 = 3, SSL_V3 = 3,
TLS_V1 = 4, TLS_V1 = 4,