From 8c8be1ebbb8e400733374a72780ddb5ed6fea5c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 31 Mar 2015 14:21:11 +0200 Subject: [PATCH] Change default min TLS version to TLS 1.0 --- ChangeLog | 1 + include/mbedtls/ssl.h | 2 +- library/ssl_tls.c | 4 ++-- programs/ssl/ssl_client1.c | 3 --- programs/ssl/ssl_client2.c | 12 ++++++------ programs/ssl/ssl_fork_server.c | 4 ---- programs/ssl/ssl_mail_client.c | 3 --- programs/ssl/ssl_pthread_server.c | 3 --- programs/ssl/ssl_server.c | 3 --- programs/ssl/ssl_server2.c | 12 ++++++------ 10 files changed, 16 insertions(+), 31 deletions(-) diff --git a/ChangeLog b/ChangeLog index 09c5b2f6e..206a3a825 100644 --- a/ChangeLog +++ b/ChangeLog @@ -41,6 +41,7 @@ Semi-API changes (technically public, morally private) * Remove r and s from ecdsa_context Default behavior changes + * The default minimum TLS version is now TLS 1.0. * RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the default ciphersuite list returned by ssl_list_ciphersuites() * Support for receiving SSLv2 ClientHello is now disabled by default at diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index fa20c7f42..09aaf37d3 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1718,7 +1718,7 @@ int ssl_set_max_version( ssl_context *ssl, int major, int minor ); /** * \brief Set the minimum accepted SSL/TLS protocol version - * (Default: SSL_MIN_MAJOR_VERSION, SSL_MIN_MINOR_VERSION) + * (Default: TLS 1.0) * * \note Input outside of the SSL_MAX_XXXXX_VERSION and * SSL_MIN_XXXXX_VERSION range is ignored. diff --git a/library/ssl_tls.c b/library/ssl_tls.c index fb943dc50..73aefc8dd 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4953,8 +4953,8 @@ int ssl_init( ssl_context *ssl ) /* * Sane defaults */ - ssl->min_major_ver = SSL_MIN_MAJOR_VERSION; - ssl->min_minor_ver = SSL_MIN_MINOR_VERSION; + ssl->min_major_ver = SSL_MAJOR_VERSION_3; + ssl->min_minor_ver = SSL_MINOR_VERSION_1; /* TLS 1.0 */ ssl->max_major_ver = SSL_MAX_MAJOR_VERSION; ssl->max_minor_ver = SSL_MAX_MINOR_VERSION; diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index b9735b474..45a690290 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -161,9 +161,6 @@ int main( void ) ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL ); ssl_set_ca_chain( &ssl, &cacert, NULL, "mbed TLS Server 1" ); - /* SSLv3 is deprecated, set minimum to TLS 1.0 */ - ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 ); - ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_dbg( &ssl, my_debug, stdout ); ssl_set_bio_timeout( &ssl, &server_fd, net_send, net_recv, NULL, 0 ); diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 92599766d..67d29554d 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -83,7 +83,7 @@ #define DFL_ALLOW_LEGACY -2 #define DFL_RENEGOTIATE 0 #define DFL_EXCHANGES 1 -#define DFL_MIN_VERSION SSL_MINOR_VERSION_1 +#define DFL_MIN_VERSION -1 #define DFL_MAX_VERSION -1 #define DFL_ARC4 -1 #define DFL_AUTH_MODE -1 @@ -250,8 +250,8 @@ USAGE_RECSPLIT \ "\n" \ " arc4=%%d default: (library default: 0)\n" \ - " min_version=%%s default: \"\" (ssl3)\n" \ - " max_version=%%s default: \"\" (tls1_2)\n" \ + " min_version=%%s default: (library default: tls1)\n" \ + " max_version=%%s default: (library default: tls1_2)\n" \ " force_version=%%s default: \"\" (none)\n" \ " options: ssl3, tls1, tls1_1, tls1_2, dtls1, dtls1_2\n" \ "\n" \ @@ -1197,17 +1197,17 @@ int main( int argc, char *argv[] ) } #endif - if( opt.min_version != -1 ) + if( opt.min_version != DFL_MIN_VERSION ) { ret = ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version ); - if( ret != 0 && opt.min_version != DFL_MIN_VERSION ) + if( ret != 0 ) { polarssl_printf( " failed\n ! selected min_version is not available\n" ); goto exit; } } - if( opt.max_version != -1 ) + if( opt.max_version != DFL_MAX_VERSION ) { ret = ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, opt.max_version ); if( ret != 0 ) diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index 451b1a874..72d74b2ec 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -258,10 +258,6 @@ int main( void ) ssl_set_endpoint( &ssl, SSL_IS_SERVER ); ssl_set_authmode( &ssl, SSL_VERIFY_NONE ); - /* SSLv3 is deprecated, set minimum to TLS 1.0 */ - ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, - SSL_MINOR_VERSION_1 ); - ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_dbg( &ssl, my_debug, stdout ); ssl_set_bio_timeout( &ssl, &client_fd, net_send, net_recv, NULL, 0 ); diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index 2a20fbdc7..55d7f87f3 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -602,9 +602,6 @@ int main( int argc, char *argv[] ) * but makes interop easier in this simplified example */ ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL ); - /* SSLv3 is deprecated, set minimum to TLS 1.0 */ - ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 ); - ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_dbg( &ssl, my_debug, stdout ); ssl_set_bio_timeout( &ssl, &server_fd, net_send, net_recv, NULL, 0 ); diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c index ece8ad20e..9702ab1d7 100644 --- a/programs/ssl/ssl_pthread_server.c +++ b/programs/ssl/ssl_pthread_server.c @@ -168,9 +168,6 @@ static void *handle_ssl_connection( void *data ) ssl_set_endpoint( &ssl, SSL_IS_SERVER ); ssl_set_authmode( &ssl, SSL_VERIFY_NONE ); - /* SSLv3 is deprecated, set minimum to TLS 1.0 */ - ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 ); - ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_dbg( &ssl, my_mutexed_debug, stdout ); diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index 34cfa8c9a..2e4fcd8ba 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -197,9 +197,6 @@ int main( void ) ssl_set_endpoint( &ssl, SSL_IS_SERVER ); ssl_set_authmode( &ssl, SSL_VERIFY_NONE ); - /* SSLv3 is deprecated, set minimum to TLS 1.0 */ - ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 ); - ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_dbg( &ssl, my_debug, stdout ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index c2beec79e..f3e2955a1 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -99,7 +99,7 @@ #define DFL_RENEGO_DELAY -2 #define DFL_RENEGO_PERIOD -1 #define DFL_EXCHANGES 1 -#define DFL_MIN_VERSION SSL_MINOR_VERSION_1 +#define DFL_MIN_VERSION -1 #define DFL_MAX_VERSION -1 #define DFL_ARC4 -1 #define DFL_AUTH_MODE -1 @@ -316,8 +316,8 @@ USAGE_ETM \ "\n" \ " arc4=%%d default: (library default: 0)\n" \ - " min_version=%%s default: \"ssl3\"\n" \ - " max_version=%%s default: \"tls1_2\"\n" \ + " min_version=%%s default: (library default: tls1)\n" \ + " max_version=%%s default: (library default: tls1_2)\n" \ " force_version=%%s default: \"\" (none)\n" \ " options: ssl3, tls1, tls1_1, tls1_2, dtls1, dtls1_2\n" \ "\n" \ @@ -1734,17 +1734,17 @@ int main( int argc, char *argv[] ) } #endif - if( opt.min_version != -1 ) + if( opt.min_version != DFL_MIN_VERSION ) { ret = ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version ); - if( ret != 0 && opt.min_version != DFL_MIN_VERSION ) + if( ret != 0 ) { polarssl_printf( " failed\n ! selected min_version is not available\n" ); goto exit; } } - if( opt.max_version != -1 ) + if( opt.max_version != DFL_MIN_VERSION ) { ret = ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, opt.max_version ); if( ret != 0 )