mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-23 00:05:35 +00:00
Change default min TLS version to TLS 1.0
This commit is contained in:
parent
d16df8f60a
commit
8c8be1ebbb
|
@ -41,6 +41,7 @@ Semi-API changes (technically public, morally private)
|
||||||
* Remove r and s from ecdsa_context
|
* Remove r and s from ecdsa_context
|
||||||
|
|
||||||
Default behavior changes
|
Default behavior changes
|
||||||
|
* The default minimum TLS version is now TLS 1.0.
|
||||||
* RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the
|
* RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the
|
||||||
default ciphersuite list returned by ssl_list_ciphersuites()
|
default ciphersuite list returned by ssl_list_ciphersuites()
|
||||||
* Support for receiving SSLv2 ClientHello is now disabled by default at
|
* Support for receiving SSLv2 ClientHello is now disabled by default at
|
||||||
|
|
|
@ -1718,7 +1718,7 @@ int ssl_set_max_version( ssl_context *ssl, int major, int minor );
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \brief Set the minimum accepted SSL/TLS protocol version
|
* \brief Set the minimum accepted SSL/TLS protocol version
|
||||||
* (Default: SSL_MIN_MAJOR_VERSION, SSL_MIN_MINOR_VERSION)
|
* (Default: TLS 1.0)
|
||||||
*
|
*
|
||||||
* \note Input outside of the SSL_MAX_XXXXX_VERSION and
|
* \note Input outside of the SSL_MAX_XXXXX_VERSION and
|
||||||
* SSL_MIN_XXXXX_VERSION range is ignored.
|
* SSL_MIN_XXXXX_VERSION range is ignored.
|
||||||
|
|
|
@ -4953,8 +4953,8 @@ int ssl_init( ssl_context *ssl )
|
||||||
/*
|
/*
|
||||||
* Sane defaults
|
* Sane defaults
|
||||||
*/
|
*/
|
||||||
ssl->min_major_ver = SSL_MIN_MAJOR_VERSION;
|
ssl->min_major_ver = SSL_MAJOR_VERSION_3;
|
||||||
ssl->min_minor_ver = SSL_MIN_MINOR_VERSION;
|
ssl->min_minor_ver = SSL_MINOR_VERSION_1; /* TLS 1.0 */
|
||||||
ssl->max_major_ver = SSL_MAX_MAJOR_VERSION;
|
ssl->max_major_ver = SSL_MAX_MAJOR_VERSION;
|
||||||
ssl->max_minor_ver = SSL_MAX_MINOR_VERSION;
|
ssl->max_minor_ver = SSL_MAX_MINOR_VERSION;
|
||||||
|
|
||||||
|
|
|
@ -161,9 +161,6 @@ int main( void )
|
||||||
ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
|
ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
|
||||||
ssl_set_ca_chain( &ssl, &cacert, NULL, "mbed TLS Server 1" );
|
ssl_set_ca_chain( &ssl, &cacert, NULL, "mbed TLS Server 1" );
|
||||||
|
|
||||||
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
|
|
||||||
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
|
|
||||||
|
|
||||||
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
|
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
|
||||||
ssl_set_dbg( &ssl, my_debug, stdout );
|
ssl_set_dbg( &ssl, my_debug, stdout );
|
||||||
ssl_set_bio_timeout( &ssl, &server_fd, net_send, net_recv, NULL, 0 );
|
ssl_set_bio_timeout( &ssl, &server_fd, net_send, net_recv, NULL, 0 );
|
||||||
|
|
|
@ -83,7 +83,7 @@
|
||||||
#define DFL_ALLOW_LEGACY -2
|
#define DFL_ALLOW_LEGACY -2
|
||||||
#define DFL_RENEGOTIATE 0
|
#define DFL_RENEGOTIATE 0
|
||||||
#define DFL_EXCHANGES 1
|
#define DFL_EXCHANGES 1
|
||||||
#define DFL_MIN_VERSION SSL_MINOR_VERSION_1
|
#define DFL_MIN_VERSION -1
|
||||||
#define DFL_MAX_VERSION -1
|
#define DFL_MAX_VERSION -1
|
||||||
#define DFL_ARC4 -1
|
#define DFL_ARC4 -1
|
||||||
#define DFL_AUTH_MODE -1
|
#define DFL_AUTH_MODE -1
|
||||||
|
@ -250,8 +250,8 @@
|
||||||
USAGE_RECSPLIT \
|
USAGE_RECSPLIT \
|
||||||
"\n" \
|
"\n" \
|
||||||
" arc4=%%d default: (library default: 0)\n" \
|
" arc4=%%d default: (library default: 0)\n" \
|
||||||
" min_version=%%s default: \"\" (ssl3)\n" \
|
" min_version=%%s default: (library default: tls1)\n" \
|
||||||
" max_version=%%s default: \"\" (tls1_2)\n" \
|
" max_version=%%s default: (library default: tls1_2)\n" \
|
||||||
" force_version=%%s default: \"\" (none)\n" \
|
" force_version=%%s default: \"\" (none)\n" \
|
||||||
" options: ssl3, tls1, tls1_1, tls1_2, dtls1, dtls1_2\n" \
|
" options: ssl3, tls1, tls1_1, tls1_2, dtls1, dtls1_2\n" \
|
||||||
"\n" \
|
"\n" \
|
||||||
|
@ -1197,17 +1197,17 @@ int main( int argc, char *argv[] )
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if( opt.min_version != -1 )
|
if( opt.min_version != DFL_MIN_VERSION )
|
||||||
{
|
{
|
||||||
ret = ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version );
|
ret = ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version );
|
||||||
if( ret != 0 && opt.min_version != DFL_MIN_VERSION )
|
if( ret != 0 )
|
||||||
{
|
{
|
||||||
polarssl_printf( " failed\n ! selected min_version is not available\n" );
|
polarssl_printf( " failed\n ! selected min_version is not available\n" );
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if( opt.max_version != -1 )
|
if( opt.max_version != DFL_MAX_VERSION )
|
||||||
{
|
{
|
||||||
ret = ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, opt.max_version );
|
ret = ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, opt.max_version );
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
|
|
|
@ -258,10 +258,6 @@ int main( void )
|
||||||
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
|
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
|
||||||
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
|
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
|
||||||
|
|
||||||
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
|
|
||||||
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3,
|
|
||||||
SSL_MINOR_VERSION_1 );
|
|
||||||
|
|
||||||
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
|
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
|
||||||
ssl_set_dbg( &ssl, my_debug, stdout );
|
ssl_set_dbg( &ssl, my_debug, stdout );
|
||||||
ssl_set_bio_timeout( &ssl, &client_fd, net_send, net_recv, NULL, 0 );
|
ssl_set_bio_timeout( &ssl, &client_fd, net_send, net_recv, NULL, 0 );
|
||||||
|
|
|
@ -602,9 +602,6 @@ int main( int argc, char *argv[] )
|
||||||
* but makes interop easier in this simplified example */
|
* but makes interop easier in this simplified example */
|
||||||
ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
|
ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
|
||||||
|
|
||||||
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
|
|
||||||
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
|
|
||||||
|
|
||||||
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
|
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
|
||||||
ssl_set_dbg( &ssl, my_debug, stdout );
|
ssl_set_dbg( &ssl, my_debug, stdout );
|
||||||
ssl_set_bio_timeout( &ssl, &server_fd, net_send, net_recv, NULL, 0 );
|
ssl_set_bio_timeout( &ssl, &server_fd, net_send, net_recv, NULL, 0 );
|
||||||
|
|
|
@ -168,9 +168,6 @@ static void *handle_ssl_connection( void *data )
|
||||||
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
|
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
|
||||||
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
|
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
|
||||||
|
|
||||||
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
|
|
||||||
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
|
|
||||||
|
|
||||||
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
|
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
|
||||||
ssl_set_dbg( &ssl, my_mutexed_debug, stdout );
|
ssl_set_dbg( &ssl, my_mutexed_debug, stdout );
|
||||||
|
|
||||||
|
|
|
@ -197,9 +197,6 @@ int main( void )
|
||||||
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
|
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
|
||||||
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
|
ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
|
||||||
|
|
||||||
/* SSLv3 is deprecated, set minimum to TLS 1.0 */
|
|
||||||
ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
|
|
||||||
|
|
||||||
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
|
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
|
||||||
ssl_set_dbg( &ssl, my_debug, stdout );
|
ssl_set_dbg( &ssl, my_debug, stdout );
|
||||||
|
|
||||||
|
|
|
@ -99,7 +99,7 @@
|
||||||
#define DFL_RENEGO_DELAY -2
|
#define DFL_RENEGO_DELAY -2
|
||||||
#define DFL_RENEGO_PERIOD -1
|
#define DFL_RENEGO_PERIOD -1
|
||||||
#define DFL_EXCHANGES 1
|
#define DFL_EXCHANGES 1
|
||||||
#define DFL_MIN_VERSION SSL_MINOR_VERSION_1
|
#define DFL_MIN_VERSION -1
|
||||||
#define DFL_MAX_VERSION -1
|
#define DFL_MAX_VERSION -1
|
||||||
#define DFL_ARC4 -1
|
#define DFL_ARC4 -1
|
||||||
#define DFL_AUTH_MODE -1
|
#define DFL_AUTH_MODE -1
|
||||||
|
@ -316,8 +316,8 @@
|
||||||
USAGE_ETM \
|
USAGE_ETM \
|
||||||
"\n" \
|
"\n" \
|
||||||
" arc4=%%d default: (library default: 0)\n" \
|
" arc4=%%d default: (library default: 0)\n" \
|
||||||
" min_version=%%s default: \"ssl3\"\n" \
|
" min_version=%%s default: (library default: tls1)\n" \
|
||||||
" max_version=%%s default: \"tls1_2\"\n" \
|
" max_version=%%s default: (library default: tls1_2)\n" \
|
||||||
" force_version=%%s default: \"\" (none)\n" \
|
" force_version=%%s default: \"\" (none)\n" \
|
||||||
" options: ssl3, tls1, tls1_1, tls1_2, dtls1, dtls1_2\n" \
|
" options: ssl3, tls1, tls1_1, tls1_2, dtls1, dtls1_2\n" \
|
||||||
"\n" \
|
"\n" \
|
||||||
|
@ -1734,17 +1734,17 @@ int main( int argc, char *argv[] )
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if( opt.min_version != -1 )
|
if( opt.min_version != DFL_MIN_VERSION )
|
||||||
{
|
{
|
||||||
ret = ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version );
|
ret = ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version );
|
||||||
if( ret != 0 && opt.min_version != DFL_MIN_VERSION )
|
if( ret != 0 )
|
||||||
{
|
{
|
||||||
polarssl_printf( " failed\n ! selected min_version is not available\n" );
|
polarssl_printf( " failed\n ! selected min_version is not available\n" );
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if( opt.max_version != -1 )
|
if( opt.max_version != DFL_MIN_VERSION )
|
||||||
{
|
{
|
||||||
ret = ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, opt.max_version );
|
ret = ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, opt.max_version );
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
|
|
Loading…
Reference in a new issue