common.c (273114) | common.c (273124) |
---|---|
1/*- 2 * Copyright (c) 1998-2014 Dag-Erling Sm��rgrav 3 * Copyright (c) 2013 Michael Gmelin <freebsd@grem.de> 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: --- 14 unchanged lines hidden (view full) --- 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30#include <sys/cdefs.h> | 1/*- 2 * Copyright (c) 1998-2014 Dag-Erling Sm��rgrav 3 * Copyright (c) 2013 Michael Gmelin <freebsd@grem.de> 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: --- 14 unchanged lines hidden (view full) --- 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30#include <sys/cdefs.h> |
31__FBSDID("$FreeBSD: head/lib/libfetch/common.c 273114 2014-10-15 02:34:26Z des $"); | 31__FBSDID("$FreeBSD: head/lib/libfetch/common.c 273124 2014-10-15 07:35:50Z des $"); |
32 33#include <sys/param.h> 34#include <sys/socket.h> 35#include <sys/time.h> 36#include <sys/uio.h> 37 38#include <netinet/in.h> 39 --- 630 unchanged lines hidden (view full) --- 670static void 671fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose) 672{ 673 long ssl_ctx_options; 674 675 ssl_ctx_options = SSL_OP_ALL | SSL_OP_NO_TICKET; 676 if (getenv("SSL_ALLOW_SSL2") == NULL) 677 ssl_ctx_options |= SSL_OP_NO_SSLv2; | 32 33#include <sys/param.h> 34#include <sys/socket.h> 35#include <sys/time.h> 36#include <sys/uio.h> 37 38#include <netinet/in.h> 39 --- 630 unchanged lines hidden (view full) --- 670static void 671fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose) 672{ 673 long ssl_ctx_options; 674 675 ssl_ctx_options = SSL_OP_ALL | SSL_OP_NO_TICKET; 676 if (getenv("SSL_ALLOW_SSL2") == NULL) 677 ssl_ctx_options |= SSL_OP_NO_SSLv2; |
678 if (getenv("SSL_NO_SSL3") != NULL) | 678 if (getenv("SSL_ALLOW_SSL3") == NULL) |
679 ssl_ctx_options |= SSL_OP_NO_SSLv3; 680 if (getenv("SSL_NO_TLS1") != NULL) 681 ssl_ctx_options |= SSL_OP_NO_TLSv1; | 679 ssl_ctx_options |= SSL_OP_NO_SSLv3; 680 if (getenv("SSL_NO_TLS1") != NULL) 681 ssl_ctx_options |= SSL_OP_NO_TLSv1; |
682 if (getenv("SSL_NO_TLS1_1") != NULL) 683 ssl_ctx_options |= SSL_OP_NO_TLSv1_1; 684 if (getenv("SSL_NO_TLS1_2") != NULL) 685 ssl_ctx_options |= SSL_OP_NO_TLSv1_2; |
|
682 if (verbose) 683 fetch_info("SSL options: %lx", ssl_ctx_options); 684 SSL_CTX_set_options(ctx, ssl_ctx_options); 685} 686 687 688/* 689 * Configure peer verification based on environment. --- 125 unchanged lines hidden (view full) --- 815 /* Init the SSL library and context */ 816 if (!SSL_library_init()){ 817 fprintf(stderr, "SSL library init failed\n"); 818 return (-1); 819 } 820 821 SSL_load_error_strings(); 822 | 686 if (verbose) 687 fetch_info("SSL options: %lx", ssl_ctx_options); 688 SSL_CTX_set_options(ctx, ssl_ctx_options); 689} 690 691 692/* 693 * Configure peer verification based on environment. --- 125 unchanged lines hidden (view full) --- 819 /* Init the SSL library and context */ 820 if (!SSL_library_init()){ 821 fprintf(stderr, "SSL library init failed\n"); 822 return (-1); 823 } 824 825 SSL_load_error_strings(); 826 |
823 conn->ssl_meth = TLSv1_client_method(); | 827 conn->ssl_meth = SSLv23_client_method(); |
824 conn->ssl_ctx = SSL_CTX_new(conn->ssl_meth); 825 SSL_CTX_set_mode(conn->ssl_ctx, SSL_MODE_AUTO_RETRY); 826 827 fetch_ssl_setup_transport_layer(conn->ssl_ctx, verbose); 828 if (!fetch_ssl_setup_peer_verification(conn->ssl_ctx, verbose)) 829 return (-1); 830 if (!fetch_ssl_setup_client_certificate(conn->ssl_ctx, verbose)) 831 return (-1); --- 36 unchanged lines hidden (view full) --- 868 fprintf(stderr, 869 "SSL certificate subject doesn't match host %s\n", 870 URL->host); 871 return (-1); 872 } 873 } 874 875 if (verbose) { | 828 conn->ssl_ctx = SSL_CTX_new(conn->ssl_meth); 829 SSL_CTX_set_mode(conn->ssl_ctx, SSL_MODE_AUTO_RETRY); 830 831 fetch_ssl_setup_transport_layer(conn->ssl_ctx, verbose); 832 if (!fetch_ssl_setup_peer_verification(conn->ssl_ctx, verbose)) 833 return (-1); 834 if (!fetch_ssl_setup_client_certificate(conn->ssl_ctx, verbose)) 835 return (-1); --- 36 unchanged lines hidden (view full) --- 872 fprintf(stderr, 873 "SSL certificate subject doesn't match host %s\n", 874 URL->host); 875 return (-1); 876 } 877 } 878 879 if (verbose) { |
876 fetch_info("SSL connection established using %s", 877 SSL_get_cipher(conn->ssl)); | 880 fetch_info("%s connection established using %s", 881 SSL_get_version(conn->ssl), SSL_get_cipher(conn->ssl)); |
878 name = X509_get_subject_name(conn->ssl_cert); 879 str = X509_NAME_oneline(name, 0, 0); 880 fetch_info("Certificate subject: %s", str); 881 OPENSSL_free(str); 882 name = X509_get_issuer_name(conn->ssl_cert); 883 str = X509_NAME_oneline(name, 0, 0); 884 fetch_info("Certificate issuer: %s", str); 885 OPENSSL_free(str); --- 498 unchanged lines hidden --- | 882 name = X509_get_subject_name(conn->ssl_cert); 883 str = X509_NAME_oneline(name, 0, 0); 884 fetch_info("Certificate subject: %s", str); 885 OPENSSL_free(str); 886 name = X509_get_issuer_name(conn->ssl_cert); 887 str = X509_NAME_oneline(name, 0, 0); 888 fetch_info("Certificate issuer: %s", str); 889 OPENSSL_free(str); --- 498 unchanged lines hidden --- |
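Review bot: The new `SSL_OP_NO_TLSv1_1` / `SSL_OP_NO_TLSv1_2` bits added at lines 682–685 are, as far as I recall, only defined by OpenSSL headers that support TLS 1.1/1.2, so the translation unit will fail to compile against older libraries; either wrap them in `#ifdef SSL_OP_NO_TLSv1_1` / `#ifdef SSL_OP_NO_TLSv1_2` guards or state the minimum OpenSSL version this change now assumes. Because line 827 switches to `SSLv23_client_method()`, the set of protocols the client accepts is now decided entirely by this option mask, and the environment variables pull in opposite directions (SSL_ALLOW_SSL2/SSL_ALLOW_SSL3 opt in, SSL_NO_TLS1* opt out); a comment at the top of `fetch_ssl_setup_transport_layer` such as `/* SSLv2 and SSLv3 stay disabled unless SSL_ALLOW_SSL2 / SSL_ALLOW_SSL3 are set; TLS 1.0/1.1/1.2 can be turned off with SSL_NO_TLS1 / SSL_NO_TLS1_1 / SSL_NO_TLS1_2. */` would make that policy explicit, and presumably the new variables also need a mention in fetch(3). Setting all three SSL_NO_TLS1* variables without SSL_ALLOW_SSL3 leaves no protocol enabled and the handshake will fail with a generic error, which the verbose "SSL options" line is the only hint for. Unrelated to the change but visible in the same context, `SSL_CTX_new()` at line 828 is never checked before `SSL_CTX_set_mode()` dereferences the result; `if (conn->ssl_ctx == NULL) return (-1);` after it would avoid a NULL dereference on allocation failure. The enclosing `fetch_ssl()` starts and ends outside the shown section.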