View Issue Details

ID: 0000440
Project: bareos-core
Category: General
View Status: public
Last Update: 2015-06-01 16:24
Reporter: cviecco
Assigned To: (none)
Priority: normal
Severity: feature
Reproducibility: always
Status: closed
Resolution: fixed
Summary: 0000440: Allow TLS 1.2 connections when using openssl
Description: Adding TLS 1.2 support will allow us to be more future-proof and have better ciphersuites such as the use of ECDHE-ECDSA-AES256-GCM-SHA384.
Additional Information: The attached patch allows TLS 1.2, 1.1 and 1.0 (when bareos is compiled against openssl) while the broken SSLv2 and SSLv3 are disabled.
Tags: No tags attached.

Relationships

child of 0000447 (closed, joergs): Release bareos-14.2.5

Activities

cviecco (reporter), 2015-03-19 16:56

Attached file: bareos-tls1.2-openssl.diff (620 bytes)
diff --git a/src/lib/tls_openssl.c b/src/lib/tls_openssl.c
index 39ab6c9..010e7c7 100644
--- a/src/lib/tls_openssl.c
+++ b/src/lib/tls_openssl.c
@@ -393,12 +393,13 @@ TLS_CONTEXT *new_tls_context(const char *ca_certfile,
    /*
     * Allocate our OpenSSL TLSv1 Context
     */
-   ctx->openssl = SSL_CTX_new(TLSv1_method());
+   ctx->openssl = SSL_CTX_new(SSLv23_method());
 
    if (!ctx->openssl) {
       openssl_post_errors(M_FATAL, _("Error initializing SSL context"));
       goto err;
    }
+   SSL_CTX_set_options(ctx->openssl, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
 
    /*
     * Set up pem encryption callback
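Review bot: the block comment at the top of the hunk, "Allocate our OpenSSL TLSv1 Context", is now stale: with SSLv23_method() the context negotiates the highest protocol version both peers support instead of TLS 1.0 only, so it should read along the lines of "Allocate our OpenSSL context (highest TLS version negotiated; SSLv2/SSLv3 disabled below)". The SSL_CTX_set_options() call is correctly placed after the NULL check on ctx->openssl, and that placement matters: with SSLv23_method() the SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 mask is the only thing keeping the broken protocols out, so it must stay before any SSL object is created from this context. SSL_OP_NO_SSLv2 is a no-op on OpenSSL builds compiled without SSLv2, but it is harmless to keep.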
mvwieringen (developer), 2015-03-21 17:42, note ~0001330

OK, looks straightforward; will add it to the list of pending patches ready
to integrate soon.

I guess you used this approach as it has the advantage that if TLS1.3 gets added
it probably also works, while when you use TLSv12_method() you are not fully
backward compatible (no idea how long OpenSSL has had this method).
pstorz (administrator), 2015-03-27 18:16, note ~0001656

Fix committed to bareos master branch with changesetid 5154.
mvwieringen (developer), 2015-05-29 18:06, note ~0001751

Fix committed to bareos bareos-14.2 branch with changesetid 5320.

Related Changesets

bareos: master a150cd1f

2015-03-19 21:19, author: cviecco, committer: pstorz, ported: N/A

Allow TLS 1.2 connections when using openssl

Adding TLS 1.2 support will allow us to be more future-proof and have
better ciphersuites such as the use of ECDHE-ECDSA-AES256-GCM-SHA384.
This patch allows TLS 1.2, 1.1 and 1.0 while the broken SSLv2 and
SSLv3 are disabled.

Fixes 0000440: Allow TLS 1.2 connections when using openssl

Affected Issues: 0000440
mod - AUTHORS
mod - src/lib/tls_openssl.c

bareos: bareos-14.2 fc760fcc

2015-03-19 21:19, author: cviecco, committer: mvwieringen, ported: N/A

Allow TLS 1.2 connections when using openssl

Adding TLS 1.2 support will allow us to be more future-proof and have
better ciphersuites such as the use of ECDHE-ECDSA-AES256-GCM-SHA384.
This patch allows TLS 1.2, 1.1 and 1.0 while the broken SSLv2 and
SSLv3 are disabled.

Fixes 0000440: Allow TLS 1.2 connections when using openssl

Affected Issues: 0000440
mod - AUTHORS
mod - src/lib/tls_openssl.c

Issue History

Date Modified Username Field Change
2015-03-19 16:56 cviecco New Issue
2015-03-19 16:56 cviecco File Added: bareos-tls1.2-openssl.diff
2015-03-21 17:42 mvwieringen Note Added: 0001330
2015-03-21 17:42 mvwieringen Assigned To => mvwieringen
2015-03-21 17:42 mvwieringen Status new => feedback
2015-03-27 18:16 pstorz Changeset attached => bareos master a150cd1f
2015-03-27 18:16 pstorz Note Added: 0001656
2015-03-27 18:16 pstorz Status feedback => resolved
2015-03-27 18:16 pstorz Resolution open => fixed
2015-03-31 15:24 mvwieringen adm Assigned To mvwieringen =>
2015-05-27 12:50 joergs Relationship added child of 0000447
2015-05-29 18:06 mvwieringen Changeset attached => bareos bareos-14.2 fc760fcc
2015-05-29 18:06 mvwieringen Note Added: 0001751
2015-06-01 16:24 joergs Status resolved => closed