View Issue Details

ID: 0000440
Project: bareos-core
Category: General
View Status: public
Last Update: 2015-06-01 16:24
Reporter: cviecco
Assigned To:
Priority: normal
Severity: feature
Reproducibility: always
Status: closed
Resolution: fixed
Summary: 0000440: Allow TLS 1.2 connections when using openssl
Description: Adding TLS 1.2 support will allow us to be more future-proof and have better ciphersuites such as the use of ECDHE-ECDSA-AES256-GCM-SHA384.
Additional Information: The attached patch allows TLS 1.2, 1.1 and 1.0 (when bareos is compiled against openssl) while the broken sslv2 and sslv3.
Tags: No tags attached.
bareos-master: impact: yes
bareos-master: action: fixed
bareos-19.2: impact
bareos-19.2: action
bareos-18.2: impact
bareos-18.2: action
bareos-17.2: impact
bareos-17.2: action
bareos-16.2: impact
bareos-16.2: action
bareos-15.2: impact
bareos-15.2: action
bareos-14.2: impact: yes
bareos-14.2: action: fixed
bareos-13.2: impact
bareos-13.2: action: none
bareos-12.4: impact
bareos-12.4: action: none

Relationships

child of 0000447 closed joergs Release bareos-14.2.5

Activities

cviecco

2015-03-19 16:56

reporter  

bareos-tls1.2-openssl.diff (620 bytes)   
diff --git a/src/lib/tls_openssl.c b/src/lib/tls_openssl.c
index 39ab6c9..010e7c7 100644
--- a/src/lib/tls_openssl.c
+++ b/src/lib/tls_openssl.c
@@ -393,12 +393,13 @@ TLS_CONTEXT *new_tls_context(const char *ca_certfile,
    /*
     * Allocate our OpenSSL TLSv1 Context
     */
-   ctx->openssl = SSL_CTX_new(TLSv1_method());
+   ctx->openssl = SSL_CTX_new(SSLv23_method());
 
    if (!ctx->openssl) {
       openssl_post_errors(M_FATAL, _("Error initializing SSL context"));
       goto err;
    }
+   SSL_CTX_set_options(ctx->openssl, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
 
    /*
     * Set up pem encryption callback
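Review bot: the comment directly above the changed SSL_CTX_new() call still says "Allocate our OpenSSL TLSv1 Context", which is no longer accurate once the context is created with SSLv23_method() and can negotiate TLS 1.0, 1.1 or 1.2; please update it in this hunk. The added SSL_CTX_set_options() line would also benefit from a one-line comment stating that SSLv2 and SSLv3 are masked out so that only TLS versions are negotiated, since the name SSLv23_method() on its own suggests the opposite.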

mvwieringen

2015-03-21 17:42

developer   ~0001330

OK, looks straightforward; will add it to the list of pending patches ready
to integrate soon.

I guess you used this approach as it has the advantage that if TLS 1.3 gets added
it probably also works, while when you use TLSv12_method() you are not fully
backward compatible (no idea how long OpenSSL has had this method).

pstorz

2015-03-27 18:16

administrator   ~0001656

Fix committed to bareos master branch with changesetid 5154.

mvwieringen

2015-05-29 18:06

developer   ~0001751

Fix committed to bareos bareos-14.2 branch with changesetid 5320.

Related Changesets

bareos: master a150cd1f

2015-03-19 20:19:02

cviecco


Committer: pstorz

Ported: N/A

Allow TLS 1.2 connections when using openssl

Adding TLS 1.2 support will allow us to be more future-proof and have
better ciphersuites such as the use of ECDHE-ECDSA-AES256-GCM-SHA384.
This patch allows TLS 1.2, 1.1 and 1.0 while the broken sslv2 and
sslv3 are disabled.

Fixes 0000440: Allow TLS 1.2 connections when using openssl
Affected Issues
0000440
mod - AUTHORS
mod - src/lib/tls_openssl.c

bareos: bareos-14.2 fc760fcc

2015-03-19 20:19:02

cviecco


Committer: mvwieringen

Ported: N/A

Allow TLS 1.2 connections when using openssl

Adding TLS 1.2 support will allow us to be more future-proof and have
better ciphersuites such as the use of ECDHE-ECDSA-AES256-GCM-SHA384.
This patch allows TLS 1.2, 1.1 and 1.0 while the broken sslv2 and
sslv3 are disabled.

Fixes 0000440: Allow TLS 1.2 connections when using openssl
Affected Issues
0000440
mod - AUTHORS
mod - src/lib/tls_openssl.c

Issue History

Date Modified Username Field Change
2015-03-19 16:56 cviecco New Issue
2015-03-19 16:56 cviecco File Added: bareos-tls1.2-openssl.diff
2015-03-21 17:42 mvwieringen Note Added: 0001330
2015-03-21 17:42 mvwieringen Assigned To => mvwieringen
2015-03-21 17:42 mvwieringen Status new => feedback
2015-03-27 18:16 pstorz Changeset attached => bareos master a150cd1f
2015-03-27 18:16 pstorz Note Added: 0001656
2015-03-27 18:16 pstorz Status feedback => resolved
2015-03-27 18:16 pstorz Resolution open => fixed
2015-03-31 15:24 mvwieringen adm Assigned To mvwieringen =>
2015-05-27 12:50 joergs Relationship added child of 0000447
2015-05-27 12:50 joergs bareos-master: impact => yes
2015-05-27 12:50 joergs bareos-master: action => fixed
2015-05-27 12:50 joergs bareos-14.2: impact => yes
2015-05-27 12:50 joergs bareos-14.2: action => will care
2015-05-27 12:50 joergs bareos-13.2: action => none
2015-05-27 12:50 joergs bareos-12.4: action => none
2015-05-29 18:06 mvwieringen Changeset attached => bareos bareos-14.2 fc760fcc
2015-05-29 18:06 mvwieringen Note Added: 0001751
2015-06-01 16:24 joergs bareos-14.2: action will care => fixed
2015-06-01 16:24 joergs Status resolved => closed