Avoid errors with a priori inapplicable protocol bounds
The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
ignore TLS protocol version bounds when configurign DTLS-based contexts,
and conversely, silently ignore DTLS protocol version bounds when
configuring TLS-based contexts. The commands can be repeated to set
bounds of both types. The same applies with the corresponding
"min_protocol" and "max_protocol" command-line switches, in case some
application uses both TLS and DTLS.
SSL_CTX instances that are created for a fixed protocol version (e.g.
TLSv1_server_method()) also silently ignore version bounds. Previously
attempts to apply bounds to these protocol versions would result in an
error. Now only the "version-flexible" SSL_CTX instances are subject to
limits in configuration files in command-line options.
Expected to resolve #12394
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #12507
Viktor Dukhovni
3 years ago
| 7 | 7 | release branch. |
| 8 | 8 | |
| 9 | 9 | Changes between 1.1.1g and 1.1.1h [xx XXX xxxx] |
| 10 | ||
| 11 | *) The 'MinProtocol' and 'MaxProtocol' configuration commands now silently | |
| 12 | ignore TLS protocol version bounds when configuring DTLS-based contexts, and | |
| 13 | conversely, silently ignore DTLS protocol version bounds when configuring | |
| 14 | TLS-based contexts. The commands can be repeated to set bounds of both | |
| 15 | types. The same applies with the corresponding "min_protocol" and | |
| 16 | "max_protocol" command-line switches, in case some application uses both TLS | |
| 17 | and DTLS. | |
| 18 | ||
| 19 | SSL_CTX instances that are created for a fixed protocol version (e.g. | |
| 20 | TLSv1_server_method()) also silently ignore version bounds. Previously | |
| 21 | attempts to apply bounds to these protocol versions would result in an | |
| 22 | error. Now only the "version-flexible" SSL_CTX instances are subject to | |
| 23 | limits in configuration files in command-line options. | |
| 24 | [Viktor Dukhovni] | |
| 10 | 25 | |
| 11 | 26 | *) Handshake now fails if Extended Master Secret extension is dropped |
| 12 | 27 | on renegotiation. |
| 146 | 146 | =item B<-min_protocol>, B<-max_protocol> |
| 147 | 147 | |
| 148 | 148 | Sets the minimum and maximum supported protocol. |
| 149 | Currently supported protocol values are B<SSLv3>, B<TLSv1>, | |
| 150 | B<TLSv1.1>, B<TLSv1.2>, B<TLSv1.3> for TLS and B<DTLSv1>, B<DTLSv1.2> for DTLS, | |
| 151 | and B<None> for no limit. | |
| 152 | If either bound is not specified then only the other bound applies, | |
| 153 | if specified. | |
| 154 | To restrict the supported protocol versions use these commands rather | |
| 155 | than the deprecated alternative commands below. | |
| 149 | Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, | |
| 150 | B<TLSv1.2>, B<TLSv1.3> for TLS; B<DTLSv1>, B<DTLSv1.2> for DTLS, and B<None> | |
| 151 | for no limit. | |
| 152 | If either the lower or upper bound is not specified then only the other bound | |
| 153 | applies, if specified. | |
| 154 | If your application supports both TLS and DTLS you can specify any of these | |
| 155 | options twice, once with a bound for TLS and again with an appropriate bound | |
| 156 | for DTLS. | |
| 157 | To restrict the supported protocol versions use these commands rather than the | |
| 158 | deprecated alternative commands below. | |
| 156 | 159 | |
| 157 | 160 | =item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3> |
| 158 | 161 | |
| 369 | 372 | |
| 370 | 373 | Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, |
| 371 | 374 | B<TLSv1.2>, B<TLSv1.3>, B<DTLSv1> and B<DTLSv1.2>. |
| 372 | The value B<None> will disable the limit. | |
| 375 | The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds | |
| 376 | apply only to DTLS-based contexts. | |
| 377 | The command can be repeated with one instance setting a TLS bound, and the | |
| 378 | other setting a DTLS bound. | |
| 379 | The value B<None> applies to both types of contexts and disables the limits. | |
| 373 | 380 | |
| 374 | 381 | =item B<MaxProtocol> |
| 375 | 382 | |
| 377 | 384 | |
| 378 | 385 | Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, |
| 379 | 386 | B<TLSv1.2>, B<TLSv1.3>, B<DTLSv1> and B<DTLSv1.2>. |
| 380 | The value B<None> will disable the limit. | |
| 387 | The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds | |
| 388 | apply only to DTLS-based contexts. | |
| 389 | The command can be repeated with one instance setting a TLS bound, and the | |
| 390 | other setting a DTLS bound. | |
| 391 | The value B<None> applies to both types of contexts and disables the limits. | |
| 381 | 392 | |
| 382 | 393 | =item B<Protocol> |
| 383 | 394 | |
| 261 | 261 | ssl_conf = ssl_sect |
| 262 | 262 | |
| 263 | 263 | [ssl_sect] |
| 264 | ||
| 265 | 264 | system_default = system_default_sect |
| 266 | 265 | |
| 267 | 266 | [system_default_sect] |
| 268 | ||
| 269 | 267 | MinProtocol = TLSv1.2 |
| 270 | ||
| 268 | MinProtocol = DTLSv1.2 | |
| 271 | 269 | |
| 272 | 270 | =head1 NOTES |
| 273 | 271 | |
| 354 | 352 | Note: in the above example you will get an error in non FIPS capable versions |
| 355 | 353 | of OpenSSL. |
| 356 | 354 | |
| 357 | Simple OpenSSL library configuration to make TLS 1.3 the system-default | |
| 358 | minimum TLS version: | |
| 355 | Simple OpenSSL library configuration to make TLS 1.2 and DTLS 1.2 the | |
| 356 | system-default minimum TLS and DTLS versions, respectively: | |
| 359 | 357 | |
| 360 | 358 | # Toplevel section for openssl (including libssl) |
| 361 | 359 | openssl_conf = default_conf_section |
| 368 | 366 | system_default = system_default_section |
| 369 | 367 | |
| 370 | 368 | [system_default_section] |
| 371 | MinProtocol = TLSv1.3 | |
| 369 | MinProtocol = TLSv1.2 | |
| 370 | MinProtocol = DTLSv1.2 | |
| 371 | ||
| 372 | The minimum TLS protocol is applied to B<SSL_CTX> objects that are TLS-based, | |
| 373 | and the minimum DTLS protocol to those are DTLS-based. | |
| 374 | The same applies also to maximum versions set with B<MaxProtocol>. | |
| 372 | 375 | |
| 373 | 376 | More complex OpenSSL library configuration. Add OID and don't enter FIPS mode: |
| 374 | 377 | |
| 304 | 304 | const char *name; |
| 305 | 305 | int version; |
| 306 | 306 | }; |
| 307 | /* | |
| 308 | * Note: To avoid breaking previously valid configurations, we must retain | |
| 309 | * legacy entries in this table even if the underlying protocol is no | |
| 310 | * longer supported. This also means that the constants SSL3_VERSION, ... | |
| 311 | * need to be retained indefinitely. This table can only grow, never | |
| 312 | * shrink. | |
| 313 | */ | |
| 307 | 314 | static const struct protocol_versions versions[] = { |
| 308 | 315 | {"None", 0}, |
| 309 | 316 | {"SSLv3", SSL3_VERSION}, |
| 1655 | 1655 | */ |
| 1656 | 1656 | int ssl_set_version_bound(int method_version, int version, int *bound) |
| 1657 | 1657 | { |
| 1658 | int valid_tls; | |
| 1659 | int valid_dtls; | |
| 1660 | ||
| 1658 | 1661 | if (version == 0) { |
| 1659 | 1662 | *bound = version; |
| 1660 | 1663 | return 1; |
| 1661 | 1664 | } |
| 1665 | ||
| 1666 | valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION; | |
| 1667 | valid_dtls = | |
| 1668 | DTLS_VERSION_LE(version, DTLS_MAX_VERSION) && | |
| 1669 | DTLS_VERSION_GE(version, DTLS1_BAD_VER); | |
| 1670 | ||
| 1671 | if (!valid_tls && !valid_dtls) | |
| 1672 | return 0; | |
| 1662 | 1673 | |
| 1663 | 1674 | /*- |
| 1664 | 1675 | * Restrict TLS methods to TLS protocol versions. |
| 1670 | 1681 | * configurations. If the MIN (supported) version ever rises, the user's |
| 1671 | 1682 | * "floor" remains valid even if no longer available. We don't expect the |
| 1672 | 1683 | * MAX ceiling to ever get lower, so making that variable makes sense. |
| 1684 | * | |
| 1685 | * We ignore attempts to set bounds on version-inflexible methods, | |
| 1686 | * returning success. | |
| 1673 | 1687 | */ |
| 1674 | 1688 | switch (method_version) { |
| 1675 | 1689 | default: |
| 1676 | /* | |
| 1677 | * XXX For fixed version methods, should we always fail and not set any | |
| 1678 | * bounds, always succeed and not set any bounds, or set the bounds and | |
| 1679 | * arrange to fail later if they are not met? At present fixed-version | |
| 1680 | * methods are not subject to controls that disable individual protocol | |
| 1681 | * versions. | |
| 1682 | */ | |
| 1683 | return 0; | |
| 1690 | break; | |
| 1684 | 1691 | |
| 1685 | 1692 | case TLS_ANY_VERSION: |
| 1686 | if (version < SSL3_VERSION || version > TLS_MAX_VERSION) | |
| 1687 | return 0; | |
| 1693 | if (valid_tls) | |
| 1694 | *bound = version; | |
| 1688 | 1695 | break; |
| 1689 | 1696 | |
| 1690 | 1697 | case DTLS_ANY_VERSION: |
| 1691 | if (DTLS_VERSION_GT(version, DTLS_MAX_VERSION) || | |
| 1692 | DTLS_VERSION_LT(version, DTLS1_BAD_VER)) | |
| 1693 | return 0; | |
| 1698 | if (valid_dtls) | |
| 1699 | *bound = version; | |
| 1694 | 1700 | break; |
| 1695 | 1701 | } |
| 1696 | ||
| 1697 | *bound = version; | |
| 1698 | 1702 | return 1; |
| 1699 | 1703 | } |
| 1700 | 1704 | |