Avoid errors with a priori inapplicable protocol bounds
The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
ignore TLS protocol version bounds when configuring DTLS-based contexts,
and conversely, silently ignore DTLS protocol version bounds when
configuring TLS-based contexts. The commands can be repeated to set
bounds of both types. The same applies with the corresponding
"min_protocol" and "max_protocol" command-line switches, in case some
application uses both TLS and DTLS.
SSL_CTX instances that are created for a fixed protocol version (e.g.
TLSv1_server_method()) also silently ignore version bounds. Previously
attempts to apply bounds to these protocol versions would result in an
error. Now only the "version-flexible" SSL_CTX instances are subject to
limits in configuration files in command-line options.
Expected to resolve #12394
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #12507
Viktor Dukhovni
3 years ago
7 | 7 | release branch. |
8 | 8 | |
9 | 9 | Changes between 1.1.1g and 1.1.1h [xx XXX xxxx] |
10 | ||
11 | *) The 'MinProtocol' and 'MaxProtocol' configuration commands now silently | |
12 | ignore TLS protocol version bounds when configuring DTLS-based contexts, and | |
13 | conversely, silently ignore DTLS protocol version bounds when configuring | |
14 | TLS-based contexts. The commands can be repeated to set bounds of both | |
15 | types. The same applies with the corresponding "min_protocol" and | |
16 | "max_protocol" command-line switches, in case some application uses both TLS | |
17 | and DTLS. | |
18 | ||
19 | SSL_CTX instances that are created for a fixed protocol version (e.g. | |
20 | TLSv1_server_method()) also silently ignore version bounds. Previously | |
21 | attempts to apply bounds to these protocol versions would result in an | |
22 | error. Now only the "version-flexible" SSL_CTX instances are subject to | |
23 | limits in configuration files in command-line options. | |
24 | [Viktor Dukhovni] | |
10 | 25 | |
11 | 26 | *) Handshake now fails if Extended Master Secret extension is dropped |
12 | 27 | on renegotiation. |
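Review bot: The last sentence of the new CHANGES entry reads "limits in configuration files in command-line options"; the second "in" looks like it should be "or", since the entry covers both the configuration commands and the command-line switches. Worth fixing here because this text is what operators read to learn that fixed-version contexts no longer reject bounds.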
146 | 146 | =item B<-min_protocol>, B<-max_protocol> |
147 | 147 | |
148 | 148 | Sets the minimum and maximum supported protocol. |
149 | Currently supported protocol values are B<SSLv3>, B<TLSv1>, | |
150 | B<TLSv1.1>, B<TLSv1.2>, B<TLSv1.3> for TLS and B<DTLSv1>, B<DTLSv1.2> for DTLS, | |
151 | and B<None> for no limit. | |
152 | If either bound is not specified then only the other bound applies, | |
153 | if specified. | |
154 | To restrict the supported protocol versions use these commands rather | |
155 | than the deprecated alternative commands below. | |
149 | Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, | |
150 | B<TLSv1.2>, B<TLSv1.3> for TLS; B<DTLSv1>, B<DTLSv1.2> for DTLS, and B<None> | |
151 | for no limit. | |
152 | If either the lower or upper bound is not specified then only the other bound | |
153 | applies, if specified. | |
154 | If your application supports both TLS and DTLS you can specify any of these | |
155 | options twice, once with a bound for TLS and again with an appropriate bound | |
156 | for DTLS. | |
157 | To restrict the supported protocol versions use these commands rather than the | |
158 | deprecated alternative commands below. | |
156 | 159 | |
157 | 160 | =item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3> |
158 | 161 | |
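Review bot: The new paragraph for -min_protocol/-max_protocol says the option may be given twice but never states that a TLS bound is ignored on a DTLS-based context and vice versa, which is the behaviour that makes repeating it safe. The MinProtocol and MaxProtocol entries later in this file spell that out ("The SSL and TLS bounds apply only to TLS-based contexts, ..."); suggest repeating that sentence here so a reader of the command-line section alone does not assume a single -min_protocol TLSv1.2 also puts a floor under DTLS.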
369 | 372 | |
370 | 373 | Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, |
371 | 374 | B<TLSv1.2>, B<TLSv1.3>, B<DTLSv1> and B<DTLSv1.2>. |
372 | The value B<None> will disable the limit. | |
375 | The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds | |
376 | apply only to DTLS-based contexts. | |
377 | The command can be repeated with one instance setting a TLS bound, and the | |
378 | other setting a DTLS bound. | |
379 | The value B<None> applies to both types of contexts and disables the limits. | |
373 | 380 | |
374 | 381 | =item B<MaxProtocol> |
375 | 382 | |
377 | 384 | |
378 | 385 | Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>, |
379 | 386 | B<TLSv1.2>, B<TLSv1.3>, B<DTLSv1> and B<DTLSv1.2>. |
380 | The value B<None> will disable the limit. | |
387 | The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds | |
388 | apply only to DTLS-based contexts. | |
389 | The command can be repeated with one instance setting a TLS bound, and the | |
390 | other setting a DTLS bound. | |
391 | The value B<None> applies to both types of contexts and disables the limits. | |
381 | 392 | |
382 | 393 | =item B<Protocol> |
383 | 394 |
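Review bot: The MinProtocol and MaxProtocol text added here describes the TLS/DTLS split but omits the second half of the change, that contexts created with a fixed-version method ignore these bounds entirely. CHANGES documents it ("SSL_CTX instances that are created for a fixed protocol version ... also silently ignore version bounds"), and it belongs in the manual page as well, since an administrator relying on MinProtocol as a policy control needs to know which contexts it does not reach.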
261 | 261 | ssl_conf = ssl_sect |
262 | 262 | |
263 | 263 | [ssl_sect] |
264 | ||
265 | 264 | system_default = system_default_sect |
266 | 265 | |
267 | 266 | [system_default_sect] |
268 | ||
269 | 267 | MinProtocol = TLSv1.2 |
270 | ||
268 | MinProtocol = DTLSv1.2 | |
271 | 269 | |
272 | 270 | =head1 NOTES |
273 | 271 | |
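Review bot: The synopsis now shows "MinProtocol = TLSv1.2" followed by "MinProtocol = DTLSv1.2" in one section with nothing explaining why the key appears twice. With the code this patch replaces, a DTLS version passed to a TLS_ANY_VERSION context made ssl_set_version_bound() return 0, so the same file is rejected by older libraries. Suggest a short comment or sentence near the example saying the second line targets DTLS contexts and naming the release from which repeated bounds are accepted.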
354 | 352 | Note: in the above example you will get an error in non FIPS capable versions |
355 | 353 | of OpenSSL. |
356 | 354 | |
357 | Simple OpenSSL library configuration to make TLS 1.3 the system-default | |
358 | minimum TLS version: | |
355 | Simple OpenSSL library configuration to make TLS 1.2 and DTLS 1.2 the | |
356 | system-default minimum TLS and DTLS versions, respectively: | |
359 | 357 | |
360 | 358 | # Toplevel section for openssl (including libssl) |
361 | 359 | openssl_conf = default_conf_section |
368 | 366 | system_default = system_default_section |
369 | 367 | |
370 | 368 | [system_default_section] |
371 | MinProtocol = TLSv1.3 | |
369 | MinProtocol = TLSv1.2 | |
370 | MinProtocol = DTLSv1.2 | |
371 | ||
372 | The minimum TLS protocol is applied to B<SSL_CTX> objects that are TLS-based, | |
373 | and the minimum DTLS protocol to those are DTLS-based. | |
374 | The same applies also to maximum versions set with B<MaxProtocol>. | |
372 | 375 | |
373 | 376 | More complex OpenSSL library configuration. Add OID and don't enter FIPS mode: |
374 | 377 |
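Review bot: In the added explanation, "the minimum DTLS protocol to those are DTLS-based" is missing a word; it should read "to those that are DTLS-based". Separately, the example floor changes from "MinProtocol = TLSv1.3" to "MinProtocol = TLSv1.2" and the commit message does not say why; if the only goal is to show a TLS and a DTLS bound side by side, keeping TLSv1.3 next to DTLSv1.2 would do that without lowering the documented example.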
304 | 304 | const char *name; |
305 | 305 | int version; |
306 | 306 | }; |
307 | /* | |
308 | * Note: To avoid breaking previously valid configurations, we must retain | |
309 | * legacy entries in this table even if the underlying protocol is no | |
310 | * longer supported. This also means that the constants SSL3_VERSION, ... | |
311 | * need to be retained indefinitely. This table can only grow, never | |
312 | * shrink. | |
313 | */ | |
307 | 314 | static const struct protocol_versions versions[] = { |
308 | 315 | {"None", 0}, |
309 | 316 | {"SSLv3", SSL3_VERSION}, |
1655 | 1655 | */ |
1656 | 1656 | int ssl_set_version_bound(int method_version, int version, int *bound) |
1657 | 1657 | { |
1658 | int valid_tls; | |
1659 | int valid_dtls; | |
1660 | ||
1658 | 1661 | if (version == 0) { |
1659 | 1662 | *bound = version; |
1660 | 1663 | return 1; |
1661 | 1664 | } |
1665 | ||
1666 | valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION; | |
1667 | valid_dtls = | |
1668 | DTLS_VERSION_LE(version, DTLS_MAX_VERSION) && | |
1669 | DTLS_VERSION_GE(version, DTLS1_BAD_VER); | |
1670 | ||
1671 | if (!valid_tls && !valid_dtls) | |
1672 | return 0; | |
1662 | 1673 | |
1663 | 1674 | /*- |
1664 | 1675 | * Restrict TLS methods to TLS protocol versions. |
1670 | 1681 | * configurations. If the MIN (supported) version ever rises, the user's |
1671 | 1682 | * "floor" remains valid even if no longer available. We don't expect the |
1672 | 1683 | * MAX ceiling to ever get lower, so making that variable makes sense. |
1684 | * | |
1685 | * We ignore attempts to set bounds on version-inflexible methods, | |
1686 | * returning success. | |
1673 | 1687 | */ |
1674 | 1688 | switch (method_version) { |
1675 | 1689 | default: |
1676 | /* | |
1677 | * XXX For fixed version methods, should we always fail and not set any | |
1678 | * bounds, always succeed and not set any bounds, or set the bounds and | |
1679 | * arrange to fail later if they are not met? At present fixed-version | |
1680 | * methods are not subject to controls that disable individual protocol | |
1681 | * versions. | |
1682 | */ | |
1683 | return 0; | |
1690 | break; | |
1684 | 1691 | |
1685 | 1692 | case TLS_ANY_VERSION: |
1686 | if (version < SSL3_VERSION || version > TLS_MAX_VERSION) | |
1687 | return 0; | |
1693 | if (valid_tls) | |
1694 | *bound = version; | |
1688 | 1695 | break; |
1689 | 1696 | |
1690 | 1697 | case DTLS_ANY_VERSION: |
1691 | if (DTLS_VERSION_GT(version, DTLS_MAX_VERSION) || | |
1692 | DTLS_VERSION_LT(version, DTLS1_BAD_VER)) | |
1693 | return 0; | |
1698 | if (valid_dtls) | |
1699 | *bound = version; | |
1694 | 1700 | break; |
1695 | 1701 | } |
1696 | ||
1697 | *bound = version; | |
1698 | 1702 | return 1; |
1699 | 1703 | } |
1700 | 1704 |
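Review bot: After this change ssl_set_version_bound() returns 1 both when *bound was written and when the request was ignored (the "default:" branch, and the TLS_ANY_VERSION / DTLS_ANY_VERSION branches when valid_tls or valid_dtls is false), so a caller can no longer tell from the return value whether the bound took effect. That is the stated intent, but the retained comment still opens with "Restrict TLS methods to TLS protocol versions.", which now describes a silent skip rather than a rejection, and only the fixed-version case gets a new sentence. Suggest extending the comment to say that a version of the other protocol family leaves *bound untouched and still returns success, so callers do not assume *bound == version on return. Note also that the "default:" branch is reached only after the validity check, so a fixed-version context still fails on a value that is neither a valid TLS nor DTLS version; please state that in the comment too, since "We ignore attempts to set bounds on version-inflexible methods, returning success" reads as unconditional.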