From 962f887a64422c8e0a7f12131d8401211ef8cd74 Mon Sep 17 00:00:00 2001
From: Andreas Kotes
Date: Tue, 15 Apr 2014 13:06:58 +0200
Subject: allow the use of TLSv1 / TLSv1_1 again
---
 vchat-ssl.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'vchat-ssl.c')
diff --git a/vchat-ssl.c b/vchat-ssl.c
index 2b41432..0333aee 100755
--- a/vchat-ssl.c
+++ b/vchat-ssl.c
@@ -61,8 +61,8 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store )
 X509_STORE *store = NULL;
 vc_x509verify_cb_t verify_callback = NULL;
- /* Explicitly use TLSv1_2 (or maybe later) */
- if( !(ctx = SSL_CTX_new(TLSv1_2_client_method())) )
+ /* Explicitly use TLSv1 (or maybe later) */
+ if( !(ctx = SSL_CTX_new(TLSv1_client_method())) )
 VC_CTX_ERR_EXIT(store, ctx);
 if( !(store = vc_x509store_create(vc_store)) )
@@ -70,8 +70,8 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store )
 SSL_CTX_set_cert_store(ctx, store);
 store = NULL;
- /* Disable A LOT of insecure protocols explicitly */
- SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1);
+ /* Disable some insecure protocols explicitly */
+ SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
 SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
 SSL_CTX_set_verify_depth (ctx, 2);
-- cgit v1.2.3
From 2cb919fee2df15cf82ec11fd32f59ef57436cd1b Mon Sep 17 00:00:00 2001
From: Andreas Kotes
Date: Tue, 15 Apr 2014 13:32:37 +0200
Subject: don't check cipher if SSL object not available
---
 vchat-ssl.c | 1 +
 1 file changed, 1 insertion(+)
(limited to 'vchat-ssl.c')
diff --git a/vchat-ssl.c b/vchat-ssl.c
index 0333aee..986187f 100755
--- a/vchat-ssl.c
+++ b/vchat-ssl.c
@@ -143,6 +143,7 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store )
 /* Get cipher object */
 BIO_get_ssl(ssl_conn, &sslp);
+ if (sslp)
 cipher = SSL_get_current_cipher(sslp);
 if (cipher) {
 char cipher_desc[TMPSTRSIZE];
-- cgit v1.2.3
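Review bot: The new comment `/* Explicitly use TLSv1 (or maybe later) */` promises more than `TLSv1_client_method()` delivers: the version-specific client methods negotiate exactly that one protocol version, so after this change the client offers TLS 1.0 only, even to a server that supports TLS 1.1 or 1.2. The second hunk (@@ -70,8 +70,8) shows the same mismatch from the other side, since dropping `SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1` has no visible effect while the method itself is pinned. If the goal is TLS 1.0 as a floor, the version-flexible `SSLv23_client_method()` together with the `SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3` options already set would negotiate the highest version both sides support. vc_create_sslctx starts and ends outside both hunks.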
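Review bot: The added `if (sslp)` has no braces, and the statement it guards, `cipher = SSL_get_current_cipher(sslp);`, is an unchanged context line, so it presumably keeps its old indentation and the guard is easy to miss on a later edit. Bracing it, `if (sslp) { cipher = SSL_get_current_cipher(sslp); }`, makes the scope explicit. The guard is only sound if `sslp` and `cipher` are initialised to NULL before `BIO_get_ssl()`, because the following `if (cipher)` is now reached without an assignment; their declarations are outside this hunk, so that is worth confirming.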
From f98143f4d2774dc06b23655fd369075247aab4e9 Mon Sep 17 00:00:00 2001
From: Andreas Kotes
Date: Tue, 15 Apr 2014 13:33:13 +0200
Subject: disable RC4 explicitly
---
 vchat-ssl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'vchat-ssl.c')
diff --git a/vchat-ssl.c b/vchat-ssl.c
index 986187f..e571d85 100755
--- a/vchat-ssl.c
+++ b/vchat-ssl.c
@@ -72,7 +72,7 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store )
 store = NULL;
 /* Disable some insecure protocols explicitly */
 SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
- SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
+ SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:!RC4:@STRENGTH");
 SSL_CTX_set_verify_depth (ctx, 2);
-- cgit v1.2.3
From cc89915d8cc8361c29318ee954f4fff14d862cb7 Mon Sep 17 00:00:00 2001
From: Andreas Kotes
Date: Tue, 15 Apr 2014 15:26:54 +0200
Subject: use SSLv23_client_method & force cipherstring
---
 vchat-ssl.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
(limited to 'vchat-ssl.c')
diff --git a/vchat-ssl.c b/vchat-ssl.c
index e571d85..d4a6029 100755
--- a/vchat-ssl.c
+++ b/vchat-ssl.c
@@ -62,7 +62,7 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store )
 vc_x509verify_cb_t verify_callback = NULL;
 /* Explicitly use TLSv1 (or maybe later) */
- if( !(ctx = SSL_CTX_new(TLSv1_client_method())) )
+ if( !(ctx = SSL_CTX_new(SSLv23_client_method())) )
 VC_CTX_ERR_EXIT(store, ctx);
 if( !(store = vc_x509store_create(vc_store)) )
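Review bot: `!ADH` in the cipher string on the changed line (hunk @@ -72,7 +72,7) removes only anonymous finite-field DH; in OpenSSL builds with elliptic-curve support `ALL` also contains the anonymous ECDH (`AECDH`) suites, which give no server authentication either. Using `!aNULL` in place of `!ADH` excludes both families, e.g. `"ALL:!aNULL:!LOW:!EXP:!MD5:!RC4:@STRENGTH"`. The return value of `SSL_CTX_set_cipher_list()` is also ignored here; it returns 0 when the string selects no usable cipher, and that case should fail context creation rather than pass unnoticed. vc_create_sslctx starts and ends outside the hunk.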
@@ -71,8 +71,11 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store )
 SSL_CTX_set_cert_store(ctx, store);
 store = NULL;
 /* Disable some insecure protocols explicitly */
- SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
- SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:!RC4:@STRENGTH");
+ SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+ if( OPENSSL_VERSION_NUMBER < 0x10000000L )
+ SSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES256-SHA");
+ else
+ SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES256-GCM-SHA384");
 SSL_CTX_set_verify_depth (ctx, 2);
-- cgit v1.2.3
From 0171de7653dbc409f8a936e80a8c9bc3ab3d1bdb Mon Sep 17 00:00:00 2001
From: Andreas Kotes
Date: Wed, 16 Apr 2014 15:20:49 +0200
Subject: version 0.19 * fixed version string display * failing on SSL verify failures * removed ignssl option * reenabled ciphers options * added verifyssl option (cert verify depth)
---
 vchat-ssl.c | 36 ++++++++++++++++++++++--------------
 1 file changed, 22 insertions(+), 14 deletions(-)
(limited to 'vchat-ssl.c')
diff --git a/vchat-ssl.c b/vchat-ssl.c
index d4a6029..999d6b8 100755
--- a/vchat-ssl.c
+++ b/vchat-ssl.c
@@ -32,7 +32,7 @@
 #include "vchat.h"
 #include "vchat-ssl.h"
-char *vchat_ssl_version = "$Id$";
+const char *vchat_ssl_version = "$Id$";
 #define VC_CTX_ERR_EXIT(se, cx) do { \
 snprintf(tmpstr, TMPSTRSIZE, "CREATE CTX: %s", \
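Review bot: `OPENSSL_VERSION_NUMBER` is a compile-time constant from the headers, so the new `if`/`else` around the two `SSL_CTX_set_cipher_list()` calls (hunk @@ -71,8 +71,11) decides by what the program was built against rather than by the library loaded at run time, and the `0x10000000L` threshold (1.0.0) is lower than the release that introduced the TLS 1.2 GCM suites (1.0.1, `0x10001000L`). Against a 1.0.0 library `"ECDHE-RSA-AES256-GCM-SHA384"` would presumably select nothing, and because the return value is not checked that is not reported here. Pinning a single TLS 1.2-only suite also works against the earlier goal of reaching TLS 1.0/1.1 servers, since such a peer has no suite in common with the client. A short preference list plus a check such as `if( !SSL_CTX_set_cipher_list(ctx, list) ) VC_CTX_ERR_EXIT(store, ctx);` would cover both cases; vc_create_sslctx starts and ends outside the hunk.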
@@ -72,12 +72,14 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store )
 store = NULL;
 /* Disable some insecure protocols explicitly */
 SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
- if( OPENSSL_VERSION_NUMBER < 0x10000000L )
+ if (getstroption(CF_CIPHERSUITE))
+ SSL_CTX_set_cipher_list(ctx, getstroption(CF_CIPHERSUITE));
+ else if( OPENSSL_VERSION_NUMBER < 0x10000000L )
 SSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES256-SHA");
 else
 SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES256-GCM-SHA384");
- SSL_CTX_set_verify_depth (ctx, 2);
+ SSL_CTX_set_verify_depth (ctx, getintoption(CF_VERIFYSSL));
 if( !(verify_callback = vc_store->callback) )
 verify_callback = vc_verify_callback;
@@ -139,6 +141,7 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store )
 BIO_push( ssl_conn, *conn );
 *conn = ssl_conn;
 fflush(stdout);
+
 if( BIO_do_handshake( *conn ) > 0 ) {
 /* Show information about cipher used */
 const SSL *sslp = NULL;
@@ -156,11 +159,14 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store )
 snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] Cipher not known / SSL object can't be queried!");
 writecf(FS_ERR, tmpstr);
 }
- return 0;
+
+ /* Accept being connected, _if_ verification passed */
+ if (sslp && SSL_get_verify_result(sslp) == X509_V_OK)
+ return 0;
 }
 }
- snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s", ERR_error_string (ERR_get_error (), NULL));
+ snprintf(tmpstr, TMPSTRSIZE, "[SSL CONNECT ERROR] %s", ERR_error_string (ERR_get_error (), NULL));
 writecf(FS_ERR, tmpstr);
 return 1;
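Review bot: Both new configuration inputs in hunk @@ -72,12 +72,14 reach OpenSSL unchecked: `SSL_CTX_set_cipher_list(ctx, getstroption(CF_CIPHERSUITE))` ignores the return value, and `getintoption(CF_VERIFYSSL)` is passed straight to `SSL_CTX_set_verify_depth()`. A mistyped cipher string is therefore not reported when the context is built, and a user-supplied string replaces the built-in choice entirely, so it can re-enable anonymous or export suites. I would fail context creation when the call returns 0, e.g. `if( !SSL_CTX_set_cipher_list(ctx, getstroption(CF_CIPHERSUITE)) ) VC_CTX_ERR_EXIT(store, ctx);`, and say in the option's documentation that it overrides the defaults. A range check on the depth would help too; its default and valid values are not visible in this hunk.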
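Review bot: `SSL_get_verify_result(sslp) == X509_V_OK` on the added lines of hunk @@ -156,11 +159,14 is not sufficient by itself, because OpenSSL documents that the result is also `X509_V_OK` when the peer presented no certificate at all; the check needs to be paired with a non-NULL `SSL_get_peer_certificate()`. Nothing in this hunk ties the certificate to the host name the user asked for either; whether that happens elsewhere, for example in the verify callback, is not visible here. When verification does fail, control falls through to the `[SSL CONNECT ERROR]` line, which prints `ERR_get_error()` even though the error queue may be empty at that point, so printing `X509_verify_cert_error_string(SSL_get_verify_result(sslp))` there would tell the user why the connection was refused. vc_connect_ssl starts and ends outside the hunk.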
@@ -230,17 +236,11 @@ X509_STORE *vc_x509store_create(vc_x509store_t *vc_store)
 int vc_verify_callback(int ok, X509_STORE_CTX *store)
 {
 if(!ok) {
- /* XXX handle action/abort */
- if(!(ok=getintoption(CF_IGNSSL)))
- snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s",
+ snprintf(tmpstr, TMPSTRSIZE, "[SSL VERIFY ERROR] %s",
 X509_verify_cert_error_string(store->error));
- else
- snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s (ignored)",
- X509_verify_cert_error_string(store->error));
-
 writecf(FS_ERR, tmpstr);
 }
- return(ok);
+ return ok;
 }
 void vc_x509store_setflags(vc_x509store_t *store, int flags)
@@ -326,6 +326,14 @@ void vc_cleanup_x509store(vc_x509store_t *s)
 free(s->use_keyfile);
 free(s->use_key);
 sk_X509_free(s->certs);
- sk_X509_free(s->crls);
+ sk_X509_CRL_free(s->crls);
 sk_X509_free(s->use_certs);
 }
+
+const char *vchat_ssl_version_external = "OpenSSL implementation; version unknown";
+void vchat_ssl_get_version_external()
+{
+ char tmpstr[TMPSTRSIZE];
+ snprintf(tmpstr, TMPSTRSIZE, "%s with %s", SSLeay_version(SSLEAY_VERSION), SSLeay_version(SSLEAY_CFLAGS));
+ vchat_ssl_version_external = strdup(tmpstr);
+}
-- cgit v1.2.3
From edba804a0cbd19e5c971c55661bcf83967573906 Mon Sep 17 00:00:00 2001
From: Andreas Kotes
Date: Wed, 16 Apr 2014 15:28:51 +0200
Subject: fix version strings
---
 vchat-ssl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'vchat-ssl.c')
diff --git a/vchat-ssl.c b/vchat-ssl.c
index 999d6b8..68e3699 100755
--- a/vchat-ssl.c
+++ b/vchat-ssl.c
@@ -32,7 +32,7 @@
 #include "vchat.h"
 #include "vchat-ssl.h"
-const char *vchat_ssl_version = "$Id$";
+const char *vchat_ssl_version = "vchat-ssl.c $Id$";
 #define VC_CTX_ERR_EXIT(se, cx) do { \
 snprintf(tmpstr, TMPSTRSIZE, "CREATE CTX: %s", \
-- cgit v1.2.3
From 3297473435ad53b6691d6c772f83457a72134c48 Mon Sep 17 00:00:00 2001
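Review bot: The `[SSL VERIFY ERROR]` message in vc_verify_callback (hunk @@ -230,17 +236,11) gives no hint which certificate in the chain failed, which matters more now that the `CF_IGNSSL` override is gone and every failure ends the connection. Adding the depth from `X509_STORE_CTX_get_error_depth(store)` to the message and reading the code through `X509_STORE_CTX_get_error(store)` instead of `store->error` would make the log usable without depending on the struct layout. A one-line comment above `return ok;`, such as `/* log only; never override OpenSSL's verdict */`, would document why the old override must not come back.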
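Review bot: `vchat_ssl_get_version_external()` in hunk @@ -326,6 +326,14 assigns the result of `strdup()` unconditionally, so on allocation failure the global `vchat_ssl_version_external` changes from its fallback literal to NULL and a later `%s` print of it dereferences NULL. Keeping the fallback is a two-line change: `char *v = strdup(tmpstr);` followed by `if (v) vchat_ssl_version_external = v;`. The local `char tmpstr[TMPSTRSIZE]` also shadows the file-wide `tmpstr` that the other functions in these hunks use without declaring, and the empty parameter list should be `(void)`. A second call would leak the previous copy, which only matters if the function can be called more than once; its callers are not visible here.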
From: Andreas Kotes
Date: Wed, 16 Apr 2014 16:27:00 +0200
Subject: store & verify server cert fingerprint
---
 vchat-ssl.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 70 insertions(+), 5 deletions(-)
(limited to 'vchat-ssl.c')
diff --git a/vchat-ssl.c b/vchat-ssl.c
index 68e3699..d240cbd 100755
--- a/vchat-ssl.c
+++ b/vchat-ssl.c
@@ -153,16 +153,81 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store )
 cipher = SSL_get_current_cipher(sslp);
 if (cipher) {
 char cipher_desc[TMPSTRSIZE];
- snprintf(tmpstr, TMPSTRSIZE, "[SSL CIPHER] %s", SSL_CIPHER_description(cipher, cipher_desc, TMPSTRSIZE));
+ snprintf(tmpstr, TMPSTRSIZE, "[SSL CIPHER ] %s", SSL_CIPHER_description(cipher, cipher_desc, TMPSTRSIZE));
 writecf(FS_SERV, tmpstr);
 } else {
- snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] Cipher not known / SSL object can't be queried!");
+ snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR ] Cipher not known / SSL object can't be queried!");
 writecf(FS_ERR, tmpstr);
 }
 /* Accept being connected, _if_ verification passed */
- if (sslp && SSL_get_verify_result(sslp) == X509_V_OK)
- return 0;
+ if (sslp) {
+ long result = SSL_get_verify_result(sslp);
+
+ /* show & verify fingerprint */
+ if (result == X509_V_OK) {
+ X509 *peercert = SSL_get_peer_certificate(sslp);
+
+ /* FIXME: this IS bad code */
+ char new_fingerprint[TMPSTRSIZE] = "";
+ char old_fingerprint[TMPSTRSIZE] = "";
+ FILE *fingerprint_file = NULL;
+
+ unsigned int fingerprint_len;
+ unsigned char fingerprint_bin[EVP_MAX_MD_SIZE];
+
+ /* show basic information about peer cert */
+ snprintf(tmpstr, TMPSTRSIZE, "[SSL SUBJECT ] %s", X509_NAME_oneline(X509_get_subject_name(peercert),0,0));
+ writecf(FS_SERV, tmpstr);
+ snprintf(tmpstr, TMPSTRSIZE, "[SSL ISSUER ] %s", X509_NAME_oneline(X509_get_issuer_name(peercert),0,0));
+ writecf(FS_SERV, tmpstr);
+
+ /* calculate fingerprint */
+ if (X509_digest(peercert,EVP_sha1(),fingerprint_bin,&fingerprint_len)) {
+ char shorttmpstr[3] = "XX";
+ int j;
+ for (j=0; j<(int)fingerprint_len; j++) {
+ if (j)
+ strncat(new_fingerprint, ":", TMPSTRSIZE);
+ snprintf(shorttmpstr, 3, "%02X", fingerprint_bin[j]);
+ strncat(new_fingerprint, shorttmpstr, TMPSTRSIZE);
+ }
+ snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] from server: %s", new_fingerprint);
+ writecf(FS_SERV, tmpstr);
+ }
+
+ // we don't need the peercert anymore
+ X509_free(peercert);
+
+ fingerprint_file = fopen(tilde_expand(getstroption(CF_FINGERPRINT)), "r");
+ if (fingerprint_file) {
+ fgets(old_fingerprint, TMPSTRSIZE, fingerprint_file);
+ fclose(fingerprint_file);
+
+ /* verify fingerprint matches stored version */
+ if (!strncmp(new_fingerprint, old_fingerprint, TMPSTRSIZE))
+ return 0;
+ else {
+ snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] from %s: %s", getstroption(CF_FINGERPRINT), old_fingerprint);
+ writecf(FS_ERR, tmpstr);
+ writecf(FS_ERR, "[SSL CONNECT ERROR] Fingerprint mismatch! Server cert updated?");
+ return 1;
+ }
+ } else {
+ /* FIXME: there might be other errors than missing file */
+ fingerprint_file = fopen(tilde_expand(getstroption(CF_FINGERPRINT)), "w");
+ if (!fingerprint_file) {
+ snprintf (tmpstr, TMPSTRSIZE, "Can't write fingerprint file, %s.", strerror(errno));
+ writecf(FS_ERR, tmpstr);
+ } else {
+ fputs(new_fingerprint, fingerprint_file);
+ fclose(fingerprint_file);
+ writecf(FS_SERV, "Stored fingerprint.");
+ return 0;
+ }
+ }
+ }
+ }
 }
 }
@@ -236,7 +301,7 @@ X509_STORE *vc_x509store_create(vc_x509store_t *vc_store)
 int vc_verify_callback(int ok, X509_STORE_CTX *store)
 {
 if(!ok) {
- snprintf(tmpstr, TMPSTRSIZE, "[SSL VERIFY ERROR] %s",
+ snprintf(tmpstr, TMPSTRSIZE, "[SSL VERIFY ERROR ] %s",
 X509_verify_cert_error_string(store->error));
 writecf(FS_ERR, tmpstr);
 }
-- cgit v1.2.3
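Review bot: The pinning logic added in hunk @@ -153,16 +153,81 can accept a connection without having a fingerprint: if `X509_digest()` fails, `new_fingerprint` stays `""`, and the code below still compares it with the stored value (an empty file leaves `old_fingerprint` at `""` too, so `strncmp` matches) or writes it out as the trusted value and returns 0. `SSL_get_peer_certificate()` is also dereferenced without a NULL check, although `X509_V_OK` is reported as well when no certificate was sent. I would return 1 in both situations before the fingerprint file is touched, as sketched below. Further points in the same hunk: the pin is a SHA-1 digest where `EVP_sha256()` would be the usual choice, `strncat(..., TMPSTRSIZE)` passes the buffer size rather than the space left, the strings returned by `X509_NAME_oneline(..., 0, 0)` are heap-allocated and never freed, and any `fopen(..., "r")` failure, not only a missing file, leads to silently trusting and storing the presented certificate. vc_connect_ssl starts and ends outside the hunk.

```c
X509 *peercert = SSL_get_peer_certificate(sslp);
/* … unchanged: fingerprint buffers, FILE pointer, digest variables … */
int have_fingerprint = 0;

/* X509_V_OK is also reported when the server sent no certificate */
if (!peercert) {
  writecf(FS_ERR, "[SSL CONNECT ERROR] Server presented no certificate.");
  return 1;
}

/* … unchanged: subject / issuer output … */

if (X509_digest(peercert,EVP_sha1(),fingerprint_bin,&fingerprint_len)) {
  /* … unchanged: hex formatting loop and fingerprint output … */
  have_fingerprint = 1;
}

X509_free(peercert);

/* never compare against, or store, an empty fingerprint */
if (!have_fingerprint) {
  writecf(FS_ERR, "[SSL CONNECT ERROR] Could not compute server fingerprint.");
  return 1;
}

/* … unchanged: fingerprint file compare / store … */
```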