Disable option openssl-method
parent
181228cf53
commit
14f3e4fed8
8 changed files with 56 additions and 12 deletions
6
CHANGES
6
CHANGES
|
@ -55,6 +55,12 @@ corrections:
|
|||
TCP6:127.0.0.1:80
|
||||
Thanks to Nicolas Fournil for reporting this issue.
|
||||
|
||||
porting:
|
||||
OpenSSL functions TLS1_client_method() and similar are
|
||||
deprecated. Socat now uses recommended TLS_client_method(). The old
|
||||
functions and dependend option openssl-method can still be
|
||||
used when configuring socat with --enable-openssl-method
|
||||
|
||||
testing:
|
||||
test.sh: Show a warning when phase-1 (insecure phase) of a security
|
||||
test fails
|
||||
|
|
|
@ -433,6 +433,10 @@
|
|||
/* Define if you have the HAVE_SSL_CTX_set_default_verify_paths function */
|
||||
#undef HAVE_SSL_CTX_set_default_verify_paths
|
||||
|
||||
/* Define if you have the TLS client and server method functions. not in old openssl? */
|
||||
#undef HAVE_TLS_client_method
|
||||
#undef HAVE_TLS_server_method
|
||||
|
||||
/* Define if you have the SSLv3 client and server method functions. not in new openssl */
|
||||
#undef HAVE_SSLv3_client_method
|
||||
#undef HAVE_SSLv3_server_method
|
||||
|
@ -625,6 +629,7 @@
|
|||
#undef WITH_PTY
|
||||
#undef WITH_EXT2
|
||||
#undef WITH_OPENSSL
|
||||
#undef WITH_OPENSSL_METHOD
|
||||
#define WITH_STREAMS 1
|
||||
#undef WITH_FIPS
|
||||
#undef OPENSSL_FIPS
|
||||
|
|
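Review bot: The comment on the new HAVE_TLS_client_method/HAVE_TLS_server_method pair ends in a question ("not in old openssl?"), which leaves the next maintainer guessing what the macro actually means; the CHANGES entry in this same commit states these are the replacements for the deprecated per-version *_client_method() functions, so the comment can be definite. I would write `/* Define if you have TLS_client_method() and TLS_server_method(); they replace the deprecated per-version *_client_method()/*_server_method() functions in newer OpenSSL */`. The SSLv3 comment just below says "not in new openssl" without a question mark, so the two would then read consistently.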
14
configure.in
14
configure.in
|
@ -568,6 +568,16 @@ if test -n "$WITH_OPENSSL"; then
|
|||
fi
|
||||
fi
|
||||
|
||||
if test -n "$WITH_OPENSSL"; then
|
||||
AC_MSG_CHECKING(whether to include OpenSSL method option)
|
||||
AC_ARG_ENABLE(openssl-method, [ --enable-openssl-method enable OpenSSL method option],
|
||||
[case "$enableval" in
|
||||
no) AC_MSG_RESULT(no);;
|
||||
*) AC_DEFINE(WITH_OPENSSL_METHOD) WITH_OPENSSL_METHOD=1; AC_MSG_RESULT(yes);;
|
||||
esac],
|
||||
[AC_MSG_RESULT(no)])
|
||||
fi
|
||||
|
||||
# check for fips support
|
||||
AC_MSG_CHECKING(whether to include openssl fips support)
|
||||
AC_ARG_ENABLE(fips, [ --enable-fips enable OpenSSL FIPS support],
|
||||
|
@ -1425,6 +1435,9 @@ AC_CHECK_FUNC(SSLv2_server_method, AC_DEFINE(HAVE_SSLv2_server_method), AC_CHECK
|
|||
dnl
|
||||
AC_CHECK_FUNC(SSL_CTX_set_default_verify_paths, AC_DEFINE(HAVE_SSL_CTX_set_default_verify_paths))
|
||||
|
||||
AC_CHECK_FUNC(TLS_client_method, AC_DEFINE(HAVE_TLS_client_method), AC_CHECK_LIB(crypt, TLS_client_method, [LIBS=-lcrypt $LIBS]))
|
||||
AC_CHECK_FUNC(TLS_server_method, AC_DEFINE(HAVE_TLS_server_method), AC_CHECK_LIB(crypt, TLS_server_method, [LIBS=-lcrypt $LIBS]))
|
||||
if test -n "$WITH_OPENSSL_METHOD"; then
|
||||
AC_CHECK_FUNC(SSLv3_client_method, AC_DEFINE(HAVE_SSLv3_client_method), AC_CHECK_LIB(crypt, SSLv3_client_method, [LIBS=-lcrypt $LIBS]))
|
||||
AC_CHECK_FUNC(SSLv3_server_method, AC_DEFINE(HAVE_SSLv3_server_method), AC_CHECK_LIB(crypt, SSLv3_server_method, [LIBS=-lcrypt $LIBS]))
|
||||
AC_CHECK_FUNC(SSLv23_client_method, AC_DEFINE(HAVE_SSLv23_client_method), AC_CHECK_LIB(crypt, SSLv23_client_method, [LIBS=-lcrypt $LIBS]))
|
||||
|
@ -1437,6 +1450,7 @@ AC_CHECK_FUNC(TLSv1_2_client_method, AC_DEFINE(HAVE_TLSv1_2_client_method), AC_C
|
|||
AC_CHECK_FUNC(TLSv1_2_server_method, AC_DEFINE(HAVE_TLSv1_2_server_method), AC_CHECK_LIB(crypt, TLSv1_2_server_method, [LIBS=-lcrypt $LIBS]))
|
||||
AC_CHECK_FUNC(DTLSv1_client_method, AC_DEFINE(HAVE_DTLSv1_client_method), AC_CHECK_LIB(crypt, DTLSv1_client_method, [LIBS=-lcrypt $LIBS]))
|
||||
AC_CHECK_FUNC(DTLSv1_server_method, AC_DEFINE(HAVE_DTLSv1_server_method), AC_CHECK_LIB(crypt, DTLSv1_server_method, [LIBS=-lcrypt $LIBS]))
|
||||
fi # $WITH_OPENSSL_METHOD
|
||||
AC_CHECK_FUNC(RAND_egd, AC_DEFINE(HAVE_RAND_egd), AC_CHECK_LIB(crypt, RAND_egd, [LIBS=-lcrypt $LIBS]))
|
||||
AC_CHECK_FUNC(DH_set0_pqg, AC_DEFINE(HAVE_DH_set0_pqg), AC_CHECK_LIB(crypt, DH_set0_pqg, [LIBS=-lcrypt $LIBS]))
|
||||
AC_CHECK_FUNC(ASN1_STRING_get0_data, AC_DEFINE(HAVE_ASN1_STRING_get0_data), AC_CHECK_LIB(crypt, ASN1_STRING_get0_data, [LIBS=-lcrypt $LIBS]))
|
||||
|
|
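Review bot: The new switch is registered as `--enable-openssl-method` here (and in CHANGES), but the doc/socat.yo text changed in this same commit tells users to build with `--with-openssl-method`, so one of the two points at a flag that does not exist; the configure help string is authoritative, so the doc line should read `socat() was built with option tt(--enable-openssl-method).` On the new AC_CHECK_FUNC lines, the fallback `AC_CHECK_LIB(crypt, TLS_client_method, [LIBS=-lcrypt $LIBS])` copies the pattern already used throughout this block, but libcrypt is the password-hashing library rather than libcrypto/libssl, so that fallback can never locate the symbol — presumably harmless today because the primary AC_CHECK_FUNC succeeds whenever LIBS already carries -lssl, but worth either correcting to `ssl` or a `dnl` note explaining why it is kept. Finally, when `--enable-openssl-method` is given, the `AC_MSG_RESULT(yes)` branch could carry an `AC_MSG_WARN([openssl-method re-enables deprecated per-version SSL/TLS methods])` so the less secure build is visible in the configure log.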
10
doc/socat.yo
10
doc/socat.yo
|
@ -506,7 +506,6 @@ label(ADDRESS_OPENSSL_CONNECT)dit(bf(tt(OPENSSL:<host>:<port>)))
|
|||
Option groups: link(FD)(GROUP_FD),link(SOCKET)(GROUP_SOCKET),link(IP4)(GROUP_IP4),link(IP6)(GROUP_IP6),link(TCP)(GROUP_TCP),link(OPENSSL)(GROUP_OPENSSL),link(RETRY)(GROUP_RETRY) nl()
|
||||
Useful options:
|
||||
link(cipher)(OPTION_OPENSSL_CIPHERLIST),
|
||||
link(method)(OPTION_OPENSSL_METHOD),
|
||||
link(verify)(OPTION_OPENSSL_VERIFY),
|
||||
link(commonname)(OPTION_OPENSSL_COMMONNAME)
|
||||
link(cafile)(OPTION_OPENSSL_CAFILE),
|
||||
|
@ -535,7 +534,6 @@ label(ADDRESS_OPENSSL_LISTEN)dit(bf(tt(OPENSSL-LISTEN:<port>)))
|
|||
Useful options:
|
||||
link(pf)(OPTION_PROTOCOL_FAMILY),
|
||||
link(cipher)(OPTION_OPENSSL_CIPHERLIST),
|
||||
link(method)(OPTION_OPENSSL_METHOD),
|
||||
link(verify)(OPTION_OPENSSL_VERIFY),
|
||||
link(commonname)(OPTION_OPENSSL_COMMONNAME)
|
||||
link(cafile)(OPTION_OPENSSL_CAFILE),
|
||||
|
@ -2633,17 +2631,19 @@ label(OPTION_OPENSSL_CIPHERLIST)dit(bf(tt(cipher=<cipherlist>)))
|
|||
Note that the peer must support the selected property, or the negotiation
|
||||
will fail.
|
||||
label(OPTION_OPENSSL_METHOD)dit(bf(tt(method=<ssl-method>)))
|
||||
This option is based on deprecated functions and is only available when
|
||||
socat() was build with option tt(--with-openssl-method).
|
||||
Sets the protocol version to be used. Valid strings (not case sensitive)
|
||||
are:
|
||||
startdit()
|
||||
dit(tt(SSL2)) Select SSL protocol version 2.
|
||||
dit(tt(SSL3)) Select SSL protocol version 3.
|
||||
dit(tt(SSL23)) Select the best available SSL or TLS protocol. This is the default when
|
||||
this option is not provided.
|
||||
dit(tt(SSL23)) Select the best available SSL or TLS protocol.
|
||||
dit(tt(TLS1)) Select TLS protocol version 1.
|
||||
dit(tt(TLS1.1)) Select TLS protocol version 1.1.
|
||||
dit(tt(TLS1.2)) Select TLS protocol version 1.2.
|
||||
dit(tt(DTLS1)) Select DTLS protocol version 1.
|
||||
When this option is not provided OpenSSL negotiates the mothod with its
|
||||
peer.
|
||||
enddit()
|
||||
label(OPTION_OPENSSL_VERIFY)dit(bf(tt(verify=<bool>)))
|
||||
Controls check of the peer's certificate. Default is 1 (true). Disabling
|
||||
|
|
4
sslcls.c
4
sslcls.c
|
@ -91,6 +91,7 @@ const SSL_METHOD *sycSSLv23_server_method(void) {
|
|||
return result;
|
||||
}
|
||||
|
||||
#if HAVE_TLSv1_client_method
|
||||
const SSL_METHOD *sycTLSv1_client_method(void) {
|
||||
const SSL_METHOD *result;
|
||||
Debug("TLSv1_client_method()");
|
||||
|
@ -98,7 +99,9 @@ const SSL_METHOD *sycTLSv1_client_method(void) {
|
|||
Debug1("TLSv1_client_method() -> %p", result);
|
||||
return result;
|
||||
}
|
||||
#endif
|
||||
|
||||
#if HAVE_TLSv1_server_method
|
||||
const SSL_METHOD *sycTLSv1_server_method(void) {
|
||||
const SSL_METHOD *result;
|
||||
Debug("TLSv1_server_method()");
|
||||
|
@ -106,6 +109,7 @@ const SSL_METHOD *sycTLSv1_server_method(void) {
|
|||
Debug1("TLSv1_server_method() -> %p", result);
|
||||
return result;
|
||||
}
|
||||
#endif
|
||||
|
||||
#if HAVE_TLSv1_1_client_method
|
||||
const SSL_METHOD *sycTLSv1_1_client_method(void) {
|
||||
|
|
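Review bot: This file still has no `sycTLS_client_method()`/`sycTLS_server_method()` wrapper, yet the default path added to xio-openssl.c in this commit now calls `TLS_client_method()`/`TLS_server_method()` bare, so the new default selection loses the `Debug("...")`/`Debug1("... -> %p")` trace that every other method selection here gets. Adding the two wrappers under the new HAVE_TLS_*_method guards (plus their prototypes in sslcls.h, which is outside this diff) keeps the tracing uniform; the server variant is symmetric. The hunks here only add the `#if HAVE_TLSv1_client_method` / `#if HAVE_TLSv1_server_method` guards around functions whose bodies are otherwise unchanged, and the file continues outside them.
```c
#if HAVE_TLS_client_method
const SSL_METHOD *sycTLS_client_method(void) {
   const SSL_METHOD *result;
   Debug("TLS_client_method()");
   result = TLS_client_method();
   Debug1("TLS_client_method() -> %p", result);
   return result;
}
#endif
/* … sycTLS_server_method(): same shape, calling TLS_server_method() … */
```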
14
test.sh
14
test.sh
|
@ -12411,14 +12411,17 @@ if ! eval $NUMCOND; then :;
|
|||
elif ! testaddrs openssl >/dev/null; then
|
||||
$PRINTF "test $F_n $TEST... ${YELLOW}OPENSSL not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
elif ! socat -hhh |grep -q "^[[:space:]]*openssl-method[[:space:]]"; then
|
||||
$PRINTF "test $F_n $TEST... ${YELLOW}Option openssl-method not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
else
|
||||
gentestcert testsrv
|
||||
tf="$td/test$N.stdout"
|
||||
te="$td/test$N.stderr"
|
||||
tdiff="$td/test$N.diff"
|
||||
da="test$N $(date) $RANDOM"
|
||||
CMD0="$SOCAT $opts OPENSSL-LISTEN:$PORT,reuseaddr,method=$method,cert=testsrv.pem,verify=0 PIPE"
|
||||
CMD1="$SOCAT $opts - OPENSSL-CONNECT:$LOCALHOST:$PORT,method=$method,verify=0"
|
||||
CMD0="$SOCAT $opts OPENSSL-LISTEN:$PORT,reuseaddr,openssl-method=$method,cert=testsrv.pem,verify=0 PIPE"
|
||||
CMD1="$SOCAT $opts - OPENSSL-CONNECT:$LOCALHOST:$PORT,opensslmethod=$method,verify=0"
|
||||
printf "test $F_n $TEST... " $N
|
||||
if [ "$method" = DTLS1 -a "$(echo -e "$OPENSSL_VERSION\n1.0.2" |sort -V |tail -n 1)" = "$OPENSSL_VERSION_GOOD" ]; then
|
||||
$PRINTF "${YELLOW}might hang, skipping${NORMAL}\n"
|
||||
|
@ -12468,14 +12471,17 @@ if ! eval $NUMCOND; then :;
|
|||
elif ! testaddrs openssl >/dev/null; then
|
||||
$PRINTF "test $F_n $TEST... ${YELLOW}OPENSSL not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
elif ! socat -hhh |grep -q "^[[:space:]]*openssl-method[[:space:]]"; then
|
||||
$PRINTF "test $F_n $TEST... ${YELLOW}Option openssl-method not available${NORMAL}\n" $N
|
||||
numCANT=$((numCANT+1))
|
||||
else
|
||||
gentestcert testsrv
|
||||
tf="$td/test$N.stdout"
|
||||
te="$td/test$N.stderr"
|
||||
tdiff="$td/test$N.diff"
|
||||
da="test$N $(date) $RANDOM"
|
||||
CMD0="$SOCAT $opts OPENSSL-LISTEN:$PORT,reuseaddr,method=$method,cert=testsrv.pem,verify=0 PIPE"
|
||||
CMD1="$SOCAT $opts - OPENSSL-CONNECT:$LOCALHOST:$PORT,method=$method,verify=0"
|
||||
CMD0="$SOCAT $opts OPENSSL-LISTEN:$PORT,reuseaddr,openssl-method=$method,cert=testsrv.pem,verify=0 PIPE"
|
||||
CMD1="$SOCAT $opts - OPENSSL-CONNECT:$LOCALHOST:$PORT,openssl-method=$method,verify=0"
|
||||
printf "test $F_n $TEST... " $N
|
||||
if [ "$method" = DTLS1 -a "$(echo -e "$OPENSSL_VERSION\n1.0.2" |sort -V |tail -n 1)" = "$OPENSSL_VERSION_GOOD" ]; then
|
||||
$PRINTF "${YELLOW}might hang, skipping${NORMAL}\n"
|
||||
|
|
|
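Review bot: The two rewritten client command lines disagree on the option name: the first test's `CMD1` uses `opensslmethod=$method` while the listener line right above it and both lines of the second test use `openssl-method=$method`; unless socat's option lookup ignores the hyphen (I cannot tell from these hunks), the first test will fail on an unknown option instead of exercising the method, so I would change it to `CMD1="$SOCAT $opts - OPENSSL-CONNECT:$LOCALHOST:$PORT,openssl-method=$method,verify=0"`. The new availability check `socat -hhh |grep -q "^[[:space:]]*openssl-method[[:space:]]"` runs the bare `socat` from PATH, whereas the commands under test run `$SOCAT`, so with an installed socat alongside a freshly built one the skip decision can be made against the wrong binary; `$SOCAT -hhh` keeps the check and the test on the same build. The enclosing test cases start and end outside the hunks.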
@ -101,7 +101,9 @@ const struct addrdesc addr_openssl_listen = {
|
|||
|
||||
/* both client and server */
|
||||
const struct optdesc opt_openssl_cipherlist = { "openssl-cipherlist", "ciphers", OPT_OPENSSL_CIPHERLIST, GROUP_OPENSSL, PH_SPEC, TYPE_STRING, OFUNC_SPEC };
|
||||
#if WITH_OPENSSL_METHOD
|
||||
const struct optdesc opt_openssl_method = { "openssl-method", "method", OPT_OPENSSL_METHOD, GROUP_OPENSSL, PH_SPEC, TYPE_STRING, OFUNC_SPEC };
|
||||
#endif
|
||||
const struct optdesc opt_openssl_verify = { "openssl-verify", "verify", OPT_OPENSSL_VERIFY, GROUP_OPENSSL, PH_SPEC, TYPE_BOOL, OFUNC_SPEC };
|
||||
const struct optdesc opt_openssl_certificate = { "openssl-certificate", "cert", OPT_OPENSSL_CERTIFICATE, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
|
||||
const struct optdesc opt_openssl_key = { "openssl-key", "key", OPT_OPENSSL_KEY, GROUP_OPENSSL, PH_SPEC, TYPE_FILENAME, OFUNC_SPEC };
|
||||
|
@ -806,7 +808,9 @@ int
|
|||
Error1("openssl-method=\"%s\": method unknown or not provided by library", me_str);
|
||||
}
|
||||
} else {
|
||||
#if HAVE_SSLv23_client_method
|
||||
#if HAVE_TLS_client_method
|
||||
method = TLS_client_method();
|
||||
#elif HAVE_SSLv23_client_method
|
||||
method = sycSSLv23_client_method();
|
||||
#elif HAVE_TLSv1_2_client_method
|
||||
method = sycTLSv1_2_client_method();
|
||||
|
@ -826,7 +830,6 @@ int
|
|||
if (me_str != 0) {
|
||||
if (false) {
|
||||
; /* for canonical reasons */
|
||||
|
||||
#if HAVE_SSLv2_server_method
|
||||
} else if (!strcasecmp(me_str, "SSL2")) {
|
||||
method = sycSSLv2_server_method();
|
||||
|
@ -859,7 +862,9 @@ int
|
|||
Error1("openssl-method=\"%s\": method unknown or not provided by library", me_str);
|
||||
}
|
||||
} else {
|
||||
#if HAVE_SSLv23_server_method
|
||||
#if HAVE_TLS_server_method
|
||||
method = TLS_server_method();
|
||||
#elif HAVE_SSLv23_server_method
|
||||
method = sycSSLv23_server_method();
|
||||
#elif HAVE_TLSv1_2_server_method
|
||||
method = sycTLSv1_2_server_method();
|
||||
|
|
|
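Review bot: With `openssl-method` compiled out by default, the new default branch `method = TLS_client_method();` (and its server twin) leaves the negotiated protocol range entirely to OpenSSL's build-time defaults, and nothing in these hunks bounds it; if the enclosing function does not already apply `SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3` or `SSL_CTX_set_min_proto_version()` (it starts and ends outside the hunks, so I cannot tell), users lose their only knob for refusing old protocol versions. Consider at least `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` where the context is created, or a min-version option, so the default is not merely whatever the library was built with. As a style point, the sibling branches go through the `syc*` wrappers (`sycSSLv23_client_method()`, `sycTLSv1_2_client_method()`) that emit the Debug trace, while the new branch calls `TLS_client_method()` directly and is therefore silent in the debug log. The `#elif HAVE_TLSv1_2_client_method` fallback silently pins the default to TLS 1.2 only on libraries lacking both newer functions, which deserves a one-line comment such as `/* no version-negotiating method available: pin to TLS 1.2 */`.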
@ -879,7 +879,9 @@ const struct optname optionnames[] = {
|
|||
#ifdef IP_ADD_MEMBERSHIP
|
||||
IF_IP ("membership", &opt_ip_add_membership)
|
||||
#endif
|
||||
#if WITH_OPENSSL_METHOD
|
||||
IF_OPENSSL("method", &opt_openssl_method)
|
||||
#endif
|
||||
IF_TERMIOS("min", &opt_vmin)
|
||||
IF_ANY ("mode", &opt_perm)
|
||||
#ifdef TCP_MAXSEG
|
||||
|
@ -1109,7 +1111,9 @@ const struct optname optionnames[] = {
|
|||
IF_OPENSSL("openssl-fips", &opt_openssl_fips)
|
||||
#endif
|
||||
IF_OPENSSL("openssl-key", &opt_openssl_key)
|
||||
#if WITH_OPENSSL_METHOD
|
||||
IF_OPENSSL("openssl-method", &opt_openssl_method)
|
||||
#endif
|
||||
IF_OPENSSL("openssl-pseudo", &opt_openssl_pseudo)
|
||||
IF_OPENSSL("openssl-verify", &opt_openssl_verify)
|
||||
IF_TERMIOS("opost", &opt_opost)
|
||||
|
|