From 082894dcada015ec7db4b6685baba93420ef511a Mon Sep 17 00:00:00 2001
From: dmiller
Date: Tue, 12 May 2026 21:53:50 +0000
Subject: [PATCH] Try to loosen OpenSSL security. Fixes #583
---
 nsock/src/nsock_ssl.c | 33 ++++++++++++++++++++++++++++-----
 1 file changed, 28 insertions(+), 5 deletions(-)
diff --git a/nsock/src/nsock_ssl.c b/nsock/src/nsock_ssl.c
index 26e9a7f57..794007b3f 100644
--- a/nsock/src/nsock_ssl.c
+++ b/nsock/src/nsock_ssl.c
@@ -90,6 +90,12 @@ static void nsock_ssl_atexit(void) {
 nsock_ssl_state = NSOCK_SSL_STATE_ATEXIT;
 }
+
+#define HAVE_SSL_CTX_SET_SECURITY_LEVEL 1
+static int nsock_allowall_cb(const SSL *s, const SSL_CTX *ctx,
+ int op, int bits, int nid, void *other, void *ex) {
+ return 1;
+}
 #endif
 void nsp_ssl_cleanup(struct npool *nsp) {
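Review bot: `#define HAVE_SSL_CTX_SET_SECURITY_LEVEL 1` is unconditional, so the `#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL` guards in nsock_pool_ssl_init_helper only protect builds that the enclosing `#if ... #endif` block (its condition sits above this hunk) already excludes; unless that condition tracks the OpenSSL release that introduced SSL_CTX_set_security_level and SSL_CTX_set_security_callback, older OpenSSL or LibreSSL builds lacking them will fail to compile rather than skip the calls. Deriving the macro from the library version, e.g. `#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)`, or probing for the functions from the configure script, makes that dependency explicit. nsock_allowall_cb also deserves a one-line comment stating that it approves every security operation regardless of `op`, `bits` and `nid` and is only installed on NSOCK_SSL_MAX_SPEED contexts, and marking its unused parameters `(void)` keeps -Wunused-parameter quiet.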
@@ -198,14 +204,31 @@ static nsock_ssl_ctx nsock_pool_ssl_init_helper(SSL_CTX *ctx, int flags) {
 * SSLv2-compatible SSLv23_client_method. */
 SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
 SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
- SSL_CTX_set_options(ctx, flags & NSOCK_SSL_MAX_SPEED ?
- SSL_OP_ALL : SSL_OP_ALL|SSL_OP_NO_SSLv2);
+ if (flags & NSOCK_SSL_MAX_SPEED) {
+ SSL_CTX_set_options(ctx, SSL_OP_ALL);
- if (!SSL_CTX_set_cipher_list(ctx, flags & NSOCK_SSL_MAX_SPEED ?
- CIPHERS_FAST : CIPHERS_SECURE))
- fatal("Unable to set OpenSSL cipher list: %s",
+ if (!SSL_CTX_set_cipher_list(ctx, CIPHERS_FAST))
+ fatal("Unable to set OpenSSL cipher list: %s",
 ERR_error_string(ERR_get_error(), NULL));
+#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
+ /* Attempt to allow all connections */
+ SSL_CTX_set_security_level(ctx, 0);
+ SSL_CTX_set_security_callback(ctx, nsock_allowall_cb);
+#endif
+ }
+ else {
+ SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2);
+
+ if (!SSL_CTX_set_cipher_list(ctx, CIPHERS_SECURE))
+ fatal("Unable to set OpenSSL cipher list: %s",
+ ERR_error_string(ERR_get_error(), NULL));
+#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
+ /* This is stricter than default, but still quite loose */
+ SSL_CTX_set_security_level(ctx, 2);
+#endif
+ }
+
 return ctx;
 }
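Review bot: In the MAX_SPEED branch the security level is lowered and nsock_allowall_cb installed only after `SSL_CTX_set_cipher_list(ctx, CIPHERS_FAST)` has already run, so the cipher list is parsed under whatever level the context inherited; if the installed OpenSSL evaluates entries against the current level at set time, weak CIPHERS_FAST suites could be dropped or the call could fail before the loosening takes effect, so the `SSL_CTX_set_security_level` and `SSL_CTX_set_security_callback` calls belong ahead of it. The comment `/* This is stricter than default, but still quite loose */` is not reliable either: OpenSSL's compiled-in default is level 1, but several distributions build with a default of 2, so it should state what the level enforces, e.g. `/* Level 2 (112-bit security); equals or tightens the library default */`. Both branches now duplicate the options/cipher-list/fatal sequence; choosing the option set, cipher list and level once and making each call a single time keeps the error path in one place, as sketched below. nsock_pool_ssl_init_helper's signature lies outside the hunk.
```c
  SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
  int max_speed = (flags & NSOCK_SSL_MAX_SPEED) != 0;

  SSL_CTX_set_options(ctx, max_speed ? SSL_OP_ALL : SSL_OP_ALL|SSL_OP_NO_SSLv2);
#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
  /* Apply the policy before the cipher list is parsed so the list is
   * evaluated under the level it will be used with. Level 0 plus the
   * allow-all callback disables OpenSSL's strength checks for MAX_SPEED
   * contexts; level 2 (112-bit security) applies otherwise. */
  if (max_speed) {
    SSL_CTX_set_security_level(ctx, 0);
    SSL_CTX_set_security_callback(ctx, nsock_allowall_cb);
  }
  else {
    SSL_CTX_set_security_level(ctx, 2);
  }
#endif
  if (!SSL_CTX_set_cipher_list(ctx, max_speed ? CIPHERS_FAST : CIPHERS_SECURE))
    fatal("Unable to set OpenSSL cipher list: %s",
          ERR_error_string(ERR_get_error(), NULL));

  return ctx;
```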