CERBERUS/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2026-05-13 08:46:45 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Try to loosen OpenSSL security. Fixes #583
Some checks are pending
nmap multiplatform autobuilds / build (arm64, gcc, ubuntu-latest-gcc-arm64, ubuntu-latest) (push) Waiting to run
Details
nmap multiplatform autobuilds / build (clang, freebsd-15-clang, ubuntu-latest) (push) Waiting to run
Details
nmap multiplatform autobuilds / build (clang, macos-15-clang, macos-15) (push) Waiting to run
Details
nmap multiplatform autobuilds / build (clang, macos-26-clang, macos-26) (push) Waiting to run
Details
nmap multiplatform autobuilds / build (clang, netbsd-10-clang, ubuntu-latest) (push) Waiting to run
Details
nmap multiplatform autobuilds / build (clang, openbsd-7-clang, ubuntu-latest) (push) Waiting to run
Details
nmap multiplatform autobuilds / build (clang, solaris-11-clang, ubuntu-latest) (push) Waiting to run
Details
nmap multiplatform autobuilds / build (clang, ubuntu-latest-clang, ubuntu-latest) (push) Waiting to run
Details
nmap multiplatform autobuilds / build (egcc, openbsd-7-gcc, ubuntu-latest) (push) Waiting to run
Details
nmap multiplatform autobuilds / build (gcc, freebsd-15-gcc, ubuntu-latest) (push) Waiting to run
Details
nmap multiplatform autobuilds / build (gcc, netbsd-10-gcc, ubuntu-latest) (push) Waiting to run
Details
nmap multiplatform autobuilds / build (gcc, solaris-11-gcc, ubuntu-latest) (push) Waiting to run
Details
nmap multiplatform autobuilds / build (gcc, ubuntu-latest-gcc, ubuntu-latest) (push) Waiting to run
Details
nmap multiplatform autobuilds / build (msvc, windows-latest-msvc, windows-latest) (push) Waiting to run
Details

Browse source
This commit is contained in:
dmiller 2026-05-12 21:53:50 +00:00
parent 1263089a52
commit 082894dcad
1 changed files with 28 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

33
nsock/src/nsock_ssl.c
View file

@ -90,6 +90,12 @@ static void nsock_ssl_atexit(void)
{ {
nsock_ssl_state = NSOCK_SSL_STATE_ATEXIT; nsock_ssl_state = NSOCK_SSL_STATE_ATEXIT;
} }
#define HAVE_SSL_CTX_SET_SECURITY_LEVEL 1
static int nsock_allowall_cb(const SSL *s, const SSL_CTX *ctx,
int op, int bits, int nid, void *other, void *ex) {
return 1;
}
#endif #endif
void nsp_ssl_cleanup(struct npool *nsp) void nsp_ssl_cleanup(struct npool *nsp)
{ {
@ -198,14 +204,31 @@ static nsock_ssl_ctx nsock_pool_ssl_init_helper(SSL_CTX *ctx, int flags) {
* SSLv2-compatible SSLv23_client_method. */ * SSLv2-compatible SSLv23_client_method. */
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(ctx, flags & NSOCK_SSL_MAX_SPEED ? if (flags & NSOCK_SSL_MAX_SPEED) {
SSL_OP_ALL : SSL_OP_ALL|SSL_OP_NO_SSLv2); SSL_CTX_set_options(ctx, SSL_OP_ALL);
if (!SSL_CTX_set_cipher_list(ctx, flags & NSOCK_SSL_MAX_SPEED ? if (!SSL_CTX_set_cipher_list(ctx, CIPHERS_FAST))
CIPHERS_FAST : CIPHERS_SECURE)) fatal("Unable to set OpenSSL cipher list: %s",
fatal("Unable to set OpenSSL cipher list: %s",
ERR_error_string(ERR_get_error(), NULL)); ERR_error_string(ERR_get_error(), NULL));
#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
/* Attempt to allow all connections */
SSL_CTX_set_security_level(ctx, 0);
SSL_CTX_set_security_callback(ctx, nsock_allowall_cb);
#endif
}
else {
SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2);
if (!SSL_CTX_set_cipher_list(ctx, CIPHERS_SECURE))
fatal("Unable to set OpenSSL cipher list: %s",
ERR_error_string(ERR_get_error(), NULL));
#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
/* This is stricter than default, but still quite loose */
SSL_CTX_set_security_level(ctx, 2);
#endif
}
return ctx; return ctx;
} }