winhttp: disable TLSv1.1/1.2 by default
Marcus Meissner
marcus at jet.franken.de
Sun Aug 26 10:46:09 CDT 2012
On Sun, Aug 26, 2012 at 11:50:15AM +0900, Hiroshi Miura wrote:
>
> Windows 7 disables TLSv1.1/1.2 by default.
> This patch intend to behave same as Windows.
Please do not... The newer TLSv1.x versions fix some shortcomings
of the older TLS versions.
Is there a specific problem you see?
Otherwise, I object.
Ciao, MArcus
> Signed-off-by: Hiroshi Miura <miurahr at linux.com>
> ---
> dlls/winhttp/net.c | 74
> ++++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 74 insertions(+)
>
>
>
> diff --git a/dlls/winhttp/net.c b/dlls/winhttp/net.c
> index 5ec4e1a..03cf9b7 100644
> --- a/dlls/winhttp/net.c
> +++ b/dlls/winhttp/net.c
> @@ -52,6 +52,7 @@
> #include "winbase.h"
> #include "winhttp.h"
> #include "wincrypt.h"
> +#include "winreg.h"
>
> #include "winhttp_private.h"
>
> @@ -109,8 +110,10 @@ MAKE_FUNCPTR( SSL_load_error_strings );
> MAKE_FUNCPTR( SSLv23_method );
> MAKE_FUNCPTR( SSL_CTX_free );
> MAKE_FUNCPTR( SSL_CTX_new );
> +MAKE_FUNCPTR( SSL_CTX_ctrl );
> MAKE_FUNCPTR( SSL_new );
> MAKE_FUNCPTR( SSL_free );
> +MAKE_FUNCPTR( SSL_ctrl );
> MAKE_FUNCPTR( SSL_set_fd );
> MAKE_FUNCPTR( SSL_connect );
> MAKE_FUNCPTR( SSL_shutdown );
> @@ -408,12 +411,66 @@ static int netconn_secure_verify( int preverify_ok, X509_STORE_CTX *ctx )
> }
> return ret;
> }
> +
> +static long get_tls_option(void) {
> + long tls_option;
> + DWORD type, val, size;
> + HKEY hkey,tls12_client,tls11_client;
> + LONG res;
> + const WCHAR Schannel_Prot[] = { /* SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCANNEL\\Protocols */
> + 'S','Y','S','T','E','M','\\',
> + 'C','u','r','r','e','n','t','C','o','n','t','r','o','l','S','e','t','\\',
> + 'C','o','n','t','r','o','l','\\',
> + 'S','e','c','u','r','i','t','y','P','r','o','v','i','d','e','r','s','\\',
> + 'S','C','H','A','N','N','E','L','\\',
> + 'P','r','o','t','o','c','o','l','s',0 };
> + const WCHAR TLS12_Client[] = {'T','L','S',' ','1','.','2','\\','C','l','i','e','n','t',0};
> + const WCHAR TLS11_Client[] = {'T','L','S',' ','1','.','1','\\','C','l','i','e','n','t',0};
> + const WCHAR DisabledByDefault[] = {'D','i','s','a','b','l','e','d','B','y','D','e','f','a','u','l','t',0};
> +
> + tls_option = SSL_OP_NO_SSLv2; /* disable SSLv2 for security reason, and secur32/Schannel(GnuTLS) don't support it */
> + res = RegOpenKeyExW(HKEY_LOCAL_MACHINE,
> + Schannel_Prot,
> + 0, KEY_READ, &hkey);
> + if (res != ERROR_SUCCESS) {
> + tls_option |= SSL_OP_NO_TLSv1_2;
> + tls_option |= SSL_OP_NO_TLSv1_1;
> + goto end;
> + }
> + if (RegOpenKeyExW(hkey, TLS12_Client, 0, KEY_READ, &tls12_client) == ERROR_SUCCESS) {
> + size = sizeof(DWORD);
> + if (RegQueryValueExW(tls12_client, DisabledByDefault, NULL, &type, (LPBYTE) &val, &size) || type != REG_DWORD) {
> + tls_option |= SSL_OP_NO_TLSv1_2;
> + } else {
> + tls_option |= val?SSL_OP_NO_TLSv1_2:0;
> + }
> + RegCloseKey(tls12_client);
> + } else {
> + tls_option |= SSL_OP_NO_TLSv1_2;
> + }
> + if (RegOpenKeyExW(hkey, TLS11_Client, 0, KEY_READ, &tls11_client) == ERROR_SUCCESS) {
> + size = sizeof(DWORD);
> + if (RegQueryValueExW(tls11_client, DisabledByDefault, NULL, &type, (LPBYTE) &val, &size) || type != REG_DWORD) {
> + tls_option |= SSL_OP_NO_TLSv1_1;
> + } else {
> + tls_option |= val?SSL_OP_NO_TLSv1_1:0;
> + }
> + RegCloseKey(tls11_client);
> + } else {
> + tls_option |= SSL_OP_NO_TLSv1_1;
> + }
> + RegCloseKey(hkey);
> +
> +end:
> + return tls_option;
> +}
> #endif
>
> BOOL netconn_init( netconn_t *conn, BOOL secure )
> {
> #if defined(SONAME_LIBSSL) && defined(SONAME_LIBCRYPTO)
> int i;
> + long tls_option;
> #endif
>
> conn->socket = -1;
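Review bot: Every failure path in get_tls_option() — the `res != ERROR_SUCCESS` branch after the first RegOpenKeyExW, a missing `TLS 1.x\Client` subkey, and a missing or non-REG_DWORD DisabledByDefault value — produces the same result as an explicit `DisabledByDefault=1`, so a prefix with no SCHANNEL\Protocols key negotiates at most TLS 1.0 whichever Windows version is being emulated, and nothing in the function says this is intended; add a header comment such as `/* Map Schannel's per-protocol DisabledByDefault registry values onto SSL_OP_NO_* bits; a missing key or value counts as disabled (the Windows 7 client default). */`. The path comment on the Schannel_Prot array spells the key `SCANNEL` while the array itself spells `SCHANNEL`, so the comment should be corrected to match. The WCHAR literals are rebuilt on the stack on every call; Wine source generally declares such strings `static const WCHAR`, which also keeps them out of the per-connection path. Among the legacy protocols only SSL_OP_NO_SSLv2 is set, so SSLv3 stays negotiable; whether that is deliberate deserves a remark next to the existing SSLv2 comment.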
> @@ -453,8 +510,10 @@ BOOL netconn_init( netconn_t *conn, BOOL secure )
> LOAD_FUNCPTR( SSLv23_method );
> LOAD_FUNCPTR( SSL_CTX_free );
> LOAD_FUNCPTR( SSL_CTX_new );
> + LOAD_FUNCPTR (SSL_CTX_ctrl);
> LOAD_FUNCPTR( SSL_new );
> LOAD_FUNCPTR( SSL_free );
> + LOAD_FUNCPTR( SSL_ctrl );
> LOAD_FUNCPTR( SSL_set_fd );
> LOAD_FUNCPTR( SSL_connect );
> LOAD_FUNCPTR( SSL_shutdown );
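Review bot: `LOAD_FUNCPTR (SSL_CTX_ctrl);` uses different spacing from every surrounding call, including the `LOAD_FUNCPTR( SSL_ctrl );` added in the same hunk; write it as `LOAD_FUNCPTR( SSL_CTX_ctrl );`. netconn_init begins before this hunk.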
> @@ -494,11 +553,20 @@ BOOL netconn_init( netconn_t *conn, BOOL secure )
> LOAD_FUNCPTR( sk_num );
> #undef LOAD_FUNCPTR
>
> +#define pSSL_CTX_set_options(ctx,op) \
> + pSSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL)
> +#define pSSL_set_options(ssl,op) \
> + pSSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL)
> +
> pSSL_library_init();
> pSSL_load_error_strings();
>
> method = pSSLv23_method();
> ctx = pSSL_CTX_new( method );
> +
> + tls_option = get_tls_option();
> + pSSL_CTX_set_options(ctx, tls_option);
> +
> if (!pSSL_CTX_set_default_verify_paths( ctx ))
> {
> ERR("SSL_CTX_set_default_verify_paths failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
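Review bot: The `pSSL_CTX_set_options`/`pSSL_set_options` macros are defined inside netconn_init's body, directly after `#undef LOAD_FUNCPTR`, yet `pSSL_set_options` is used in netconn_secure_connect much later in the file; that only works because the preprocessor ignores function scope, and a reader of netconn_secure_connect will not find the definition nearby. Move both `#define`s to file scope beside the MAKE_FUNCPTR declarations, with a comment such as `/* SSL_CTX_set_options/SSL_set_options are macros over SSL_CTX_ctrl/SSL_ctrl in this OpenSSL API, so wrap the loaded ctrl pointers the same way. */`. The return value of the ctrl call, the resulting option mask, is discarded; tracing it would help when a handshake fails because a protocol was disabled. netconn_init starts before this hunk and continues after it.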
> @@ -676,12 +744,18 @@ BOOL netconn_connect( netconn_t *conn, const struct sockaddr *sockaddr, unsigned
> BOOL netconn_secure_connect( netconn_t *conn, WCHAR *hostname )
> {
> #ifdef SONAME_LIBSSL
> + long tls_option;
> +
> if (!(conn->ssl_conn = pSSL_new( ctx )))
> {
> ERR("SSL_new failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
> set_last_error( ERROR_OUTOFMEMORY );
> goto fail;
> }
> +
> + tls_option = get_tls_option();
> + pSSL_set_options(conn->ssl_conn, tls_option);
> +
> if (!pSSL_set_ex_data( conn->ssl_conn, hostname_idx, hostname ))
> {
> ERR("SSL_set_ex_data failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
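Review bot: The `get_tls_option()` / `pSSL_set_options(conn->ssl_conn, tls_option)` pair added after the SSL_new check re-reads the registry for every secure connection and re-applies bits the SSL object already inherited from `ctx`, where netconn_init set the same mask; SSL_OP_* options only accumulate, so this call cannot change the outcome unless the registry was edited between the two reads. Either drop these lines and rely on the context-level setting, or keep only the per-connection call if picking up registry changes at runtime is the goal, and state the choice in a comment. netconn_secure_connect continues past the end of this hunk.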
>
>
>