proxmox-mirrors/libgit2
1
0
Fork 0
mirror of https://git.proxmox.com/git/libgit2 synced 2025-05-09 22:39:38 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

ssl: dump the SSL ciphers in favour of TLS

Browse Source 
All versions of SSL are considered deprecated now, so let's ask OpenSSl
to only use TLSv1. We still ask it to load those ciphers for
compatibility with servers which want to use an older hello but will use
TLS for encryption.

For good measure we also disable compression, which can be exploitable,
if the OpenSSL version supports it.
This commit is contained in:
Carlos Martín Nieto 2014-10-18 15:52:10 +02:00
parent 12e1803188
commit f0f9737094
1 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/global.c
View File

@ -71,7 +71,20 @@ static void init_ssl(void)
#ifdef GIT_SSL #ifdef GIT_SSL
SSL_load_error_strings(); SSL_load_error_strings();
OpenSSL_add_ssl_algorithms(); OpenSSL_add_ssl_algorithms();
/*
* Load SSLv{2,3} and TLSv1 so that we can talk with servers
* which use the SSL hellos, which are often used for
* compatibility. We then disable SSL so we only allow OpenSSL
* to speak TLSv1 to perform the encryption itself.
*/
git__ssl_ctx = SSL_CTX_new(SSLv23_method()); git__ssl_ctx = SSL_CTX_new(SSLv23_method());
SSL_CTX_set_options(git__ssl_ctx,
SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3
/* Older OpenSSL and MacOS OpenSSL doesn't have this */
# ifdef SSL_OP_NO_COMPRESSION
| SSL_OP_NO_COMPRESSION
# endif
);
SSL_CTX_set_mode(git__ssl_ctx, SSL_MODE_AUTO_RETRY); SSL_CTX_set_mode(git__ssl_ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_verify(git__ssl_ctx, SSL_VERIFY_NONE, NULL); SSL_CTX_set_verify(git__ssl_ctx, SSL_VERIFY_NONE, NULL);
if (!SSL_CTX_set_default_verify_paths(git__ssl_ctx)) { if (!SSL_CTX_set_default_verify_paths(git__ssl_ctx)) {