Eneas U de Queiroz [Mon, 5 Aug 2019 20:07:48 +0000 (17:07 -0300)]
Revise supported ciphersuites
CBC ciphersuites have been under scrutiny because of the many padding
oracle vulnerabilities that keep popping up; it seems that we won't be
able to patch up the inherent weakness of MAC-then-encrypt forever. They
have been blacklisted by HTTP/2, and recently dropped from Mozilla's
Security/Serverside TLS intermediate compatibility list:
https://wiki.mozilla.org/Security/Server_Side_TLS
This commit removes ECDSA-CBC ciphersuites. Basically, you can choose a
level of ciphersuite security, using the private-key type as a switch:
For RSA keys, CBC and RSA-key exchange ciphers will be enabled--mostly
matching Mozilla's Old backward compatibility list.
If you use an EC private key, then only ephemeral-key, authenticated
ciphers will be used, along the lines of what Mozilla's Intermediate
compatibility list prescribes.
The order does not match Mozilla's list 100% because in most embedded
systems, the server is going to be the least-capable machine. So,
chacha20-poly1305 is moved ahead of AES, and the cipher preference is
always given to the server. Also, DHE ciphers are not used for server.
The client list had the order changed to prioritize authenticated
ciphers, so DHE-chacha and DHE-GCM were moved ahead of ECDHE-CBC.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Eneas U de Queiroz [Mon, 5 Aug 2019 20:07:47 +0000 (17:07 -0300)]
wolfssl, openssl: use TLS 1.3, set ciphersuites
For wolfssl, instead of hard-coding TLS 1.2, use generic method and
disable older protocols, adding the necessary ciphersuites.
Openssl already had TLS 1.3 compatibility, but its ciphersuite ordering
needs a separate call, so this sets the ciphersuite preference when
using TLS 1.3.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Eneas U de Queiroz [Wed, 1 Aug 2018 13:59:13 +0000 (10:59 -0300)]
ustream-ssl: mbedtls: use chacha-poly ciphersuites
These ciphersuites were added in mbedtls v2.12.0,
so we may add them to the ustream-ssl ciphersuite list.
They were already part of the list for openssl and wolfssl.
Chacha20-Poly1305 is a 256-bit cipher with AEAD, much faster than AES on
CPUs without special AES instructions (the case for most embedded
chips).
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Eneas U de Queiroz via openwrt-devel [Fri, 27 Jul 2018 19:11:36 +0000 (19:11 +0000)]
openssl, wolfssl: match mbedTLS ciphersuite list
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.
To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Use the same ciphersuite list as mbedTLS.
wolfssl was not honoring setting the minimum protocol with
SSL_CTX_set_options, so we must use TLSv1_2_server_method.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Eneas U de Queiroz via openwrt-devel [Sat, 16 Jun 2018 04:04:52 +0000 (04:04 +0000)]
ustream-ssl: Revised security on mbedtls
I've revised the security options, and made them more uniform across the
ssl libraries.
- use only TLS 1.2 in server mode
- changed the ciphersuite ordering
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Eneas U de Queiroz via openwrt-devel [Sat, 16 Jun 2018 04:05:14 +0000 (04:05 +0000)]
ustream-ssl: add openssl-1.1.0 compatibility
Patch to compile ustream-ssl with openssl-1.1.0, maintaining
compatibility with openssl 1.0.2.
Fixed flag handling in ustream-io-openssl.c.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Daniel Golle [Thu, 24 May 2018 16:44:27 +0000 (18:44 +0200)]
don't use SSL_CTX_set_ecdh_auto with wolfSSL
SSL_CTX_set_ecdh_auto() isn't supported by wolfSSL (yet).
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Hauke Mehrtens [Mon, 21 May 2018 12:05:50 +0000 (14:05 +0200)]
mbedtls: Fix setting allowed cipher suites
The cipher suites should be set after the default settings are done,
otherwise the settings will be overwritten with the defaults later on
again.
Also make the list of supported cipher suites match what Chrome tries to
use.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hauke Mehrtens [Mon, 21 May 2018 12:02:44 +0000 (14:02 +0200)]
mbedtls: Add support for a session cache
This allows the client to reuse the settings from a previous session and
no full key exchange is needed.
The partial key exchange takes less than 0.1 seconds compared to over
a second needed for a full key exchange.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Rosen Penev [Sun, 1 Apr 2018 01:37:29 +0000 (18:37 -0700)]
ustream-ssl: Remove RC4 from ciphersuite in server mode.
SSLlabs complains that RC4 is enabled as it is insecure, thereby capping the grade to B.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Rosen Penev [Sun, 1 Apr 2018 01:37:28 +0000 (18:37 -0700)]
ustream-ssl: Enable ECDHE with OpenSSL.
When used with LuCI, SSLlabs complains that Forward Secrecy is not enabled and thus caps the score to a B.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Felix Fietkau [Mon, 9 Jan 2017 13:38:12 +0000 (14:38 +0100)]
remove polarssl support
polarssl (aka mbedTLS 1.3) has been EOL since end of 2016
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Florian Fainelli [Fri, 1 Jul 2016 23:04:51 +0000 (16:04 -0700)]
cmake: Find libubox/ustream.h header file
Add a CMake FIND_PATH and INCLUDE_DIRECTORIES searching for
libubox/ustream-ssl.h. Some external toolchains which do not include
standard locations would fail to find the header otherwise.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Karl Palsson [Mon, 6 Jun 2016 15:49:22 +0000 (15:49 +0000)]
ustream-ssl: cyassl compatibility with build time options
Adds a HAVE_CYASSL definition to be consistent with polar/mbedtls.
Uses that definition to include the wolfssl build time options.
This enables the correct pullin of the "remainder" of the wolfssl openssl
compatibility options, if they were enabled in the build of wolfssl in the
first place.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Felix Fietkau [Sun, 21 Feb 2016 20:28:58 +0000 (21:28 +0100)]
openssl: keep compatibility with older TLS/SSL protocols
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Sun, 21 Feb 2016 08:10:46 +0000 (09:10 +0100)]
openssl: force TLS v1.2 instead of v1
Fixes some connection issues
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Tue, 26 Jan 2016 00:06:12 +0000 (01:06 +0100)]
openssl: use 1.0.2 openssl API for host name validation
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Sat, 23 Jan 2016 18:37:57 +0000 (19:37 +0100)]
polarssl: fix handling SSL close notification
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Sat, 23 Jan 2016 18:37:13 +0000 (19:37 +0100)]
mbedtls: fix handling SSL close notification
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Tue, 19 Jan 2016 22:33:01 +0000 (23:33 +0100)]
mbedtls: sync with polarssl ciphersuite changes
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Tue, 19 Jan 2016 22:30:38 +0000 (23:30 +0100)]
polarssl: enable DHE in default client ciphersuite
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Fri, 15 Jan 2016 23:04:45 +0000 (00:04 +0100)]
polarssl: init certificate storage
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Fri, 15 Jan 2016 23:04:12 +0000 (00:04 +0100)]
polarssl: fix memory leak
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Fri, 15 Jan 2016 19:42:25 +0000 (20:42 +0100)]
add mbedtls variant
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Fri, 15 Jan 2016 17:29:31 +0000 (18:29 +0100)]
polarssl: remove support for version 1.2
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Fri, 15 Jan 2016 17:09:42 +0000 (18:09 +0100)]
polarssl: disable RC4 support (for security reasons)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Alexander Couzens [Thu, 6 Aug 2015 11:01:34 +0000 (13:01 +0200)]
ustream-ssl: make ustream_ssl.server_name const
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
Jo-Philipp Wich [Tue, 9 Jun 2015 16:50:08 +0000 (18:50 +0200)]
polarssl: add missing string include
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Luka Perkov [Sat, 11 Apr 2015 21:43:03 +0000 (23:43 +0200)]
polarssl: fix long writes
Enable to write more data than defined in SSL_MAX_CONTENT_LEN.
Signed-off-by: Luka Perkov <luka@openwrt.org>
Felix Fietkau [Mon, 30 Mar 2015 12:55:47 +0000 (14:55 +0200)]
polarssl: fix return code of entropy function
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Yousong Zhou [Tue, 11 Nov 2014 10:34:01 +0000 (18:34 +0800)]
cmake: Do not hardcode /opt/local/include for Apple.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Yousong Zhou [Tue, 11 Nov 2014 10:33:59 +0000 (18:33 +0800)]
examples: add .notify_write callback.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Christoph Ziebuhr [Mon, 1 Dec 2014 13:41:36 +0000 (14:41 +0100)]
Add support for Server Name Indication
Signed-off-by: Christoph Ziebuhr <chris@codefrickler.de>
Christoph Ziebuhr [Mon, 1 Dec 2014 13:41:35 +0000 (14:41 +0100)]
openssl: Fix host_pattern_match
Signed-off-by: Christoph Ziebuhr <chris@codefrickler.de>
Christoph Ziebuhr [Mon, 1 Dec 2014 13:41:34 +0000 (14:41 +0100)]
Fix ustream_ssl_poll
Signed-off-by: Christoph Ziebuhr <chris@codefrickler.de>
Felix Fietkau [Thu, 3 Apr 2014 21:15:04 +0000 (23:15 +0200)]
openssl: set quiet shutdown flag to ensure that shutdown always succeeds
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Thu, 3 Apr 2014 21:14:05 +0000 (23:14 +0200)]
openssl: un-inline ustream_ssl_session_free
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Thu, 3 Apr 2014 14:57:38 +0000 (16:57 +0200)]
openssl: fix subjectAltNames leak
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Thu, 3 Apr 2014 14:53:40 +0000 (16:53 +0200)]
openssl: free peer certificate after validating it
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Tue, 25 Mar 2014 15:03:44 +0000 (16:03 +0100)]
add missing include files
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Tue, 25 Mar 2014 15:03:27 +0000 (16:03 +0100)]
openssl: disable host CN checks for cyassl (TODO)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Tue, 25 Mar 2014 09:14:14 +0000 (10:14 +0100)]
polarssl: check us->notify_verify_error for NULL before calling it
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Tue, 25 Mar 2014 08:45:28 +0000 (09:45 +0100)]
ustream-example-client: fix usage information
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Tue, 25 Mar 2014 08:02:39 +0000 (09:02 +0100)]
implement certificate validation (including CN verification)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Fri, 21 Mar 2014 23:39:02 +0000 (00:39 +0100)]
fix CyaSSL build
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Mon, 17 Mar 2014 22:21:53 +0000 (23:21 +0100)]
Write pending data after connecting
fixes issues with incoming writes before the ssl negotiation is complete
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Sat, 15 Mar 2014 15:16:24 +0000 (16:16 +0100)]
add client example code
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Sat, 15 Mar 2014 15:01:06 +0000 (16:01 +0100)]
polarssl: enable client side ssl verification if a certificate was loaded
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Sat, 15 Mar 2014 13:23:49 +0000 (14:23 +0100)]
give the main context a type instead of making it void *
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Sat, 15 Mar 2014 12:59:07 +0000 (13:59 +0100)]
ustream-ssl: always check connection at the beginning of a session
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Sat, 15 Mar 2014 12:29:28 +0000 (13:29 +0100)]
ustream-server-example: close connection on error
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Sat, 15 Mar 2014 12:26:32 +0000 (13:26 +0100)]
example: rename to ustream-example-server
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Sat, 15 Mar 2014 12:19:01 +0000 (13:19 +0100)]
polarssl: fix error check on write
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Fri, 14 Mar 2014 13:20:59 +0000 (14:20 +0100)]
polarssl: add support for version 1.3
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Jo-Philipp Wich [Wed, 30 Oct 2013 12:53:45 +0000 (13:53 +0100)]
Add version detection of CyaSSL and make the cyassl backend compatible with both legacy and current CyaSSL versions
Felix Fietkau [Wed, 25 Sep 2013 07:06:36 +0000 (09:06 +0200)]
avoid installing internal header files
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Wed, 24 Jul 2013 16:36:11 +0000 (18:36 +0200)]
polarssl: disable perfect forward secrecy, it slows down each connection handshake by about 130 ms of cpu-bound activity
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Tue, 18 Jun 2013 10:47:18 +0000 (12:47 +0200)]
consume all data after a socket write error
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Mon, 4 Feb 2013 21:13:24 +0000 (22:13 +0100)]
add polarssl support
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Mon, 4 Feb 2013 16:41:54 +0000 (17:41 +0100)]
split cyassl and openssl sources, add ssl library abstraction
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Mon, 4 Feb 2013 19:25:22 +0000 (20:25 +0100)]
example: ignore SIGPIPE
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Wed, 23 Jan 2013 14:24:08 +0000 (15:24 +0100)]
build: remove install prefix override
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Tue, 22 Jan 2013 14:24:28 +0000 (15:24 +0100)]
fix read polling by putting the buffer prepare in a loop
allow user to process more than a single buffer's worth of data in one call
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Tue, 22 Jan 2013 12:38:35 +0000 (13:38 +0100)]
add s->poll wrapper
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Sun, 13 Jan 2013 08:59:58 +0000 (09:59 +0100)]
use libm with cyassl
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Sun, 13 Jan 2013 08:52:34 +0000 (09:52 +0100)]
remove commented out include/link directories
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Sun, 13 Jan 2013 08:41:55 +0000 (09:41 +0100)]
add copyright info and license
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Fri, 4 Jan 2013 22:17:35 +0000 (23:17 +0100)]
fix compile errors on linux
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Fri, 4 Jan 2013 17:27:05 +0000 (18:27 +0100)]
return -1/0 instead of ssl specific return codes when setting crt/key files
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Fri, 4 Jan 2013 16:37:49 +0000 (17:37 +0100)]
only export one symbol from the lib, containing a struct with all functions. useful for using ustream-ssl as a plugin
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Felix Fietkau [Thu, 27 Dec 2012 18:09:41 +0000 (19:09 +0100)]
install headers and library
Felix Fietkau [Tue, 23 Oct 2012 15:59:52 +0000 (17:59 +0200)]
fix logic inversion
Felix Fietkau [Tue, 23 Oct 2012 02:01:09 +0000 (04:01 +0200)]
Initial import