dovecot-2.2: openssl: optionally disable TLS compression

Thu Jul 3 16:19:13 UTC 2014

details:   http://hg.dovecot.org/dovecot-2.2/rev/cea292767b95
changeset: 17585:cea292767b95
user:      Phil Carmody <phil at dovecot.fi>
date:      Thu Jul 03 19:17:16 2014 +0300
description:
openssl: optionally disable TLS compression
Make ssl compression optional, but enabled by default. Other ssl options
might be tweakable in the future, so have a single ssl_options string,
and explode it into individual flags. (Compare postfix configuration.)
Based on an idea by Andreas Schulze <sca at andreasschulze.de>

Signed-off-by: Phil Carmody <phil at dovecot.fi>

diffstat:

 src/lib-master/master-service-ssl-settings.c    |  22 +++++++++++++++++++++-
 src/lib-master/master-service-ssl-settings.h    |   7 +++++++
 src/lib-master/master-service-ssl.c             |   1 +
 src/lib-ssl-iostream/iostream-openssl-context.c |   8 ++++++--
 src/lib-ssl-iostream/iostream-ssl.h             |   1 +
 src/login-common/ssl-proxy-openssl.c            |  10 +++++++---
 6 files changed, 43 insertions(+), 6 deletions(-)

diffs (154 lines):

diff -r 7a60541913e9 -r cea292767b95 src/lib-master/master-service-ssl-settings.c

--- a/src/lib-master/master-service-ssl-settings.c	Thu Jul 03 19:12:02 2014 +0300
+++ b/src/lib-master/master-service-ssl-settings.c	Thu Jul 03 19:17:16 2014 +0300
@@ -28,6 +28,7 @@
 	DEF(SET_BOOL, ssl_require_crl),
 	DEF(SET_BOOL, verbose_ssl),
 	DEF(SET_BOOL, ssl_prefer_server_ciphers),
+	DEF(SET_STR, ssl_options), /* parsed as a string to set bools */
 
 	SETTING_DEFINE_LIST_END
 };
@@ -49,7 +50,8 @@
 	.ssl_verify_client_cert = FALSE,
 	.ssl_require_crl = TRUE,
 	.verbose_ssl = FALSE,
-	.ssl_prefer_server_ciphers = FALSE
+	.ssl_prefer_server_ciphers = FALSE,
+	.ssl_options = "",
 };
 
 const struct setting_parser_info master_service_ssl_setting_parser_info = {
@@ -98,6 +100,24 @@
 		*error_r = "ssl_verify_client_cert set, but ssl_ca not";
 		return FALSE;
 	}
+
+	/* Now explode the ssl_options string into individual flags */
+	/* First set them all to defaults */
+	set->parsed_opts.compression = TRUE;
+
+	/* Then modify anything specified in the string */
+	const char **opts = t_strsplit_spaces(set->ssl_options, ", ");
+	const char *opt;
+	while ((opt = *opts++) != NULL) {
+		if (strcasecmp(opt, "no_compression") == 0) {
+			set->parsed_opts.compression = FALSE;
+		} else {
+			*error_r = t_strdup_printf("ssl_options: unknown flag: '%s'",
+						   opt);
+			return FALSE;
+		}
+	}
+
 	return TRUE;
 #endif
 }
diff -r 7a60541913e9 -r cea292767b95 src/lib-master/master-service-ssl-settings.h
--- a/src/lib-master/master-service-ssl-settings.h	Thu Jul 03 19:12:02 2014 +0300
+++ b/src/lib-master/master-service-ssl-settings.h	Thu Jul 03 19:17:16 2014 +0300
@@ -13,10 +13,17 @@
 	const char *ssl_protocols;
 	const char *ssl_cert_username_field;
 	const char *ssl_crypto_device;
+	const char *ssl_options;
+
 	bool ssl_verify_client_cert;
 	bool ssl_require_crl;
 	bool verbose_ssl;
 	bool ssl_prefer_server_ciphers;
+
+	/* These are derived from ssl_options, not set directly */
+	struct {
+		bool compression;
+	} parsed_opts;
 };
 
 extern const struct setting_parser_info master_service_ssl_setting_parser_info;
diff -r 7a60541913e9 -r cea292767b95 src/lib-master/master-service-ssl.c
--- a/src/lib-master/master-service-ssl.c	Thu Jul 03 19:12:02 2014 +0300
+++ b/src/lib-master/master-service-ssl.c	Thu Jul 03 19:17:16 2014 +0300
@@ -120,6 +120,7 @@
 	ssl_set.verbose = set->verbose_ssl;
 	ssl_set.verify_remote_cert = set->ssl_verify_client_cert;
 	ssl_set.prefer_server_ciphers = set->ssl_prefer_server_ciphers;
+	ssl_set.compression = set->parsed_opts.compression;
 
 	if (ssl_iostream_context_init_server(&ssl_set, &service->ssl_ctx,
 					     &error) < 0) {
diff -r 7a60541913e9 -r cea292767b95 src/lib-ssl-iostream/iostream-openssl-context.c
--- a/src/lib-ssl-iostream/iostream-openssl-context.c	Thu Jul 03 19:12:02 2014 +0300
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c	Thu Jul 03 19:17:16 2014 +0300
@@ -499,12 +499,16 @@
 				 const struct ssl_iostream_settings *set,
 				 const char **error_r)
 {
+	long ssl_ops = SSL_OP_NO_SSLv2 |
+		(SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+
 	ctx->pool = pool_alloconly_create("ssl iostream context", 4096);
 
 	/* enable all SSL workarounds, except empty fragments as it
 	   makes SSL more vulnerable against attacks */
-	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2 |
-			    (SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS));
+	if (!set->compression)
+		ssl_ops |= SSL_OP_NO_COMPRESSION;
+	SSL_CTX_set_options(ctx->ssl_ctx, ssl_ops);
 #ifdef SSL_MODE_RELEASE_BUFFERS
 	SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
 #endif
diff -r 7a60541913e9 -r cea292767b95 src/lib-ssl-iostream/iostream-ssl.h
--- a/src/lib-ssl-iostream/iostream-ssl.h	Thu Jul 03 19:12:02 2014 +0300
+++ b/src/lib-ssl-iostream/iostream-ssl.h	Thu Jul 03 19:17:16 2014 +0300
@@ -18,6 +18,7 @@
 	bool verify_remote_cert; /* neither/both */
 	bool require_valid_cert; /* stream-only */
 	bool prefer_server_ciphers;
+	bool compression;
 };
 
 /* Returns 0 if ok, -1 and sets error_r if failed. The returned error string
diff -r 7a60541913e9 -r cea292767b95 src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c	Thu Jul 03 19:12:02 2014 +0300
+++ b/src/login-common/ssl-proxy-openssl.c	Thu Jul 03 19:17:16 2014 +0300
@@ -101,6 +101,7 @@
 	const char *protocols;
 	bool verify_client_cert;
 	bool prefer_server_ciphers;
+	bool compression;
 };
 
 static int extdata_index;
@@ -640,6 +641,7 @@
 		login_set->auth_ssl_require_client_cert ||
 		login_set->auth_ssl_username_from_cert;
 	lookup_ctx.prefer_server_ciphers = set->ssl_prefer_server_ciphers;
+	lookup_ctx.compression = set->parsed_opts.compression;
 
 	ctx = hash_table_lookup(ssl_servers, &lookup_ctx);
 	if (ctx == NULL)
@@ -1011,11 +1013,12 @@
 {
 	X509_STORE *store;
 	STACK_OF(X509_NAME) *xnames = NULL;
-
 	/* enable all SSL workarounds, except empty fragments as it
 	   makes SSL more vulnerable against attacks */
-	SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL &
-			    ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+	long ssl_ops = SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+	if (!set->parsed_opts.compression)
+		ssl_ops |= SSL_OP_NO_COMPRESSION;
+	SSL_CTX_set_options(ssl_ctx, ssl_ops);
 
 #ifdef SSL_MODE_RELEASE_BUFFERS
 	SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
@@ -1286,6 +1289,7 @@
 		login_set->auth_ssl_require_client_cert ||
 		login_set->auth_ssl_username_from_cert;
 	ctx->prefer_server_ciphers = ssl_set->ssl_prefer_server_ciphers;
+	ctx->compression = ssl_set->parsed_opts.compression;
 
 	ctx->ctx = ssl_ctx = SSL_CTX_new(SSLv23_server_method());
 	if (ssl_ctx == NULL)
