From 381c8a6e362435ff427757083d9b09c2e949779f Mon Sep 17 00:00:00 2001
From: "yang.yu"
Date: Tue, 22 Mar 2022 17:25:58 +0800
Subject: [PATCH 1/5] feat: add options SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS and SSL_OP_TLS_BLOCK_PADDING_BUG
---
 ctx.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ctx.go b/ctx.go
index 33befc40..23db9a4f 100644
--- a/ctx.go
+++ b/ctx.go
@@ -372,6 +372,8 @@ const (
 CipherServerPreference Options = C.SSL_OP_CIPHER_SERVER_PREFERENCE
 NoSessionResumptionOrRenegotiation Options = C.SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
 NoTicket Options = C.SSL_OP_NO_TICKET
+ DontInsertEmptyFragments Options = C.SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+ TLSBlockPaddingBug Options = C.SSL_OP_TLS_BLOCK_PADDING_BUG
 )
 // SetOptions sets context options. See
From 2ad8cbf5e1566062c2825755515f3feb10312bfe Mon Sep 17 00:00:00 2001
From: "yang.yu"
Date: Wed, 23 Mar 2022 21:06:59 +0800
Subject: [PATCH 2/5] feat: add openssl version
---
 init.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/init.go b/init.go
index 17dc6f38..2a58b239 100644
--- a/init.go
+++ b/init.go
@@ -115,3 +115,5 @@ func errorFromErrorQueue() error {
 }
 return errors.New(fmt.Sprintf("SSL errors: %s", strings.Join(errs, "\n")))
 }
+
+const OpenSSLVersion string = C.OPENSSL_VERSION_TEXT
From c4356602440120ef6e9a4ab1193bbc6d1c9c5c58 Mon Sep 17 00:00:00 2001
From: yywing <386542536@qq.com>
Date: Wed, 23 Mar 2022 22:46:41 +0800
Subject: [PATCH 3/5] feat: support SSL_OP_NO_TLSv1_n
---
 ctx.go | 5 +++++
 shim.h | 4 ++++
 2 files changed, 9 insertions(+)
diff --git a/ctx.go b/ctx.go
index 23db9a4f..59915340 100644
--- a/ctx.go
+++ b/ctx.go
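Review bot: In PATCH 1/5 (ctx.go) `DontInsertEmptyFragments` is exported without a comment, although the OpenSSL manual describes `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` as switching off a countermeasure for the SSL 3.0/TLS 1.0 CBC weakness, unlike the restrictive `No*` options listed beside it. A caller reading the const block cannot tell that setting it weakens the connection. I would add `// DontInsertEmptyFragments disables OpenSSL's empty-fragment countermeasure for CBC ciphers in SSL 3.0/TLS 1.0; set it only for peers that cannot handle the fragments.` above it. For the second constant, `// TLSBlockPaddingBug is a legacy interoperability workaround that the OpenSSL manual lists as having no effect in current releases.` would do. The const block starts before the hunk.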
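Review bot: In PATCH 2/5 (init.go) `OpenSSLVersion` comes from the `OPENSSL_VERSION_TEXT` header macro, so it records the headers the package was compiled against and not the library that is loaded at run time when OpenSSL is linked dynamically. Anyone using it to decide whether a host runs a patched OpenSSL can get the wrong answer once the shared library is replaced. The exported constant also has no doc comment; I would add `// OpenSSLVersion is the version text of the OpenSSL headers this package was compiled against; the library loaded at run time may differ.` If the running version is what callers need, a function that asks the library would be the better export.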
@@ -369,11 +369,16 @@ const (
 NoSSLv2 Options = C.SSL_OP_NO_SSLv2
 NoSSLv3 Options = C.SSL_OP_NO_SSLv3
 NoTLSv1 Options = C.SSL_OP_NO_TLSv1
+ NoTLSv1_1 Options = C.SSL_OP_NO_TLSv1_1
+ NoTLSv1_2 Options = C.SSL_OP_NO_TLSv1_2
 CipherServerPreference Options = C.SSL_OP_CIPHER_SERVER_PREFERENCE
 NoSessionResumptionOrRenegotiation Options = C.SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
 NoTicket Options = C.SSL_OP_NO_TICKET
 DontInsertEmptyFragments Options = C.SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
 TLSBlockPaddingBug Options = C.SSL_OP_TLS_BLOCK_PADDING_BUG
+
+ // NoTLSv1_3 is only valid if you are using OpenSSL 1.1.1 or newer
+ NoTLSv1_3 Options = C.SSL_OP_NO_TLSv1_3
 )
 // SetOptions sets context options. See
diff --git a/shim.h b/shim.h
index b792822b..cc483798 100644
--- a/shim.h
+++ b/shim.h
@@ -37,6 +37,10 @@
 #define SSL_OP_NO_COMPRESSION 0
 #endif
+#ifndef SSL_OP_NO_TLSv1_3
+#define SSL_OP_NO_TLSv1_3 0
+#endif
+
 /* shim methods */
 extern int X_shim_init();
From 2128fe4cf8cc23c7cf241af75512fb541a76167c Mon Sep 17 00:00:00 2001
From: "yang.yu"
Date: Fri, 25 Mar 2022 13:30:48 +0800
Subject: [PATCH 4/5] feat: add tls check flag
---
 init.go | 4 ++++
 shim.h | 12 ++++++++++++
 2 files changed, 16 insertions(+)
diff --git a/init.go b/init.go
index 2a58b239..480adcd7 100644
--- a/init.go
+++ b/init.go
@@ -117,3 +117,7 @@ func errorFromErrorQueue() error {
 }
 const OpenSSLVersion string = C.OPENSSL_VERSION_TEXT
+
+// 1 for enable
+const SSL3Enable int = C.X_SSL3_ENABLE
+const TLS1Enable int = C.X_TLS1_ENABLE
diff --git a/shim.h b/shim.h
index cc483798..08ca63c6 100644
--- a/shim.h
+++ b/shim.h
@@ -33,6 +33,18 @@
 #define SSL_MODE_RELEASE_BUFFERS 0
 #endif
+#ifndef OPENSSL_NO_SSL3_METHOD
+#define X_SSL3_ENABLE 1
+#else
+#define X_SSL3_ENABLE 0
+#endif
+
+#ifndef OPENSSL_NO_TLS1_METHOD
+#define X_TLS1_ENABLE 1
+#else
+#define X_TLS1_ENABLE 0
+#endif
+
 #ifndef SSL_OP_NO_COMPRESSION
 #define SSL_OP_NO_COMPRESSION 0
 #endif
From 32a94b5df7506851b3e34d27458c2bdcde583c40 Mon Sep 17 00:00:00 2001
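Review bot: The comment on `NoTLSv1_3` in PATCH 3/5 (ctx.go) says the option is only valid on OpenSSL 1.1.1 or newer but not what happens otherwise: with the `#define SSL_OP_NO_TLSv1_3 0` fallback this patch adds to shim.h, the constant compiles to 0, so passing it presumably changes nothing and reports no error. I would state that outright, e.g. `// NoTLSv1_3 disables TLS 1.3. When built against OpenSSL older than 1.1.1 it is 0 and has no effect.` A line above `NoTLSv1_1` should also note that these per-version switches only subtract versions and that the OpenSSL manual marks them deprecated from 1.1.0 in favour of a minimum/maximum protocol version. The const block begins before the hunk.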
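Review bot: `// 1 for enable` in PATCH 4/5 (init.go) is not a Go doc comment for either constant, and as placed it attaches only to `SSL3Enable`. Both values are fixed when the package is compiled and, going by the shim.h macros in this patch, say only whether the OpenSSL headers kept the version-specific method; they do not show that a context will actually negotiate SSLv3 or TLS 1.0. I would give each constant its own comment, e.g. `// SSL3Enable is 1 when the OpenSSL headers used at build time provide the SSLv3 method, and 0 otherwise.` Exporting booleans instead of ints would also stop callers comparing against the wrong value.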
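Review bot: In PATCH 4/5 (shim.h) `X_SSL3_ENABLE` and `X_TLS1_ENABLE` test only `OPENSSL_NO_SSL3_METHOD` and `OPENSSL_NO_TLS1_METHOD`. OpenSSL also defines `OPENSSL_NO_SSL3` and `OPENSSL_NO_TLS1` when the protocol itself is compiled out, and if a build sets those without the `_METHOD` variant the flag would report 1 for a protocol the library cannot speak; I have not confirmed which combinations OpenSSL's configuration permits. Checking both is cheap: `#if !defined(OPENSSL_NO_SSL3) && !defined(OPENSSL_NO_SSL3_METHOD)`, and the same pattern for TLS1.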
From: "yang.yu"
Date: Fri, 25 Mar 2022 13:38:06 +0800
Subject: [PATCH 5/5] feat: no load config
---
 shim.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shim.c b/shim.c
index 6e680841..36f3e5c8 100644
--- a/shim.c
+++ b/shim.c
@@ -375,7 +375,7 @@ int X_PEM_write_bio_PrivateKey_traditional(BIO *bio, EVP_PKEY *key, const EVP_CI
 int X_shim_init() {
 int rc = 0;
- OPENSSL_config(NULL);
+ OPENSSL_no_config();
 ENGINE_load_builtin_engines();
 SSL_load_error_strings();
 SSL_library_init();
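Review bot: Swapping `OPENSSL_config(NULL)` for `OPENSSL_no_config()` in `X_shim_init` changes behaviour for every user of the package, and neither the code nor the commit message says why. Once the default configuration file is no longer read, whatever an administrator set there (engines, system-wide protocol or cipher policy) stops applying to processes using this binding, so their TLS settings can drift from the rest of the host without any warning. If skipping the file is intended, record it at the call, e.g. `/* Deliberately do not load openssl.cnf; system-wide OpenSSL settings are not applied. */`, and mention it in the release notes. The OpenSSL manual marks both calls deprecated from 1.1.0, so the initialisation-settings API is the longer-term replacement. `X_shim_init` continues past the end of the hunk.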