char const *comment;
} libssl_defect_t;
-/* Record critical defects in libssl here (newest first)*/
+/* Record critical defects in libssl here, new versions of OpenSSL to older versions of OpenSSL. */
static libssl_defect_t libssl_defects[] =
{
{
- .low = 0x010001000, /* 1.0.1 */
- .high = 0x01000106f, /* 1.0.1f */
- .id = "CVE-2014-0160",
- .name = "Heartbleed",
- .comment = "For more information see http://heartbleed.com"
+ .low = 0x01010101f, /* 1.1.0a */
+ .high = 0x01010101f, /* 1.1.0a */
+ .id = "CVE-2016-6309",
+ .name = "OCSP status request extension",
+ .comment = "For more information see https://www.openssl.org/news/secadv/20160926.txt"
},
{
- .low = 0x01000100f, /* 1.0.1 */
- .high = 0x01000114f, /* 1.0.1t */
+ .low = 0x01010100f, /* 1.1.0 */
+ .high = 0x01010100f, /* 1.1.0 */
.id = "CVE-2016-6304",
.name = "OCSP status request extension",
.comment = "For more information see https://www.openssl.org/news/secadv/20160922.txt"
},
{
+ .low = 0x01000209f, /* 1.0.2i */
+ .high = 0x01000209f, /* 1.0.2i */
+ .id = "CVE-2016-7052",
+ .name = "OCSP status request extension",
+ .comment = "For more information see https://www.openssl.org/news/secadv/20160926.txt"
+ },
+ {
.low = 0x01000200f, /* 1.0.2 */
.high = 0x01000208f, /* 1.0.2h */
.id = "CVE-2016-6304",
.comment = "For more information see https://www.openssl.org/news/secadv/20160922.txt"
},
{
- .low = 0x01010100f, /* 1.1.0 */
- .high = 0x01010100f, /* 1.1.0 */
+ .low = 0x01000100f, /* 1.0.1 */
+ .high = 0x01000114f, /* 1.0.1t */
.id = "CVE-2016-6304",
.name = "OCSP status request extension",
.comment = "For more information see https://www.openssl.org/news/secadv/20160922.txt"
},
+ {
+ .low = 0x010001000, /* 1.0.1 */
+ .high = 0x01000106f, /* 1.0.1f */
+ .id = "CVE-2014-0160",
+ .name = "Heartbleed",
+ .comment = "For more information see http://heartbleed.com"
+ },
};
#endif /* ENABLE_OPENSSL_VERSION_CHECK */
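Review bot: The new 1.1.0a entry at the top of the table encodes its bounds as `0x01010101f`, which by the layout the rest of the table uses (1.0.2 = `0x01000200f`, 1.0.1 = `0x01000100f`, i.e. second digit pair is the minor, third is the fix level) denotes 1.1.1a rather than 1.1.0a; the moved 1.1.0 entry carries the same shift (`0x01010100f` is 1.1.1), so neither range would match a linked 1.1.0 or 1.1.0a libssl and CVE-2016-6309 / CVE-2016-6304 would go unreported on exactly the versions they target. If these values are meant to be compared against OPENSSL_VERSION_NUMBER (MNNFFPPS), 1.1.0 is `0x01010000f` and 1.1.0a is `0x01010001f`; please confirm against the macro and correct both entries. The rewritten header comment also reads awkwardly; `/* Record critical defects in libssl here, ordered from newest OpenSSL version to oldest. */` states what the reordering implements. The `libssl_defect_t` declaration begins outside the hunk.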
return ssn;
}
-
/** Create a new TLS session
*
* Configures a new TLS session, configuring options, setting callbacks etc...
bool bad = false;
size_t i;
+ return 0; /* Painless Security customization */
+
if (strcmp(acknowledged, "yes") == 0) return 0;
/* Check for bad versions */
/*
* If the CVE is acknowledged, allow it.
*/
- if (strcmp(acknowledged, defect->name) == 0) return 0;
+ if (!bad && (strcmp(acknowledged, defect->id) == 0)) return 0;
ERROR("Refusing to start with libssl version %s (in range %s)",
ssl_version(), ssl_version_range(defect->low, defect->high));
ERROR("Security advisory %s (%s)", defect->id, defect->name);
ERROR("%s", defect->comment);
- INFO("Once you have verified libssl has been correctly patched, "
- "set security.allow_vulnerable_openssl = '%s'", defect->id);
+ /*
+ * Only warn about the first one...
+ */
+ if (!bad) {
+ INFO("Once you have verified libssl has been correctly patched, "
+ "set security.allow_vulnerable_openssl = '%s'", defect->id);
- bad = true;
+ bad = true;
+ }
}
}
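Review bot: The added `return 0; /* Painless Security customization */` near the top of the hunk exits before the `acknowledged` comparison and the defect loop run, so every line after it is unreachable and the libssl version check — including the reworked acknowledgement test on `defect->id` — never executes; the server will start against any libssl in the defect table with no ERROR or INFO output, and `security.allow_vulnerable_openssl` no longer has any effect. If the intent is to disable the check for this build, doing so under the existing `ENABLE_OPENSSL_VERSION_CHECK` conditional, or behind a configuration option, keeps the decision visible at compile or configuration time, and a logged line such as `INFO("libssl version check disabled")` would leave a trace in the startup log; otherwise the early return should be dropped so the table is consulted. A compiler with unreachable-code warnings enabled will presumably also flag the dead code that follows it. The enclosing function and the defect loop both begin and end outside the hunk.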