NetBSD-Bugs archive


bin/58878: bozohttpd rejects tls1.1 and tls1.2 by default



>Number:         58878
>Category:       bin
>Synopsis:       bozohttpd rejects tls1.1 and tls1.2 by default
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Dec 06 01:05:00 +0000 2024
>Originator:     Taylor R Campbell
>Release:        current, 10
>Organization:
The NetBozo1.3 Foundation
>Environment:
>Description:
Since merging support for restricting TLS versions as part of https://gnats.netbsd.org/55830, bozohttpd(8) has defaulted to _rejecting_ TLSv1.1 and TLSv1.2 by default, accepting only TLSv1.3.

     79 /* Default to TLS 1.3. */
     80 struct {
     81 	unsigned	proto;
     82 	const char	*name;
     83 } protos[] = {
     84 	{ TLS1_3_VERSION, "TLSv1.3" },
     85 	{ TLS1_2_VERSION, "TLSv1.2" },
     86 	{ TLS1_1_VERSION, "TLSv1.1" },
     87 	{ 0, NULL },
     88 };
     89 
     90 static int
     91 bozo_ssl_proto(const char *name)
     92 {
     93 	unsigned i;
     94 
     95 	if (name)
     96 		for (i = 0; protos[0].proto != 0; i++)
     97 			if (strcasecmp(name, protos[i].name) == 0)
     98 				return protos[i].proto;
     99 	return protos[0].proto;
    100 }

https://nxr.netbsd.org/xref/src/libexec/httpd/ssl-bozo.c?r=1.34#79

    265 	proto = bozo_ssl_proto(httpd->ssl_min_proto);
    266 
    267 	if (!SSL_CTX_set_min_proto_version(sslinfo->ssl_context, proto))

https://nxr.netbsd.org/xref/src/libexec/httpd/ssl-bozo.c?r=1.34#265

Thus, if you don't specify `bozohttpd -m TLSv1.1', bozohttpd will reject TLSv1.1 and TLSv1.2.
>How-To-Repeat:
1. run bozohttpd at example.com
2. curl --head --tls-max 1.1 https://example.com
>Fix:
Yes, please!

I think it would be reasonable to defer the default choice to OpenSSL instead of insisting on TLSv1.3.  (While TLSv1.3 is certainly better than 1.1 and 1.2, there are plenty of clients that still use those -- like Fastly...  They aren't quite as obsolete as SSLv2 or SSLv3 are today.)
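As an added example (not bozohttpd's code and not a patch from the reporter), here is a lookup written in the spirit of the suggestion above: with no -m argument it returns 0, which SSL_CTX_set_min_proto_version() treats as "the lowest version the library supports", so the floor is left to OpenSSL rather than pinned to protos[0]. It also tests protos[i] instead of protos[0] in the loop condition so the { 0, NULL } terminator actually ends the walk; the function name bozo_ssl_proto_fixed and the -1 return for an unrecognized name are assumptions of this example.

```c
/* Added example, not bozohttpd's code: a corrected bozo_ssl_proto() that
 * defers the default to OpenSSL and terminates its table walk correctly. */
#include <stddef.h>
#include <strings.h>

/* Version numbers as defined in OpenSSL's <openssl/ssl.h>, copied here so the
 * example builds without the OpenSSL headers installed. */
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

/* Passing 0 to SSL_CTX_set_min_proto_version() means "lowest version the
 * library supports", i.e. OpenSSL's own default rather than a hard floor. */
#define PROTO_LIBRARY_DEFAULT 0

static const struct {
	unsigned	proto;
	const char	*name;
} protos[] = {
	{ TLS1_3_VERSION, "TLSv1.3" },
	{ TLS1_2_VERSION, "TLSv1.2" },
	{ TLS1_1_VERSION, "TLSv1.1" },
	{ 0, NULL },
};

/*
 * Map the -m argument to a minimum protocol version:
 *  - name == NULL (no -m given): 0, so OpenSSL picks its own default;
 *  - a known name: that version's constant;
 *  - an unknown name: -1, so the caller can reject the configuration
 *    instead of silently applying a floor the operator did not ask for.
 * The loop condition tests protos[i].proto rather than protos[0].proto, so
 * the { 0, NULL } terminator really ends the walk.
 */
int
bozo_ssl_proto_fixed(const char *name)
{
	unsigned i;

	if (name == NULL)
		return PROTO_LIBRARY_DEFAULT;
	for (i = 0; protos[i].proto != 0; i++)
		if (strcasecmp(name, protos[i].name) == 0)
			return (int)protos[i].proto;
	return -1;
}
```

The caller would then pass the result to SSL_CTX_set_min_proto_version() only when it is not -1, and a 0 leaves the minimum at whatever the linked OpenSSL build allows.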


