From fe85238ef758d1adead72be009d07c597fdba0bb Mon Sep 17 00:00:00 2001 From: Jung-uk Kim Date: Tue, 24 Nov 2020 22:10:33 +0000 Subject: [PATCH] Remove support for SSLv3 from fetch(3). Support for SSLv3 was already removed from OpenSSL (r361392). Differential Revision: https://reviews.freebsd.org/D24947 --- lib/libfetch/common.c | 4 +--- lib/libfetch/fetch.3 | 8 ++------ 2 files changed, 3 insertions(+), 9 deletions(-) diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c index 7b08391b4799..628ab69612f7 100644 --- a/lib/libfetch/common.c +++ b/lib/libfetch/common.c @@ -1054,9 +1054,7 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose) { long ssl_ctx_options; - ssl_ctx_options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_TICKET; - if (getenv("SSL_ALLOW_SSL3") == NULL) - ssl_ctx_options |= SSL_OP_NO_SSLv3; + ssl_ctx_options = SSL_OP_ALL | SSL_OP_NO_SSLv3 | SSL_OP_NO_TICKET; if (getenv("SSL_NO_TLS1") != NULL) ssl_ctx_options |= SSL_OP_NO_TLSv1; if (getenv("SSL_NO_TLS1_1") != NULL) diff --git a/lib/libfetch/fetch.3 b/lib/libfetch/fetch.3 index fe99e56da71c..cb37c08593d6 100644 --- a/lib/libfetch/fetch.3 +++ b/lib/libfetch/fetch.3 @@ -26,7 +26,7 @@ .\" .\" $FreeBSD$ .\" -.Dd August 28, 2019 +.Dd November 24, 2020 .Dt FETCH 3 .Os .Sh NAME @@ -465,12 +465,10 @@ By default allows TLSv1 and newer when negotiating the connecting with the remote peer. You can change this behavior by setting the -.Ev SSL_ALLOW_SSL3 -environment variable to allow SSLv3 and .Ev SSL_NO_TLS1 , .Ev SSL_NO_TLS1_1 and .Ev SSL_NO_TLS1_2 -to disable TLS 1.0, 1.1 and 1.2 respectively. +environment variables to disable TLS 1.0, 1.1 and 1.2 respectively. .Sh AUTHENTICATION Apart from setting the appropriate environment variables and specifying the user name and password in the URL or the @@ -675,8 +673,6 @@ IPv6 addresses must enclose the address in brackets. If no port is specified, the default is 1080. This setting will supercede a connection to an .Ev HTTP_PROXY . -.It Ev SSL_ALLOW_SSL3 -Allow SSL version 3 when negotiating the connection (not recommended). .It Ev SSL_CA_CERT_FILE CA certificate bundle containing trusted CA certificates. Default value: See HTTPS SCHEME above.