svn commit: r368000 - head/lib/libfetch
Jung-uk Kim
jkim at FreeBSD.org
Tue Nov 24 22:10:34 UTC 2020
Author: jkim
Date: Tue Nov 24 22:10:33 2020
New Revision: 368000
URL: https://svnweb.freebsd.org/changeset/base/368000
Log:
Remove support for SSLv3 from fetch(3).
Support for SSLv3 was already removed from OpenSSL (r361392).
Differential Revision: https://reviews.freebsd.org/D24947
Modified:
head/lib/libfetch/common.c
head/lib/libfetch/fetch.3
Modified: head/lib/libfetch/common.c
==============================================================================
--- head/lib/libfetch/common.c Tue Nov 24 21:45:38 2020 (r367999)
+++ head/lib/libfetch/common.c Tue Nov 24 22:10:33 2020 (r368000)
@@ -1054,9 +1054,7 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verb
{
long ssl_ctx_options;
- ssl_ctx_options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_TICKET;
- if (getenv("SSL_ALLOW_SSL3") == NULL)
- ssl_ctx_options |= SSL_OP_NO_SSLv3;
+ ssl_ctx_options = SSL_OP_ALL | SSL_OP_NO_SSLv3 | SSL_OP_NO_TICKET;
if (getenv("SSL_NO_TLS1") != NULL)
ssl_ctx_options |= SSL_OP_NO_TLSv1;
if (getenv("SSL_NO_TLS1_1") != NULL)
Modified: head/lib/libfetch/fetch.3
==============================================================================
--- head/lib/libfetch/fetch.3 Tue Nov 24 21:45:38 2020 (r367999)
+++ head/lib/libfetch/fetch.3 Tue Nov 24 22:10:33 2020 (r368000)
@@ -26,7 +26,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd August 28, 2019
+.Dd November 24, 2020
.Dt FETCH 3
.Os
.Sh NAME
@@ -465,12 +465,10 @@ By default
allows TLSv1 and newer when negotiating the connecting with the remote
peer.
You can change this behavior by setting the
-.Ev SSL_ALLOW_SSL3
-environment variable to allow SSLv3 and
.Ev SSL_NO_TLS1 ,
.Ev SSL_NO_TLS1_1 and
.Ev SSL_NO_TLS1_2
-to disable TLS 1.0, 1.1 and 1.2 respectively.
+environment variables to disable TLS 1.0, 1.1 and 1.2 respectively.
.Sh AUTHENTICATION
Apart from setting the appropriate environment variables and
specifying the user name and password in the URL or the
@@ -675,8 +673,6 @@ IPv6 addresses must enclose the address in brackets.
If no port is specified, the default is 1080.
This setting will supercede a connection to an
.Ev HTTP_PROXY .
-.It Ev SSL_ALLOW_SSL3
-Allow SSL version 3 when negotiating the connection (not recommended).
.It Ev SSL_CA_CERT_FILE
CA certificate bundle containing trusted CA certificates.
Default value: See HTTPS SCHEME above.
More information about the svn-src-all
mailing list