Re: winhttp: disable TLSv1.1/1.2 by default
On Sun, Aug 26, 2012 at 11:50:15AM +0900, Hiroshi Miura wrote:
Windows 7 disables TLSv1.1/1.2 by default. This patch intends to behave the same as Windows.
Please do not... The newer TLSv1.x versions fix some shortcomings of the older TLS versions. Is there a specific problem you see? Otherwise, I object. Ciao, Marcus
Signed-off-by: Hiroshi Miura <miurahr(a)linux.com> --- dlls/winhttp/net.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+)
diff --git a/dlls/winhttp/net.c b/dlls/winhttp/net.c
index 5ec4e1a..03cf9b7 100644
--- a/dlls/winhttp/net.c
+++ b/dlls/winhttp/net.c
@@ -52,6 +52,7 @@
 #include "winbase.h"
 #include "winhttp.h"
 #include "wincrypt.h"
+#include "winreg.h"
#include "winhttp_private.h"
@@ -109,8 +110,10 @@ MAKE_FUNCPTR( SSL_load_error_strings );
 MAKE_FUNCPTR( SSLv23_method );
 MAKE_FUNCPTR( SSL_CTX_free );
 MAKE_FUNCPTR( SSL_CTX_new );
+MAKE_FUNCPTR( SSL_CTX_ctrl );
 MAKE_FUNCPTR( SSL_new );
 MAKE_FUNCPTR( SSL_free );
+MAKE_FUNCPTR( SSL_ctrl );
 MAKE_FUNCPTR( SSL_set_fd );
 MAKE_FUNCPTR( SSL_connect );
 MAKE_FUNCPTR( SSL_shutdown );
@@ -408,12 +411,66 @@ static int netconn_secure_verify( int preverify_ok, X509_STORE_CTX *ctx )
 }
 return ret;
 }
+
+static long get_tls_option(void) {
+ long tls_option;
+ DWORD type, val, size;
+ HKEY hkey,tls12_client,tls11_client;
+ LONG res;
+ const WCHAR Schannel_Prot[] = { /* SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCANNEL\\Protocols */
+ 'S','Y','S','T','E','M','\\',
+ 'C','u','r','r','e','n','t','C','o','n','t','r','o','l','S','e','t','\\',
+ 'C','o','n','t','r','o','l','\\',
+ 'S','e','c','u','r','i','t','y','P','r','o','v','i','d','e','r','s','\\',
+ 'S','C','H','A','N','N','E','L','\\',
+ 'P','r','o','t','o','c','o','l','s',0 };
+ const WCHAR TLS12_Client[] = {'T','L','S',' ','1','.','2','\\','C','l','i','e','n','t',0};
+ const WCHAR TLS11_Client[] = {'T','L','S',' ','1','.','1','\\','C','l','i','e','n','t',0};
+ const WCHAR DisabledByDefault[] = {'D','i','s','a','b','l','e','d','B','y','D','e','f','a','u','l','t',0};
+
+ tls_option = SSL_OP_NO_SSLv2; /* disable SSLv2 for security reason, and secur32/Schannel(GnuTLS) don't support it */
+ res = RegOpenKeyExW(HKEY_LOCAL_MACHINE,
+ Schannel_Prot,
+ 0, KEY_READ, &hkey);
+ if (res != ERROR_SUCCESS) {
+ tls_option |= SSL_OP_NO_TLSv1_2;
+ tls_option |= SSL_OP_NO_TLSv1_1;
+ goto end;
+ }
+ if (RegOpenKeyExW(hkey, TLS12_Client, 0, KEY_READ, &tls12_client) == ERROR_SUCCESS) {
+ size = sizeof(DWORD);
+ if (RegQueryValueExW(tls12_client, DisabledByDefault, NULL, &type, (LPBYTE) &val, &size) || type != REG_DWORD) {
+ tls_option |= SSL_OP_NO_TLSv1_2;
+ } else {
+ tls_option |= val?SSL_OP_NO_TLSv1_2:0;
+ }
+ RegCloseKey(tls12_client);
+ } else {
+ tls_option |= SSL_OP_NO_TLSv1_2;
+ }
+ if (RegOpenKeyExW(hkey, TLS11_Client, 0, KEY_READ, &tls11_client) == ERROR_SUCCESS) {
+ size = sizeof(DWORD);
+ if (RegQueryValueExW(tls11_client, DisabledByDefault, NULL, &type, (LPBYTE) &val, &size) || type != REG_DWORD) {
+ tls_option |= SSL_OP_NO_TLSv1_1;
+ } else {
+ tls_option |= val?SSL_OP_NO_TLSv1_1:0;
+ }
+ RegCloseKey(tls11_client);
+ } else {
+ tls_option |= SSL_OP_NO_TLSv1_1;
+ }
+ RegCloseKey(hkey);
+
+end:
+ return tls_option;
+}
 #endif
BOOL netconn_init( netconn_t *conn, BOOL secure ) { #if defined(SONAME_LIBSSL) && defined(SONAME_LIBCRYPTO) int i; + long tls_option; #endif
conn->socket = -1;
@@ -453,8 +510,10 @@ BOOL netconn_init( netconn_t *conn, BOOL secure )
 LOAD_FUNCPTR( SSLv23_method );
 LOAD_FUNCPTR( SSL_CTX_free );
 LOAD_FUNCPTR( SSL_CTX_new );
+ LOAD_FUNCPTR (SSL_CTX_ctrl);
 LOAD_FUNCPTR( SSL_new );
 LOAD_FUNCPTR( SSL_free );
+ LOAD_FUNCPTR( SSL_ctrl );
 LOAD_FUNCPTR( SSL_set_fd );
 LOAD_FUNCPTR( SSL_connect );
 LOAD_FUNCPTR( SSL_shutdown );
@@ -494,11 +553,20 @@ BOOL netconn_init( netconn_t *conn, BOOL secure )
 LOAD_FUNCPTR( sk_num );
 #undef LOAD_FUNCPTR
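Review bot: The TLS 1.2 and TLS 1.1 lookups in get_tls_option are the same twelve lines twice, differing only in the subkey literal and the SSL_OP_NO_TLSv1_x bit; a helper taking the Protocols key, the Client subkey and the value name would state the "missing key, unreadable value or non-DWORD counts as disabled" rule once instead of across four branches, and `res` could go, since the two inner lookups already test the call result directly. The comment on the Schannel_Prot literal spells `SCANNEL` while the array spells `SCHANNEL`. Only DisabledByDefault is consulted; whether the Schannel `Enabled` value under the same Client subkeys should be honoured as well is worth confirming against Windows before this is merged. netconn_init, whose `long tls_option` declaration this hunk also adds, continues outside the hunk.
```c
/* TRUE when protocols\<subkey>\<value> is a non-zero DWORD, or when the subkey
 * or value cannot be read: an absent setting is treated as "disabled". */
static BOOL tls_client_disabled( HKEY protocols, const WCHAR *subkey, const WCHAR *value )
{
    HKEY key;
    DWORD type, val, size = sizeof(val);
    BOOL disabled = TRUE;

    if (RegOpenKeyExW( protocols, subkey, 0, KEY_READ, &key ) != ERROR_SUCCESS) return TRUE;
    if (RegQueryValueExW( key, value, NULL, &type, (LPBYTE)&val, &size ) == ERROR_SUCCESS && type == REG_DWORD)
        disabled = (val != 0);
    RegCloseKey( key );
    return disabled;
}

static long get_tls_option(void)
{
    HKEY hkey;
    long tls_option = SSL_OP_NO_SSLv2; /* disable SSLv2 for security reason, and secur32/Schannel(GnuTLS) don't support it */
    /* … unchanged: Schannel_Prot, TLS12_Client, TLS11_Client, DisabledByDefault literals … */

    if (RegOpenKeyExW( HKEY_LOCAL_MACHINE, Schannel_Prot, 0, KEY_READ, &hkey ) != ERROR_SUCCESS)
        return tls_option | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_1;

    if (tls_client_disabled( hkey, TLS12_Client, DisabledByDefault )) tls_option |= SSL_OP_NO_TLSv1_2;
    if (tls_client_disabled( hkey, TLS11_Client, DisabledByDefault )) tls_option |= SSL_OP_NO_TLSv1_1;
    RegCloseKey( hkey );
    return tls_option;
}
```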
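Review bot: `LOAD_FUNCPTR (SSL_CTX_ctrl);` puts the space before the parenthesis instead of inside it, unlike every neighbouring line and the `LOAD_FUNCPTR( SSL_ctrl );` added two lines later; write it `LOAD_FUNCPTR( SSL_CTX_ctrl );`. netconn_init continues on both sides of the hunk.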
+#define pSSL_CTX_set_options(ctx,op) \ + pSSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL) +#define pSSL_set_options(ssl,op) \ + pSSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL) + pSSL_library_init(); pSSL_load_error_strings();
method = pSSLv23_method(); ctx = pSSL_CTX_new( method ); + + tls_option = get_tls_option(); + pSSL_CTX_set_options(ctx, tls_option); + if (!pSSL_CTX_set_default_verify_paths( ctx )) { ERR("SSL_CTX_set_default_verify_paths failed: %s\n", pERR_error_string( pERR_get_error(), 0 )); @@ -676,12 +744,18 @@ BOOL netconn_connect( netconn_t *conn, const struct sockaddr *sockaddr, unsigned BOOL netconn_secure_connect( netconn_t *conn, WCHAR *hostname ) { #ifdef SONAME_LIBSSL + long tls_option; + if (!(conn->ssl_conn = pSSL_new( ctx ))) { ERR("SSL_new failed: %s\n", pERR_error_string( pERR_get_error(), 0 )); set_last_error( ERROR_OUTOFMEMORY ); goto fail; } + + tls_option = get_tls_option(); + pSSL_set_options(conn->ssl_conn, tls_option); + if (!pSSL_set_ex_data( conn->ssl_conn, hostname_idx, hostname )) { ERR("SSL_set_ex_data failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
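Review bot: The `pSSL_CTX_set_options` and `pSSL_set_options` macros are defined in the middle of netconn_init's body, right after `#undef LOAD_FUNCPTR`, yet `pSSL_set_options` is used in netconn_secure_connect further down the file; that only works because of preprocessor definition order, so the two #defines belong next to the MAKE_FUNCPTR declarations where the other pSSL_* names live. `pSSL_CTX_set_options(ctx, tls_option);` also runs straight after `ctx = pSSL_CTX_new( method );` with no NULL test of `ctx` in the visible context; the pre-existing `pSSL_CTX_set_default_verify_paths( ctx )` call has the same gap, but the new line is one more place a failed allocation would be dereferenced, so a `if (!ctx) { ERR(...); goto fail-path; }` before it would be appropriate if the rest of the function does not already handle it. netconn_init continues outside the hunk.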
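Review bot: The per-connection `tls_option = get_tls_option(); pSSL_set_options(conn->ssl_conn, tls_option);` repeats work netconn_init already did on the shared ctx: SSL_new copies the option mask from its SSL_CTX, so these lines re-read the registry on every secure connection only to OR in bits that are already set. Either drop them together with the `long tls_option` local, or, if re-reading the registry per connection is intended so that policy changes take effect without reloading the module, say so in a comment such as `/* re-read Schannel policy per connection; ctx options are only a default */` and drop the ctx-level call instead. netconn_secure_connect continues outside the hunk.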