github
/
aria2
mirror of https://github.com/aria2/aria2
1
0
Fork 0
Code Issues Releases Wiki Activity

Warn about insecure SSL connections. 

Fixed GH-313
pull/314/head
Nils Maier 2014-12-12 09:57:25 +01:00
parent 811c0f758d
commit c5c38bf3a4
5 changed files with 87 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
src/AppleTLSSession.cc
View File

@ -43,6 +43,7 @@
#include "LogFactory.h" #include "LogFactory.h"
#include "a2functional.h" #include "a2functional.h"
#include "fmt.h" #include "fmt.h"
#include "message.h"
#define ioErr -36 #define ioErr -36
#define paramErr -50 #define paramErr -50
@ -85,7 +86,7 @@ static inline const char* protoToString(SSLProtocol proto)
case kSSLProtocol2: case kSSLProtocol2:
return "SSLv2 (!)"; return "SSLv2 (!)";
case kSSLProtocol3: case kSSLProtocol3:
return "SSLv3"; return "SSLv3 (!)";
case kTLSProtocol1: case kTLSProtocol1:
return "TLSv1"; return "TLSv1";
case kTLSProtocol11: case kTLSProtocol11:
@ -731,6 +732,17 @@ int AppleTLSSession::tlsConnect(const std::string& hostname,
hostname.c_str(), hostname.c_str(),
protoToString(proto), protoToString(proto),
suiteToString(suite).c_str())); suiteToString(suite).c_str()));
switch (proto) {
case kSSLProtocol2:
case kSSLProtocol3: {
std::string protoAndSuite = protoToString(proto);
protoAndSuite += " " + suiteToString(suite);
A2_LOG_WARN(fmt(MSG_WARN_OLD_TLS_CONNECTION, protoAndSuite.c_str()));
break;
}
default:
break;
}
return TLS_ERR_OK; return TLS_ERR_OK;
} }

21
src/LibgnutlsTLSSession.cc
View File

@ -39,6 +39,9 @@
#include "TLSContext.h" #include "TLSContext.h"
#include "util.h" #include "util.h"
#include "SocketCore.h" #include "SocketCore.h"
#include "LogFactory.h"
#include "fmt.h"
#include "message.h"
namespace aria2 { namespace aria2 {
@ -297,6 +300,24 @@ int GnuTLSSession::tlsConnect(const std::string& hostname,
return TLS_ERR_ERROR; return TLS_ERR_ERROR;
} }
} }
auto proto = gnutls_protocol_get_version(sslSession_);
switch(proto) {
case GNUTLS_SSL3: {
std::string protoAndSuite = gnutls_protocol_get_name(proto);
protoAndSuite += " ";
protoAndSuite += gnutls_cipher_suite_get_name(
gnutls_kx_get(sslSession_),
gnutls_cipher_get(sslSession_),
gnutls_mac_get(sslSession_)
);
A2_LOG_WARN(fmt(MSG_WARN_OLD_TLS_CONNECTION, protoAndSuite.c_str()));
break;
}
default:
break;
}
return TLS_ERR_OK; return TLS_ERR_OK;
} }

20
src/LibsslTLSSession.cc
View File

@ -267,6 +267,26 @@ int OpenSSLTLSSession::tlsConnect(const std::string& hostname,
return TLS_ERR_ERROR; return TLS_ERR_ERROR;
} }
} }
switch(SSL_version(ssl_)) {
case SSL3_VERSION:
case SSL2_VERSION: {
std::string protoAndSuite = "Unknown";
auto cipher = SSL_get_current_cipher(ssl_);
if(cipher) {
auto buf = make_unique<char[]>(256);
auto cipherstr = SSL_CIPHER_description(cipher, buf.get(), 256);
if(cipherstr) {
protoAndSuite = cipherstr;
}
}
A2_LOG_WARN(fmt(MSG_WARN_OLD_TLS_CONNECTION, protoAndSuite.c_str()));
break;
}
default:
break;
}
return TLS_ERR_OK; return TLS_ERR_OK;
} }

30
src/WinTLSSession.cc
View File

@ -119,6 +119,17 @@ inline static std::string getCipherSuite(CtxtHandle* handle)
return "Unknown"; return "Unknown";
} }
inline static uint32_t getProtocolVersion(CtxtHandle* handle)
{
WinSecPkgContext_CipherInfo info = {SECPKGCONTEXT_CIPHERINFO_V1};
if (QueryContextAttributes(handle, SECPKG_ATTR_CIPHER_INFO, &info) ==
SEC_E_OK) {
return info.dwProtocol;
}
// XXX Assume the best?!
return std::numeric_limits<uint32_t>::max();
}
} // namespace } // namespace
namespace aria2 { namespace aria2 {
@ -808,14 +819,31 @@ restart:
} }
// Fall through // Fall through
case st_handshake_done: case st_handshake_done: {
// All ready now :D // All ready now :D
state_ = st_connected; state_ = st_connected;
A2_LOG_INFO( A2_LOG_INFO(
fmt("WinTLS: connected with: %s", getCipherSuite(&handle_).c_str())); fmt("WinTLS: connected with: %s", getCipherSuite(&handle_).c_str()));
auto proto = getProtocolVersion(&handle_);
if (proto < 0x301) {
std::string protoAndSuite;
switch (proto) {
case 0x300:
protoAndSuite = "SSLv3";
break;
default:
protoAndSuite = "Unknown";
break;
}
protoAndSuite += " " + getCipherSuite(&handle_);
A2_LOG_WARN(fmt(MSG_WARN_OLD_TLS_CONNECTION, protoAndSuite.c_str()));
}
return TLS_ERR_OK; return TLS_ERR_OK;
} }
}
A2_LOG_ERROR("WinTLS: Unreachable reached during tlsConnect! This is a bug!"); A2_LOG_ERROR("WinTLS: Unreachable reached during tlsConnect! This is a bug!");
state_ = st_error; state_ = st_error;
return TLS_ERR_ERROR; return TLS_ERR_ERROR;

4
src/message.h
View File

@ -183,6 +183,10 @@
#define MSG_WARN_NO_CA_CERT \ #define MSG_WARN_NO_CA_CERT \
_("You may encounter the certificate verification error with HTTPS server." \ _("You may encounter the certificate verification error with HTTPS server." \
" See --ca-certificate and --check-certificate option.") " See --ca-certificate and --check-certificate option.")
#define MSG_WARN_OLD_TLS_CONNECTION \
_("aria2c had to connect to the server using an old and vulnerable cipher" \
" suite. The integrity and confidentiality of the connection might be" \
" compromised.\nProtocol and cipher suite: %s")
#define MSG_SHOW_FILES _("Printing the contents of file '%s'...") #define MSG_SHOW_FILES _("Printing the contents of file '%s'...")
#define MSG_NOT_TORRENT_METALINK _("This file is neither Torrent nor Metalink" \ #define MSG_NOT_TORRENT_METALINK _("This file is neither Torrent nor Metalink" \
" file. Skipping.") " file. Skipping.")