From 5f859d8a98abbb69aaa4f2bbb3b26de10fe4318a Mon Sep 17 00:00:00 2001
From: Artem Boldariev
Date: Tue, 30 Nov 2021 10:42:23 +0200
Subject: [PATCH] TLS context handling code: Fix an abort on ancient OpenSSL version

There was a logical bug when setting a list of enabled TLS protocols, which may lead to a crash (an abort()) on systems with ancient OpenSSL versions. The problem was due to the fact that we were INSIST()ing on supporting all of the TLS versions, while checking only for mentioned in the configuration was implied.
---
 lib/isc/tls.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/lib/isc/tls.c b/lib/isc/tls.c
index a59bb4f2ad..d59e90ded6 100644
--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
@@ -453,14 +453,18 @@ isc_tlsctx_set_protocols(isc_tlsctx_t *ctx, const uint32_t tls_versions) {
 for (uint32_t tls_ver = ISC_TLS_PROTO_VER_1_2; tls_ver < ISC_TLS_PROTO_VER_UNDEFINED; tls_ver <<= 1) {
- /* Only supported versions should ever be passed to the
- * function. The configuration file was not verified
- * properly, if we are trying to enable an unsupported
- * TLS version */
- INSIST(isc_tls_protocol_supported(tls_ver));
 if ((tls_versions & tls_ver) == 0) {
 set_options |= get_tls_version_disable_bit(tls_ver);
 } else {
+ /*
+ * Only supported versions should ever be passed to the
+ * function SSL_CTX_clear_options. For example, in order
+ * to enable TLS v1.2, we have to clear
+ * SSL_OP_NO_TLSv1_2. Insist that the configuration file
+ * was verified properly, so we are not trying to enable
+ * an unsupported TLS version.
+ */
+ INSIST(isc_tls_protocol_supported(tls_ver));
 clear_options |= get_tls_version_disable_bit(tls_ver);
 }
 versions &= ~(tls_ver);
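Review bot: With the INSIST moved into the else branch, the `if ((tls_versions & tls_ver) == 0)` branch now calls `get_tls_version_disable_bit(tls_ver)` for versions the linked OpenSSL may not support, and that helper is defined outside this hunk. If it asserts or returns an unrelated bit for an unsupported version, the abort described in the commit message would only move rather than go away, so it is worth confirming that it yields 0 in that case. A one-line comment on the disable branch would record the intent, for example `/* Disabling a version the library lacks is a no-op, so no support check is needed here. */`. The remaining INSIST still turns a mis-validated configuration into a process abort, so the configuration check it relies on (presumably done before this function is called) must reject unsupported versions on every path that reaches it. The loop body and the function continue past the end of the hunk.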