authorChris Wilson <chris+github@qwirx.com>2019-06-02 21:51:27 +0100
committerReinhard Tartler <siretart@tauware.de>2019-06-07 05:55:39 -0400
commit8ed804d9d2c587a9c8e925209619d7dc84e63423 (patch)
treebba8d105d185673c94d0b12b1f984ba131afae52 /lib
parent4489eb94ed896477c4b01d4c4329b45c9134f894 (diff)
[PATCH] Minimal fix for Debian bug 907135 [#36]
Unfortunately, the changes required to implement the full solution to Debian bug 907135 were quite large and could not be reviewed in time for Debian 10's release date. This would have meant that Box Backup was not available at all in Debian 10. Therefore we have developed a workaround specifically for Debian 10 users (this patch), which contains only the minimal changes needed to: reduce the security level for Box Backup to 1 (the previous default), overriding the system default; and ensure that all newly generated certificates meet the new security requirements that will later be imposed. This interim version will hopefully be replaced by a version from the master branch that supports the SSLSecurityLevel configuration option, which we hope to see in debian-backports as soon as possible, and we recommend that anyone using the interim version upgrade to this master version as soon as possible. See https://github.com/boxbackup/boxbackup/wiki/WeakSSLCertificates#workaround-2 for more details. Gbp-Pq: Name openssl1.1.patch
Diffstat (limited to 'lib')
-rw-r--r--lib/common/BoxPortsAndFiles.h.in4
-rw-r--r--lib/common/Test.h2
-rw-r--r--lib/server/TLSContext.cpp9
3 files changed, 15 insertions, 0 deletions
diff --git a/lib/common/BoxPortsAndFiles.h.in b/lib/common/BoxPortsAndFiles.h.in
index 047a828f..8978cd4c 100644
--- a/lib/common/BoxPortsAndFiles.h.in
+++ b/lib/common/BoxPortsAndFiles.h.in
@@ -20,6 +20,10 @@
// directory within the RAIDFILE root for the backup store daemon
#define BOX_RAIDFILE_ROOT_BBSTORED "backup"
+// default security level if SSLSecurityLevel is not specified: see
+// https://github.com/boxbackup/boxbackup/wiki/WeakSSLCertificates
+const int BOX_DEFAULT_SSL_SECURITY_LEVEL = 1;
+
// configuration file paths
#ifdef WIN32
// no default config file path, use these macros to call
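Review bot: The comment on `BOX_DEFAULT_SSL_SECURITY_LEVEL` calls it the default used when SSLSecurityLevel is not specified, but the TLSContext.cpp hunk in this patch applies it unconditionally, and the commit message says the SSLSecurityLevel option exists only on master. In this build it is therefore a fixed override, not a default. The comment should say so and state what the value permits, for example `// security level forced on every TLS context in this interim build; OpenSSL level 1 = 80-bit minimum, so 1024-bit RSA/DH keys are still accepted`. That way a reader of the header alone can see that the constant lowers the distribution's TLS policy.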
diff --git a/lib/common/Test.h b/lib/common/Test.h
index 4b5cef61..32f8220d 100644
--- a/lib/common/Test.h
+++ b/lib/common/Test.h
@@ -23,6 +23,7 @@
#define BBACKUPQUERY "..\\..\\bin\\bbackupquery\\bbackupquery.exe"
#define BBSTOREACCOUNTS "..\\..\\bin\\bbstoreaccounts\\bbstoreaccounts.exe"
#define TEST_RETURN(actual, expected) TEST_EQUAL(expected, actual);
+#define TEST_RETURN_COMMAND(actual, expected, command) TEST_EQUAL_LINE(expected, actual, command);
#else
#define BBACKUPCTL "../../bin/bbackupctl/bbackupctl"
#define BBACKUPD "../../bin/bbackupd/bbackupd"
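Review bot: `TEST_RETURN_COMMAND` ends its expansion with a semicolon, so a call written `TEST_RETURN_COMMAND(a, b, cmd);` leaves an extra empty statement and breaks an unbraced `if ... else`. The non-Windows definition in the next hunk has the same problem and also shifts an unparenthesised argument in `(expected << 8)`. Both copy the existing `TEST_RETURN` pattern, but the new macro could drop the trailing `;` and use `((expected) << 8)`. `TEST_EQUAL_LINE` is not defined in the visible lines, so its argument order is assumed to match `TEST_EQUAL`.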
@@ -30,6 +31,7 @@
#define BBACKUPQUERY "../../bin/bbackupquery/bbackupquery"
#define BBSTOREACCOUNTS "../../bin/bbstoreaccounts/bbstoreaccounts"
#define TEST_RETURN(actual, expected) TEST_EQUAL((expected << 8), actual);
+#define TEST_RETURN_COMMAND(actual, expected, command) TEST_EQUAL_LINE((expected << 8), actual, command);
#endif
extern int num_failures;
diff --git a/lib/server/TLSContext.cpp b/lib/server/TLSContext.cpp
index 1a6d4a53..d3f41f45 100644
--- a/lib/server/TLSContext.cpp
+++ b/lib/server/TLSContext.cpp
@@ -14,6 +14,7 @@
#include "autogen_ConnectionException.h"
#include "autogen_ServerException.h"
+#include "BoxPortsAndFiles.h"
#include "CryptoUtils.h"
#include "SSLLib.h"
#include "TLSContext.h"
@@ -84,6 +85,14 @@ void TLSContext::Initialise(bool AsServer, const char *CertificatesFile, const c
THROW_EXCEPTION(ServerException, TLSAllocationFailed)
}
+#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
+ BOX_WARNING("This version of Box Backup overrides the system-wide SSLSecurityLevel for "
+ "backwards compatibility. Please upgrade as soon as possible. See "
+ "https://github.com/boxbackup/boxbackup/wiki/WeakSSLCertificates#workaround-2 "
+ "for details");
+ SSL_CTX_set_security_level(mpContext, BOX_DEFAULT_SSL_SECURITY_LEVEL);
+#endif
+
// Setup our identity
if(::SSL_CTX_use_certificate_chain_file(mpContext, CertificatesFile) != 1)
{
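Review bot: The added block warns and calls `SSL_CTX_set_security_level` on every `Initialise()`, for both values of `AsServer`, without looking at the level the context already has. A host whose OpenSSL policy is already at or below 1 still gets the "overrides the system-wide SSLSecurityLevel" warning, and the log never records which level was replaced. Wrapping the warning in `if(SSL_CTX_get_security_level(mpContext) > BOX_DEFAULT_SSL_SECURITY_LEVEL)` and adding the old and new levels to the message would let an operator or auditor see from the logs where TLS policy was actually lowered. The block also sits above the certificate-loading calls with no comment explaining why; a line such as `// must precede certificate loading: OpenSSL checks key/digest strength against the level when the chain is loaded` would help, if that is the reason for the placement. The body of `Initialise` continues outside the hunk.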