disable SSLv3 by default

configure.ac

@@ -887,6 +887,19 @@ else
 fi
 
 
+# SSLv3
+AC_ARG_ENABLE([sslv3],
+    [  --enable-sslv3         Enable SSL version 3.0 (default: disabled)],
+    [ ENABLED_SSLV3=$enableval ],
+    [ ENABLED_SSLV3=no]
+    )
+
+if test "$ENABLED_SSLV3" = "yes"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALLOW_SSLV3"
+fi
+
+
 # STACK SIZE info for examples
 AC_ARG_ENABLE([stacksize],
     [  --enable-stacksize      Enable stack size info on examples (default: disabled)],
@@ -2128,6 +2141,10 @@ AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \
       [AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"
        ENABLED_OLD_TLS=no])
 
+AS_IF([test "x$ENABLED_MAXSTRENGTH" = "xyes" && \
+       test "x$ENABLED_SSLV3" = "xyes"],
+      [AC_MSG_ERROR([Cannot use Max Strength and SSLv3 at the same time.])])
+
 
 # OPTIMIZE FLAGS
 if test "$GCC" = "yes"
@@ -2359,6 +2376,7 @@ echo "   * STUNNEL:                   $ENABLED_STUNNEL"
 echo "   * ERROR_STRINGS:             $ENABLED_ERROR_STRINGS"
 echo "   * DTLS:                      $ENABLED_DTLS"
 echo "   * Old TLS Versions:          $ENABLED_OLD_TLS"
+echo "   * SSL version 3.0:           $ENABLED_SSLV3"
 echo "   * OCSP:                      $ENABLED_OCSP"
 echo "   * CRL:                       $ENABLED_CRL"
 echo "   * CRL-MONITOR:               $ENABLED_CRL_MONITOR"

examples/client/client.c

@@ -530,10 +530,11 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 
     switch (version) {
 #ifndef NO_OLD_TLS
+    #ifdef WOLFSSL_ALLOW_SSLV3
         case 0:
             method = wolfSSLv3_client_method();
             break;
-                
+    #endif
 
     #ifndef NO_TLS
         case 1:

examples/echoclient/echoclient.c

@@ -111,8 +111,10 @@ void echoclient_test(void* args)
     method  = DTLSv1_2_client_method();
 #elif  !defined(NO_TLS)
     method = CyaSSLv23_client_method();
-#else
+#elif defined(WOLFSSL_ALLOW_SSLV3)
     method = SSLv3_client_method();
+#else
+    #error "no valid client method type"
 #endif
     ctx    = SSL_CTX_new(method);
 

examples/echoserver/echoserver.c

@@ -132,8 +132,10 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args)
     method  = CyaDTLSv1_2_server_method();
 #elif  !defined(NO_TLS)
     method = CyaSSLv23_server_method();
-#else
+#elif defined(WOLFSSL_ALLOW_SSLV3)
     method = CyaSSLv3_server_method();
+#else
+    #error "no valid server method built in"
 #endif
     ctx    = CyaSSL_CTX_new(method);
     /* CyaSSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); */

examples/server/server.c

@@ -407,9 +407,11 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
 
     switch (version) {
 #ifndef NO_OLD_TLS
+    #ifdef WOLFSSL_ALLOW_SSLV3
         case 0:
             method = SSLv3_server_method();
             break;
+    #endif
 
     #ifndef NO_TLS
         case 1:

src/internal.c

@@ -2371,7 +2371,7 @@ DtlsMsg* DtlsMsgInsert(DtlsMsg* head, DtlsMsg* item)
 
 #endif /* WOLFSSL_DTLS */
 
-#ifndef NO_OLD_TLS
+#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
 
 ProtocolVersion MakeSSLv3(void)
 {
@@ -2382,7 +2382,7 @@ ProtocolVersion MakeSSLv3(void)
     return pv;
 }
 
-#endif /* NO_OLD_TLS */
+#endif /* WOLFSSL_ALLOW_SSLV3 && !NO_OLD_TLS */
 
 
 #ifdef WOLFSSL_DTLS

src/sniffer.c

@@ -1118,7 +1118,7 @@ static int SetNamedPrivateKey(const char* name, const char* address, int port,
         sniffer->server = serverIp;
         sniffer->port = port;
 
-        sniffer->ctx = SSL_CTX_new(SSLv3_client_method());
+        sniffer->ctx = SSL_CTX_new(TLSv1_client_method());
         if (!sniffer->ctx) {
             SetError(MEMORY_STR, error, NULL, 0);
 #ifdef HAVE_SNI

src/ssl.c

@@ -1765,7 +1765,7 @@ int wolfSSL_set_group_messages(WOLFSSL* ssl)
 static int SetMinVersionHelper(byte* minVersion, int version)
 {
     switch (version) {
-#ifndef NO_OLD_TLS
+#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
         case WOLFSSL_SSLV3:
             *minVersion = SSLv3_MINOR;
             break;
@@ -1836,7 +1836,7 @@ int wolfSSL_SetVersion(WOLFSSL* ssl, int version)
     }
 
     switch (version) {
-#ifndef NO_OLD_TLS
+#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
         case WOLFSSL_SSLV3:
             ssl->version = MakeSSLv3();
             break;
@@ -3026,16 +3026,16 @@ static int ProcessChainBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
 static INLINE WOLFSSL_METHOD* cm_pick_method(void)
 {
     #ifndef NO_WOLFSSL_CLIENT
-        #ifdef NO_OLD_TLS
-            return wolfTLSv1_2_client_method();
-        #else
+        #if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
             return wolfSSLv3_client_method();
+        #else
+            return wolfTLSv1_2_client_method();
         #endif
     #elif !defined(NO_WOLFSSL_SERVER)
-        #ifdef NO_OLD_TLS
-            return wolfTLSv1_2_server_method();
-        #else
+        #if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
             return wolfSSLv3_server_method();
+        #else
+            return wolfTLSv1_2_server_method();
         #endif
     #else
         return NULL;
@@ -5335,7 +5335,7 @@ int wolfSSL_dtls_got_timeout(WOLFSSL* ssl)
 /* client only parts */
 #ifndef NO_WOLFSSL_CLIENT
 
-    #ifndef NO_OLD_TLS
+    #if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
     WOLFSSL_METHOD* wolfSSLv3_client_method(void)
     {
         WOLFSSL_METHOD* method =
@@ -5623,7 +5623,7 @@ int wolfSSL_dtls_got_timeout(WOLFSSL* ssl)
 /* server only parts */
 #ifndef NO_WOLFSSL_SERVER
 
-    #ifndef NO_OLD_TLS
+    #if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
     WOLFSSL_METHOD* wolfSSLv3_server_method(void)
     {
         WOLFSSL_METHOD* method =

tests/api.c

@@ -101,8 +101,10 @@ static void test_wolfSSL_Method_Allocators(void)
             TEST_METHOD_ALLOCATOR(a, AssertNull)
 
 #ifndef NO_OLD_TLS
-    TEST_VALID_METHOD_ALLOCATOR(wolfSSLv3_server_method);
-    TEST_VALID_METHOD_ALLOCATOR(wolfSSLv3_client_method);
+    #ifdef WOLFSSL_ALLOW_SSLV3
+        TEST_VALID_METHOD_ALLOCATOR(wolfSSLv3_server_method);
+        TEST_VALID_METHOD_ALLOCATOR(wolfSSLv3_client_method);
+    #endif
     TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_server_method);
     TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_client_method);
     TEST_VALID_METHOD_ALLOCATOR(wolfTLSv1_1_server_method);

tests/suites.c

@@ -36,7 +36,7 @@
 #define MAX_COMMAND_SZ 240
 #define MAX_SUITE_SZ 80 
 #define NOT_BUILT_IN -123
-#ifdef NO_OLD_TLS
+#if defined(NO_OLD_TLS) || !defined(WOLFSSL_ALLOW_SSLV3)
     #define VERSION_TOO_OLD -124
 #endif
 
@@ -52,6 +52,28 @@ static char flagSep[] = " ";
 static char svrPort[] = "0";
 
 
+#ifndef WOLFSSL_ALLOW_SSLV3
+/* if the protocol version is sslv3 return 1, else 0 */
+static int IsSslVersion(const char* line)
+{
+    const char* find = "-v ";
+    char* begin = strstr(line, find);
+
+    if (begin) {
+        int version = -1;
+
+        begin += 3;
+
+        version = atoi(begin);
+
+        if (version == 0)
+            return 1;
+    }
+
+    return 0;
+}
+#endif /* !WOLFSSL_ALLOW_SSLV3 */
+
 #ifdef NO_OLD_TLS
 /* if the protocol version is less than tls 1.2 return 1, else 0 */
 static int IsOldTlsVersion(const char* line)
@@ -168,6 +190,15 @@ static int execute_test_case(int svr_argc, char** svr_argv,
         return NOT_BUILT_IN;
     }
 
+#ifndef WOLFSSL_ALLOW_SSLV3
+    if (IsSslVersion(commandLine) == 1) {
+        #ifdef DEBUG_SUITE_TESTS
+            printf("protocol version on line %s is too old\n", commandLine);
+        #endif
+        return VERSION_TOO_OLD;
+    }
+#endif
+
 #ifdef NO_OLD_TLS
     if (IsOldTlsVersion(commandLine) == 1) {
         #ifdef DEBUG_SUITE_TESTS