fhem.pl: add sslVersion (Forum #39094)

git-svn-id: https://svn.fhem.de/fhem/trunk@8952 2b470e98-0d58-463d-a4d8-8e2adae1ed80
2025-01-31 06:39:11 +00:00 · 2015-07-13 12:30:26 +00:00 · 2015-07-13 12:30:26 +00:00 · fa7b98957b
commit fa7b98957b
parent 9e5f174fb7
7 changed files with 42 additions and 5 deletions
--- a/fhem/FHEM/01_FHEMWEB.pm
+++ b/fhem/FHEM/01_FHEMWEB.pm
@ -164,6 +164,7 @@ FHEMWEB_Initialize($)
    reverseLogs:0,1
    roomIcons
    sortRooms
+    sslVersion
    smallscreen:unused
    smallscreenCommands:0,1
    stylesheetPrefix
@ -3395,6 +3396,9 @@ FW_widgetOverride($$)
        smallscreen landscape mode.
        </li><br>

+     <li>sslVersion<br>
+        See the global attribute sslVersion.
+        </li><br>

    </ul>
  </ul>
@ -4105,6 +4109,10 @@ FW_widgetOverride($$)
        Smallscreen Landscape Modus angezeigt.
        </li><br>

+     <li>sslVersion<br>
+        Siehe das global Attribut sslVersion.
+        </li><br>
+
    </ul>
  </ul>

--- a/fhem/FHEM/98_telnet.pm
+++ b/fhem/FHEM/98_telnet.pm
@ -22,7 +22,7 @@ telnet_Initialize($)
  $hash->{NotifyFn}= "telnet_SecurityCheck";
  $hash->{AttrList} = "globalpassword password prompt ".
                        "allowfrom SSL connectTimeout connectInterval ".
-                        "encoding:utf8,latin1";
+                        "encoding:utf8,latin1 sslVersion";
  $hash->{ActivateInformFn} = "telnet_ActivateInform";

  my %lhash = ( Fn=>"CommandTelnetEncoding",
@ -471,9 +471,13 @@ telnet_ActivateInform($;$)

    <a name="encoding"></a>
    <li>encoding<br>
-        Sets the encoding for the data send to the client. Possible values are latin1 and utf8. Default is utf8.
+        Sets the encoding for the data send to the client. Possible values are
+        latin1 and utf8. Default is utf8.
        </li><br>

+     <li>sslVersion<br>
+        See the global attribute sslVersion.
+        </li><br>

  </ul>

@ -634,6 +638,9 @@ telnet_ActivateInform($;$)
        M&ouml;gliche Werte sind utf8 und latin1. Standardwert ist utf8. 
    </li><br>

+     <li>sslVersion<br>
+        Siehe das global Attribut sslVersion.
+        </li><br>

  </ul>

--- a/fhem/FHEM/HttpUtils.pm
+++ b/fhem/FHEM/HttpUtils.pm
@ -185,9 +185,11 @@ HttpUtils_Connect2($)
      Log3 $hash, $hash->{loglevel}, $@;
    } else {
      $hash->{conn}->blocking(1);
+      my $sslVersion = AttrVal($hash->{NAME}, "sslVersion", 
+                       AttrVal("global", "sslVersion", "SSLv23:!SSLv3:!SSLv2"));
      IO::Socket::SSL->start_SSL($hash->{conn}, {
          Timeout     => $hash->{timeout},
-          SSL_version => 'SSLv23:!SSLv3:!SSLv2', #Forum #27565
+          SSL_version => $sslVersion
        }) || undef $hash->{conn};
    }
  }
--- a/fhem/FHEM/TcpServerUtils.pm
+++ b/fhem/FHEM/TcpServerUtils.pm
@ -83,6 +83,10 @@ TcpServer_Accept($$)
  #$clientinfo[0]->blocking(0);  # Forum #24799

  if($hash->{SSL}) {
+    # Forum #27565: SSLv23:!SSLv3:!SSLv2', #35004: TLSv12:!SSLv3
+    my $sslVersion = AttrVal($hash->{NAME}, "sslVersion", 
+                     AttrVal("global", "sslVersion", "TLSv12:!SSLv3"));
+
    # Certs directory must be in the modpath, i.e. at the same level as the
    # FHEM directory
    my $mp = AttrVal("global", "modpath", ".");
@ -90,8 +94,7 @@ TcpServer_Accept($$)
      SSL_server    => 1, 
      SSL_key_file  => "$mp/certs/server-key.pem",
      SSL_cert_file => "$mp/certs/server-cert.pem",
-      #SSL_version   => 'SSLv23:!SSLv3:!SSLv2', #Forum #27565
-      SSL_version => 'TLSv12:!SSLv3', # Forum  #35004
+      SSL_version => $sslVersion,
      SSL_cipher_list => 'HIGH:!RC4:!eNULL:!aNULL',
      Timeout       => 4,
      });
--- a/fhem/docs/commandref_frame.html
+++ b/fhem/docs/commandref_frame.html
@ -1456,6 +1456,14 @@ The following local attributes are used by a wider range of devices:
        overview and by xmllist.
    </li><br>

+    <a name="sslVersion"></a>
+    <li>sslVersion<br>
+        Specifies the accepted cryptography algorithms by all modules using the
+        TcpServices helper module. The current default TLSv12:!SSLv3 is thought
+        to be more secure than the previously used SSLv23:!SSLv3:!SSLv2, but it
+        causes problems with some not updated web services.
+    </li><br>
+
    <a name="stacktrace"></a>
    <li>stacktrace<br>
        if set (to 1), dump a stacktrace to the log for each "PERL WARNING".
--- a/fhem/docs/commandref_frame_DE.html
+++ b/fhem/docs/commandref_frame_DE.html
@ -1552,6 +1552,14 @@ Die folgenden lokalen Attribute werden von mehreren Ger&auml;ten verwendet:
      xmllist Befehl, und bei der FHEMWEB Raumansicht gepr&uuml;ft.
    </li><br>

+    <a name="sslVersion"></a>
+    <li>sslVersion<br>
+        Setzt die akzeptierten Crypto-Algorithmen im TcpServices Hilfsmodul.
+        Die Voreinstellung TLSv12:!SSLv3 wird als sicherer erachtet als die
+        vorherige SSLv23:!SSLv3:!SSLv2, aber sie kann Probleme mit nicht
+        ausreichend aktualisierten Netzwerk-Diensten verursachen.
+    </li><br>
+
    <a name="stacktrace"></a>
    <li>stacktrace<br>
        Falls gesetzt (auf 1), schreibt ins FHEM-Log zus&auml;tzlich zu jedem
--- a/fhem/fhem.pl
+++ b/fhem/fhem.pl
@ -281,6 +281,7 @@ my @globalAttrList = qw(
  restoreDirs
  sendStatistics:onUpdate,manually,never
  showInternalValues:1,0
+  sslVersion
  stacktrace:1,0
  statefile
  title