AST-2016-001 http: Provide greater control of TLS and set modern defaults.

This change exposes the configuration of various aspects of the TLS support and sets the default to the modern standards. The TLS cipher is now set to the best values according to the Mozilla OpSec team, different TLS versions can now be disabled, and the cipher order can be forced to be that of the server instead of the client. ASTERISK-24972 #close Change-Id: I0a10f2883f7559af5e48dee0901251dbf30d45b8
author: Joshua Colp <jcolp@digium.com> 2016-02-03 14:05:20 -0400
committer: Kevin Harwell <kharwell@digium.com> 2016-02-03 15:10:16 -0600
commit: 0de74fad5597ba12ec68bcc935330a612ee255d6 (patch)
tree: 562dd3c4d61e873505d2bdf5e108da3c3a459805 /include/asterisk
parent: ae1f728f0f7f816a3e697a0c039046f23ec9ccf3 (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/include/asterisk/tcptls.h b/include/asterisk/tcptls.h
index a3f3f2884..3c5f4504c 100644
--- a/include/asterisk/tcptls.h
+++ b/include/asterisk/tcptls.h
@@ -87,7 +87,15 @@ enum ast_ssl_flags {
 	/*! Use SSLv3 for outgoing client connections */
 	AST_SSL_SSLV3_CLIENT = (1 << 4),
 	/*! Use TLSv1 for outgoing client connections */
-	AST_SSL_TLSV1_CLIENT = (1 << 5)
+	AST_SSL_TLSV1_CLIENT = (1 << 5),
+	/*! Use server cipher order instead of the client order */
+	AST_SSL_SERVER_CIPHER_ORDER = (1 << 6),
+	/*! Disable TLSv1 support */
+	AST_SSL_DISABLE_TLSV1 = (1 << 7),
+	/*! Disable TLSv1.1 support */
+	AST_SSL_DISABLE_TLSV11 = (1 << 8),
+	/*! Disable TLSv1.2 support */
+	AST_SSL_DISABLE_TLSV12 = (1 << 9),
 };
 
 struct ast_tls_config {
author	Joshua Colp <jcolp@digium.com>	2016-02-03 14:05:20 -0400
committer	Kevin Harwell <kharwell@digium.com>	2016-02-03 15:10:16 -0600
commit	0de74fad5597ba12ec68bcc935330a612ee255d6 (patch)
tree	562dd3c4d61e873505d2bdf5e108da3c3a459805 /include/asterisk
parent	ae1f728f0f7f816a3e697a0c039046f23ec9ccf3 (diff)