diff options
| author | Joshua Colp <jcolp@digium.com> | 2016-02-03 14:05:20 -0400 |
|---|---|---|
| committer | Kevin Harwell <kharwell@digium.com> | 2016-02-03 15:07:56 -0600 |
| commit | f8acadde2c1fcd36fa56bb39bf6058d7116f0962 (patch) | |
| tree | a942b93bd86fe1d2131b0f3e02476eea493a5c96 /main/http.c | |
| parent | 73159cb45f26e5f52605beb826cd955538912458 (diff) | |
AST-2016-001 http: Provide greater control of TLS and set modern defaults.
This change exposes the configuration of various aspects of the TLS
support and sets the default to the modern standards.
The TLS cipher is now set to the best values according to the
Mozilla OpSec team, different TLS versions can now be disabled, and
the cipher order can be forced to be that of the server instead of
the client.
ASTERISK-24972 #close
Change-Id: I0a10f2883f7559af5e48dee0901251dbf30d45b8
Diffstat (limited to 'main/http.c')
| -rw-r--r-- | main/http.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/main/http.c b/main/http.c index 26e218ba0..c343cb236 100644 --- a/main/http.c +++ b/main/http.c @@ -2102,10 +2102,13 @@ static int __ast_http_load(int reload) } http_tls_cfg.pvtfile = ast_strdup(""); + /* Apply modern intermediate settings according to the Mozilla OpSec team as of July 30th, 2015 but disable TLSv1 */ + ast_set_flag(&http_tls_cfg.flags, AST_SSL_DISABLE_TLSV1 | AST_SSL_SERVER_CIPHER_ORDER); + if (http_tls_cfg.cipher) { ast_free(http_tls_cfg.cipher); } - http_tls_cfg.cipher = ast_strdup(""); + http_tls_cfg.cipher = ast_strdup("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"); AST_RWLIST_WRLOCK(&uri_redirects); while ((redirect = AST_RWLIST_REMOVE_HEAD(&uri_redirects, entry))) { @@ -2131,8 +2134,6 @@ static int __ast_http_load(int reload) && strcasecmp(v->name, "tlsdontverifyserver") && strcasecmp(v->name, "tlsclientmethod") && strcasecmp(v->name, "sslclientmethod") - && strcasecmp(v->name, "tlscipher") - && strcasecmp(v->name, "sslcipher") && !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) { continue; } |