diff options
| author | Mark Michelson <mmichelson@digium.com> | 2016-02-04 16:17:55 -0600 |
|---|---|---|
| committer | Mark Michelson <mmichelson@digium.com> | 2016-02-04 16:57:38 -0600 |
| commit | 6a799cd78f0f26f26afab8b123e04f16c0308c36 (patch) | |
| tree | e99ef58fbfebb3498caba80a6153b9b6cb0e824e /main/tcptls.c | |
| parent | c5e7d5c10587ba19c8f0d56d6f5b291624e9a234 (diff) | |
Check for OpenSSL defines before trying to use them.
The SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 defines did not exist prior
to OpenSSL version 1.0.1. A recent commit attempts to, by default, set
these options, which can cause problems on systems with older OpenSSL
installations.
This commit adds a configure script check for those defines and will not
attempt to make use of those if they do not exist. We will print a
warning urging the user to upgrade their OpenSSL installation if those
defines are not present.
Change-Id: I6a2eb9a43fd0738b404d8f6f2cf4b5c22d9d752d
Diffstat (limited to 'main/tcptls.c')
| -rw-r--r-- | main/tcptls.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/main/tcptls.c b/main/tcptls.c index 6f37724d9..34baf9a0e 100644 --- a/main/tcptls.c +++ b/main/tcptls.c @@ -818,12 +818,17 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client) if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV1)) { ssl_opts |= SSL_OP_NO_TLSv1; } +#if defined(HAVE_SSL_OP_NO_TLSV1_1) && defined(HAVE_SSL_OP_NO_TLSV1_2) if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV11)) { ssl_opts |= SSL_OP_NO_TLSv1_1; } if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV12)) { ssl_opts |= SSL_OP_NO_TLSv1_2; } +#else + ast_log(LOG_WARNING, "Your version of OpenSSL leaves you potentially vulnerable " + "to the SSL BEAST attack. Please upgrade to OpenSSL 1.0.1 or later\n"); +#endif SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts); |