diff options
author | Mark Michelson <mmichelson@digium.com> | 2016-02-04 16:17:55 -0600 |
---|---|---|
committer | Mark Michelson <mmichelson@digium.com> | 2016-02-04 16:57:46 -0600 |
commit | 3b426a8b09c127941b29600271184583f2199a19 (patch) | |
tree | 26bc40d4985b99f1e52e7e7f13aa5eab320c545f /main | |
parent | c0a8ecc8c00ed675a038a34bfb27a3e5b093055d (diff) |
Check for OpenSSL defines before trying to use them.
The SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 defines did not exist prior
to OpenSSL version 1.0.1. A recent commit attempts to, by default, set
these options, which can cause problems on systems with older OpenSSL
installations.
This commit adds a configure script check for those defines and will not
attempt to make use of those if they do not exist. We will print a
warning urging the user to upgrade their OpenSSL installation if those
defines are not present.
Change-Id: I6a2eb9a43fd0738b404d8f6f2cf4b5c22d9d752d
Diffstat (limited to 'main')
-rw-r--r-- | main/tcptls.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/main/tcptls.c b/main/tcptls.c index 394179463..f56e0aa70 100644 --- a/main/tcptls.c +++ b/main/tcptls.c @@ -875,12 +875,17 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client) if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV1)) { ssl_opts |= SSL_OP_NO_TLSv1; } +#if defined(HAVE_SSL_OP_NO_TLSV1_1) && defined(HAVE_SSL_OP_NO_TLSV1_2) if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV11)) { ssl_opts |= SSL_OP_NO_TLSv1_1; } if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV12)) { ssl_opts |= SSL_OP_NO_TLSv1_2; } +#else + ast_log(LOG_WARNING, "Your version of OpenSSL leaves you potentially vulnerable " + "to the SSL BEAST attack. Please upgrade to OpenSSL 1.0.1 or later\n"); +#endif SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts); |