AST-2014-011: Fix POODLE security issues

There are two aspects to the vulnerability: (1) res_jabber/res_xmpp use SSLv3 only. This patch updates the module to use TLSv1+. At this time, it does not refactor res_jabber/res_xmpp to use the TCP/TLS core, which should be done as an improvement at a latter date. (2) The TCP/TLS core, when tlsclientmethod/sslclientmethod is left unspecified, will default to the OpenSSL SSLv23_method. This method allows for all ecnryption methods, including SSLv2/SSLv3. A MITM can exploit this by forcing a fallback to SSLv3, which leaves the server vulnerable to POODLE. This patch adds WARNINGS if a user uses SSLv2/SSLv3 in their configuration, and explicitly disables SSLv2/SSLv3 if using SSLv23_method. For TLS clients, Asterisk will default to TLSv1+ and WARN if SSLv2 or SSLv3 is explicitly chosen. For TLS servers, Asterisk will no longer support SSLv2 or SSLv3. Much thanks to abelbeck for reporting the vulnerability and providing a patch for the res_jabber/res_xmpp modules. Review: https://reviewboard.asterisk.org/r/4096/ ASTERISK-24425 #close Reported by: abelbeck Tested by: abelbeck, opsmonitor, gtjoseph patches: asterisk-1.8-jabber-tls.patch uploaded by abelbeck (License 5903) asterisk-11-jabber-xmpp-tls.patch uploaded by abelbeck (License 5903) AST-2014-011-1.8.diff uploaded by mjordan (License 6283) AST-2014-011-11.diff uploaded by mjordan (License 6283) ........ Merged revisions 425987 from http://svn.asterisk.org/svn/asterisk/branches/12 ........ Merged revisions 425991 from http://svn.asterisk.org/svn/asterisk/branches/13 git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@426003 65c4cc65-6c06-0410-ace0-fbb531ad65f3
author: Matthew Jordan <mjordan@digium.com> 2014-10-20 14:20:15 +0000
committer: Matthew Jordan <mjordan@digium.com> 2014-10-20 14:20:15 +0000
commit: dad0334cf1b907252dbd6a7ab54e66292983c889 (patch)
tree: c113c0e0d37a2e63062c6c8e2acf92d2f49f17aa /res/res_xmpp.c
parent: 5e10e369b182c7c05a9d802fe1ead92b21dc2839 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/res/res_xmpp.c b/res/res_xmpp.c
index b3c374871..3cb6fc572 100644
--- a/res/res_xmpp.c
+++ b/res/res_xmpp.c
@@ -2637,6 +2637,7 @@ static int xmpp_client_requested_tls(struct ast_xmpp_client *client, struct ast_
 {
 #ifdef HAVE_OPENSSL
 	int sock;
+	long ssl_opts;
 #endif
 
 	if (!strcmp(iks_name(node), "success")) {
@@ -2655,11 +2656,14 @@ static int xmpp_client_requested_tls(struct ast_xmpp_client *client, struct ast_
 	ast_log(LOG_ERROR, "Somehow we managed to try to start TLS negotiation on client '%s' without OpenSSL support, disconnecting\n", client->name);
 	return -1;
 #else
-	client->ssl_method = SSLv3_method();
+	client->ssl_method = SSLv23_method();
 	if (!(client->ssl_context = SSL_CTX_new((SSL_METHOD *) client->ssl_method))) {
 		goto failure;
 	}
 
+	ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+	SSL_CTX_set_options(client->ssl_context, ssl_opts);
+
 	if (!(client->ssl_session = SSL_new(client->ssl_context))) {
 		goto failure;
 	}
author	Matthew Jordan <mjordan@digium.com>	2014-10-20 14:20:15 +0000
committer	Matthew Jordan <mjordan@digium.com>	2014-10-20 14:20:15 +0000
commit	dad0334cf1b907252dbd6a7ab54e66292983c889 (patch)
tree	c113c0e0d37a2e63062c6c8e2acf92d2f49f17aa /res/res_xmpp.c
parent	5e10e369b182c7c05a9d802fe1ead92b21dc2839 (diff)