diff options
| -rw-r--r-- | configs/samples/http.conf.sample | 20 | ||||
| -rw-r--r-- | include/asterisk/tcptls.h | 10 | ||||
| -rw-r--r-- | main/http.c | 7 | ||||
| -rw-r--r-- | main/tcptls.c | 30 |
4 files changed, 59 insertions, 8 deletions
diff --git a/configs/samples/http.conf.sample b/configs/samples/http.conf.sample index 1d23a67f6..342dff483 100644 --- a/configs/samples/http.conf.sample +++ b/configs/samples/http.conf.sample @@ -90,6 +90,26 @@ bindaddr=127.0.0.1 ; private in same .pem file. ; openssl req -new -x509 -days 365 -nodes -out /tmp/foo.pem -keyout /tmp/foo.pem ; +; tlscipher= ; The list of allowed ciphers +; ; if none are specified the following cipher +; ; list will be used instead: +; ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384: +; ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256: +; kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA: +; ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384: +; ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA: +; DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA: +; AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA: +; AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH: +; !EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA +; +; tlsdisablev1=yes ; Disable TLSv1 support - if not set this defaults to "yes" +; tlsdisablev11=yes ; Disable TLSv1.1 support - if not set this defaults to "no" +; tlsdisablev12=yes ; Disable TLSv1.2 support - if not set this defaults to "no" +; +; tlsservercipherorder=yes ; Use the server preference order instead of the client order +; ; Defaults to "yes" +; ; The post_mappings section maps URLs to real paths on the filesystem. If a ; POST is done from within an authenticated manager session to one of the ; configured POST mappings, then any files in the POST will be placed in the diff --git a/include/asterisk/tcptls.h b/include/asterisk/tcptls.h index 0e8d9d042..e1a632cca 100644 --- a/include/asterisk/tcptls.h +++ b/include/asterisk/tcptls.h @@ -86,7 +86,15 @@ enum ast_ssl_flags { /*! Use SSLv3 for outgoing client connections */ AST_SSL_SSLV3_CLIENT = (1 << 4), /*! Use TLSv1 for outgoing client connections */ - AST_SSL_TLSV1_CLIENT = (1 << 5) + AST_SSL_TLSV1_CLIENT = (1 << 5), + /*! Use server cipher order instead of the client order */ + AST_SSL_SERVER_CIPHER_ORDER = (1 << 6), + /*! Disable TLSv1 support */ + AST_SSL_DISABLE_TLSV1 = (1 << 7), + /*! Disable TLSv1.1 support */ + AST_SSL_DISABLE_TLSV11 = (1 << 8), + /*! Disable TLSv1.2 support */ + AST_SSL_DISABLE_TLSV12 = (1 << 9), }; struct ast_tls_config { diff --git a/main/http.c b/main/http.c index 26e218ba0..c343cb236 100644 --- a/main/http.c +++ b/main/http.c @@ -2102,10 +2102,13 @@ static int __ast_http_load(int reload) } http_tls_cfg.pvtfile = ast_strdup(""); + /* Apply modern intermediate settings according to the Mozilla OpSec team as of July 30th, 2015 but disable TLSv1 */ + ast_set_flag(&http_tls_cfg.flags, AST_SSL_DISABLE_TLSV1 | AST_SSL_SERVER_CIPHER_ORDER); + if (http_tls_cfg.cipher) { ast_free(http_tls_cfg.cipher); } - http_tls_cfg.cipher = ast_strdup(""); + http_tls_cfg.cipher = ast_strdup("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"); AST_RWLIST_WRLOCK(&uri_redirects); while ((redirect = AST_RWLIST_REMOVE_HEAD(&uri_redirects, entry))) { @@ -2131,8 +2134,6 @@ static int __ast_http_load(int reload) && strcasecmp(v->name, "tlsdontverifyserver") && strcasecmp(v->name, "tlsclientmethod") && strcasecmp(v->name, "sslclientmethod") - && strcasecmp(v->name, "tlscipher") - && strcasecmp(v->name, "sslcipher") && !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) { continue; } diff --git a/main/tcptls.c b/main/tcptls.c index 1b0c26ad2..6f37724d9 100644 --- a/main/tcptls.c +++ b/main/tcptls.c @@ -759,7 +759,8 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client) return 0; #else int disable_ssl = 0; - + long ssl_opts = 0; + if (!cfg->enabled) { return 0; } @@ -807,11 +808,24 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client) * them. SSLv23_*_method supports TLSv1+. */ if (disable_ssl) { - long ssl_opts; + ssl_opts |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; + } + + if (ast_test_flag(&cfg->flags, AST_SSL_SERVER_CIPHER_ORDER)) { + ssl_opts |= SSL_OP_CIPHER_SERVER_PREFERENCE; + } - ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; - SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts); + if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV1)) { + ssl_opts |= SSL_OP_NO_TLSv1; } + if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV11)) { + ssl_opts |= SSL_OP_NO_TLSv1_1; + } + if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV12)) { + ssl_opts |= SSL_OP_NO_TLSv1_2; + } + + SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts); SSL_CTX_set_verify(cfg->ssl_ctx, ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE, @@ -1164,6 +1178,14 @@ int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_ ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT); ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT); } + } else if (!strcasecmp(varname, "tlsservercipherorder")) { + ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_SERVER_CIPHER_ORDER); + } else if (!strcasecmp(varname, "tlsdisablev1")) { + ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV1); + } else if (!strcasecmp(varname, "tlsdisablev11")) { + ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV11); + } else if (!strcasecmp(varname, "tlsdisablev12")) { + ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV12); } else { return -1; } |