summaryrefslogtreecommitdiff
path: root/main
diff options
context:
space:
mode:
Diffstat (limited to 'main')
-rw-r--r--main/http.c7
-rw-r--r--main/tcptls.c30
-rw-r--r--main/udptl.c15
3 files changed, 37 insertions, 15 deletions
diff --git a/main/http.c b/main/http.c
index 26e218ba0..c343cb236 100644
--- a/main/http.c
+++ b/main/http.c
@@ -2102,10 +2102,13 @@ static int __ast_http_load(int reload)
}
http_tls_cfg.pvtfile = ast_strdup("");
+ /* Apply modern intermediate settings according to the Mozilla OpSec team as of July 30th, 2015 but disable TLSv1 */
+ ast_set_flag(&http_tls_cfg.flags, AST_SSL_DISABLE_TLSV1 | AST_SSL_SERVER_CIPHER_ORDER);
+
if (http_tls_cfg.cipher) {
ast_free(http_tls_cfg.cipher);
}
- http_tls_cfg.cipher = ast_strdup("");
+ http_tls_cfg.cipher = ast_strdup("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA");
AST_RWLIST_WRLOCK(&uri_redirects);
while ((redirect = AST_RWLIST_REMOVE_HEAD(&uri_redirects, entry))) {
@@ -2131,8 +2134,6 @@ static int __ast_http_load(int reload)
&& strcasecmp(v->name, "tlsdontverifyserver")
&& strcasecmp(v->name, "tlsclientmethod")
&& strcasecmp(v->name, "sslclientmethod")
- && strcasecmp(v->name, "tlscipher")
- && strcasecmp(v->name, "sslcipher")
&& !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
continue;
}
diff --git a/main/tcptls.c b/main/tcptls.c
index 1b0c26ad2..6f37724d9 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -759,7 +759,8 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
return 0;
#else
int disable_ssl = 0;
-
+ long ssl_opts = 0;
+
if (!cfg->enabled) {
return 0;
}
@@ -807,11 +808,24 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
* them. SSLv23_*_method supports TLSv1+.
*/
if (disable_ssl) {
- long ssl_opts;
+ ssl_opts |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+ }
+
+ if (ast_test_flag(&cfg->flags, AST_SSL_SERVER_CIPHER_ORDER)) {
+ ssl_opts |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+ }
- ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
- SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
+ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV1)) {
+ ssl_opts |= SSL_OP_NO_TLSv1;
}
+ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV11)) {
+ ssl_opts |= SSL_OP_NO_TLSv1_1;
+ }
+ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV12)) {
+ ssl_opts |= SSL_OP_NO_TLSv1_2;
+ }
+
+ SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
SSL_CTX_set_verify(cfg->ssl_ctx,
ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE,
@@ -1164,6 +1178,14 @@ int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_
ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
}
+ } else if (!strcasecmp(varname, "tlsservercipherorder")) {
+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_SERVER_CIPHER_ORDER);
+ } else if (!strcasecmp(varname, "tlsdisablev1")) {
+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV1);
+ } else if (!strcasecmp(varname, "tlsdisablev11")) {
+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV11);
+ } else if (!strcasecmp(varname, "tlsdisablev12")) {
+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV12);
} else {
return -1;
}
diff --git a/main/udptl.c b/main/udptl.c
index 4e878195c..e8410cc8b 100644
--- a/main/udptl.c
+++ b/main/udptl.c
@@ -305,16 +305,15 @@ static int decode_open_type(uint8_t *buf, unsigned int limit, unsigned int *len,
if (decode_length(buf, limit, len, &octet_cnt) != 0)
return -1;
- if (octet_cnt > 0) {
- /* Make sure the buffer contains at least the number of bits requested */
- if ((*len + octet_cnt) > limit)
- return -1;
-
- *p_num_octets = octet_cnt;
- *p_object = &buf[*len];
- *len += octet_cnt;
+ /* Make sure the buffer contains at least the number of bits requested */
+ if ((*len + octet_cnt) > limit) {
+ return -1;
}
+ *p_num_octets = octet_cnt;
+ *p_object = &buf[*len];
+ *len += octet_cnt;
+
return 0;
}
/*- End of function --------------------------------------------------------*/
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-22 16:45:18 +0000