Diffstat (limited to 'main')
-rw-r--r-- | main/http.c | 7 | ||||
-rw-r--r-- | main/tcptls.c | 30 | ||||
-rw-r--r-- | main/udptl.c | 15 |
3 files changed, 37 insertions, 15 deletions
diff --git a/main/http.c b/main/http.c
index 26e218ba0..c343cb236 100644
--- a/main/http.c
+++ b/main/http.c
@@ -2102,10 +2102,13 @@ static int __ast_http_load(int reload)
 }
 http_tls_cfg.pvtfile = ast_strdup("");
+ /* Apply modern intermediate settings according to the Mozilla OpSec team as of July 30th, 2015 but disable TLSv1 */
+ ast_set_flag(&http_tls_cfg.flags, AST_SSL_DISABLE_TLSV1 | AST_SSL_SERVER_CIPHER_ORDER);
+
 if (http_tls_cfg.cipher) {
 ast_free(http_tls_cfg.cipher);
 }
- http_tls_cfg.cipher = ast_strdup("");
+ http_tls_cfg.cipher = ast_strdup("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA");
 AST_RWLIST_WRLOCK(&uri_redirects);
 while ((redirect = AST_RWLIST_REMOVE_HEAD(&uri_redirects, entry))) {
@@ -2131,8 +2134,6 @@ static int __ast_http_load(int reload)
 && strcasecmp(v->name, "tlsdontverifyserver")
 && strcasecmp(v->name, "tlsclientmethod")
 && strcasecmp(v->name, "sslclientmethod")
- && strcasecmp(v->name, "tlscipher")
- && strcasecmp(v->name, "sslcipher")
 && !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
 continue;
 }
diff --git a/main/tcptls.c b/main/tcptls.c
index 1b0c26ad2..6f37724d9 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
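Review bot: The ~1 kB cipher string is dropped into the middle of __ast_http_load (which starts and ends outside this hunk) as an anonymous literal; hoist it to a file-scope `static const char default_https_ciphers[] = "ECDHE-RSA-AES128-GCM-SHA256:…";` sitting under the Mozilla comment and keep `http_tls_cfg.cipher = ast_strdup(default_https_ciphers);` here, so the next profile refresh is a one-place edit and the comment can record exactly which profile revision was copied. That comment should also say "intermediate (compatibility)" rather than "modern", because the list deliberately keeps non-forward-secret static-RSA suites (`AES128-SHA` and friends) and `DES-CBC3-SHA` at its tail. The ECDHE-/DHE- suites at the head of the list are only negotiable if the SSL_CTX also gets an EC curve and DH parameters installed, which nothing in this hunk shows — worth confirming in __ssl_setup, since otherwise clients silently land on the static-RSA suites despite the server-preference flag. As before, the `ast_strdup` result is not checked for NULL; that is pre-existing, but it is the one allocation here that can now plausibly matter.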
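Review bot: Removing `tlscipher`/`sslcipher` from the skip chain silently changes what those http.conf keys mean — they used to be ignored here and now reach ast_tls_read_conf and override the hardened default set earlier in __ast_http_load — but nothing in the code records that; add a comment above the chain, `/* tlscipher/sslcipher and the tlsdisablev*/tlsservercipherorder keys fall through to ast_tls_read_conf and override the built-in HTTPS defaults */`. The three client-only keys still being skipped is fine for a server context, but a one-line comment saying why they are excluded would spare the next reader a trip to tcptls.c. __ast_http_load continues outside the hunk.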
@@ -759,7 +759,8 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
 return 0;
 #else
 int disable_ssl = 0;
-
+ long ssl_opts = 0;
+
 if (!cfg->enabled) {
 return 0;
 }
@@ -807,11 +808,24 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
 * them. SSLv23_*_method supports TLSv1+.
 */
 if (disable_ssl) {
- long ssl_opts;
+ ssl_opts |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+ }
+
+ if (ast_test_flag(&cfg->flags, AST_SSL_SERVER_CIPHER_ORDER)) {
+ ssl_opts |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+ }
- ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
- SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
+ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV1)) {
+ ssl_opts |= SSL_OP_NO_TLSv1;
 }
+ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV11)) {
+ ssl_opts |= SSL_OP_NO_TLSv1_1;
+ }
+ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV12)) {
+ ssl_opts |= SSL_OP_NO_TLSv1_2;
+ }
+
+ SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
 SSL_CTX_set_verify(cfg->ssl_ctx,
 ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE,
@@ -1164,6 +1178,14 @@ int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_
 ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
 ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
 }
+ } else if (!strcasecmp(varname, "tlsservercipherorder")) {
+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_SERVER_CIPHER_ORDER);
+ } else if (!strcasecmp(varname, "tlsdisablev1")) {
+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV1);
+ } else if (!strcasecmp(varname, "tlsdisablev11")) {
+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV11);
+ } else if (!strcasecmp(varname, "tlsdisablev12")) {
+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV12);
 } else {
 return -1;
 }
diff --git a/main/udptl.c b/main/udptl.c
index 4e878195c..e8410cc8b 100644
--- a/main/udptl.c
+++ b/main/udptl.c
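Review bot: `SSL_OP_NO_TLSv1_1` and `SSL_OP_NO_TLSv1_2` are used unguarded in the two new blocks of the second hunk; those macros only exist in OpenSSL builds that implement TLS 1.1/1.2, so if this tree is still built against an older OpenSSL the file stops compiling — wrap each block in `#ifdef SSL_OP_NO_TLSv1_1` … `#endif` and `#ifdef SSL_OP_NO_TLSv1_2` … `#endif`, and log a warning in an `#else` branch so a `tlsdisablev11=yes` that cannot be honoured is not silently ignored. Separately, nothing prevents a configuration that combines `disable_ssl` with all three `tlsdisablev*` flags, which leaves no protocol version enabled and turns every handshake into an unhelpful OpenSSL error; a check once the flags are accumulated, along the lines of `if ((ssl_opts & (SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2)) == (SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2)) { ast_log(LOG_WARNING, "All TLS versions disabled, no connections will succeed\n"); }`, gives the operator an actionable message (this assumes the linked OpenSSL offers no newer protocol, which I cannot tell from here). __ssl_setup starts and ends outside the hunk.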
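Review bot: In the third hunk the four new keys feed `ast_true(value)` straight into ast_set2_flag, so any value that is not a recognised affirmative — a typo such as `tlsdisablev1=ture` — clears the flag and silently re-enables the protocol the operator meant to switch off; because these are hardening knobs, reject unparseable values with a warning before the flag is touched, `if (!ast_true(value) && !ast_false(value)) { ast_log(LOG_WARNING, "Invalid value '%s' for %s\n", value, varname); }` (presumably ast_false is available next to ast_true, as elsewhere in the code base). It is also worth a comment that, since ast_set2_flag only clears on an explicit false value, deleting one of these lines from the config leaves the previous setting in force across a reload unless the caller resets the flags first — I cannot see the caller's reset from this hunk, so please confirm it. ast_tls_read_conf's if/else chain starts outside the hunk.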
@@ -305,16 +305,15 @@ static int decode_open_type(uint8_t *buf, unsigned int limit, unsigned int *len,
 if (decode_length(buf, limit, len, &octet_cnt) != 0)
 return -1;
- if (octet_cnt > 0) {
- /* Make sure the buffer contains at least the number of bits requested */
- if ((*len + octet_cnt) > limit)
- return -1;
-
- *p_num_octets = octet_cnt;
- *p_object = &buf[*len];
- *len += octet_cnt;
+ /* Make sure the buffer contains at least the number of bits requested */
+ if ((*len + octet_cnt) > limit) {
+ return -1;
 }
+ *p_num_octets = octet_cnt;
+ *p_object = &buf[*len];
+ *len += octet_cnt;
+
 return 0;
 }
 /*- End of function --------------------------------------------------------*/ |
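Review bot: The new bounds check `(*len + octet_cnt) > limit` is unsigned-int arithmetic on a count that came off the wire through decode_length, and unless decode_length already caps octet_cnt (not visible here) a large value wraps the sum and the check passes; write it in the non-wrapping form `if (*len > limit || octet_cnt > limit - *len) {` so it is correct whatever decode_length returns. The comment should also say octets rather than bits, since octet_cnt is added to a byte index: `/* Make sure the buffer contains at least the number of octets requested */`. Note that with octet_cnt == 0 the function now sets `*p_object = &buf[*len]`, which is the one-past-the-end address when `*len == limit`; that is legal only as long as no caller dereferences it when `*p_num_octets` is 0, which is worth stating in the function's header comment. decode_open_type starts outside the hunk.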