From 6a799cd78f0f26f26afab8b123e04f16c0308c36 Mon Sep 17 00:00:00 2001 From: Mark Michelson Date: Thu, 4 Feb 2016 16:17:55 -0600 Subject: Check for OpenSSL defines before trying to use them. The SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 defines did not exist prior to OpenSSL version 1.0.1. A recent commit attempts to, by default, set these options, which can cause problems on systems with older OpenSSL installations. This commit adds a configure script check for those defines and will not attempt to make use of those if they do not exist. We will print a warning urging the user to upgrade their OpenSSL installation if those defines are not present. Change-Id: I6a2eb9a43fd0738b404d8f6f2cf4b5c22d9d752d --- main/tcptls.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'main/tcptls.c') diff --git a/main/tcptls.c b/main/tcptls.c index 6f37724d9..34baf9a0e 100644 --- a/main/tcptls.c +++ b/main/tcptls.c @@ -818,12 +818,17 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client) if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV1)) { ssl_opts |= SSL_OP_NO_TLSv1; } +#if defined(HAVE_SSL_OP_NO_TLSV1_1) && defined(HAVE_SSL_OP_NO_TLSV1_2) if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV11)) { ssl_opts |= SSL_OP_NO_TLSv1_1; } if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV12)) { ssl_opts |= SSL_OP_NO_TLSv1_2; } +#else + ast_log(LOG_WARNING, "Your version of OpenSSL leaves you potentially vulnerable " + "to the SSL BEAST attack. Please upgrade to OpenSSL 1.0.1 or later\n"); +#endif SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts); -- cgit v1.2.3