diff options
| author | Benny Prijono <bennylp@teluu.com> | 2014-07-02 18:57:53 +0000 |
|---|---|---|
| committer | Benny Prijono <bennylp@teluu.com> | 2014-07-02 18:57:53 +0000 |
| commit | 0afb0fd54874856944a4df43f6242cbd46868999 (patch) | |
| tree | 9372779d18bc0e5b6d2bdd84c1576d01710d699c | |
| parent | 818f603bbf1ca0a48f07565750a8e12691a813a2 (diff) | |
Closed #1775: Changing OpenSSL default method from TLSv1 to SSLv23 to enable enable AES-GCM cipher suites in default (thanks Alexander Traud for the patch).
Also fixed a bug in SIP TLS transport (sip_transport_tls.c). According to [https://trac.pjsip.org/repos/browser/pjproject/trunk/pjsip/include/pjsip/sip_transport_tls.h#L94 sip_transport_tls.h:94], when PJSIP_SSL_UNSPECIFIED_METHOD is set as method, PJSIP_SSL_DEFAULT_METHOD will be used. But the implementation uses PJ_SSL_SOCK_PROTO_DEFAULT instead of PJSIP_SSL_DEFAULT_METHOD. Currently this is fine because both resolve to TLSv1, but the patch will break it.
git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@4869 74dad513-b988-da41-8d7b-12977e46ad98
| -rw-r--r-- | pjlib/src/pj/ssl_sock_ossl.c | 2 | ||||
| -rw-r--r-- | pjsip/src/pjsip/sip_transport_tls.c | 15 |
2 files changed, 13 insertions, 4 deletions
diff --git a/pjlib/src/pj/ssl_sock_ossl.c b/pjlib/src/pj/ssl_sock_ossl.c index cc99433d..9f83a0db 100644 --- a/pjlib/src/pj/ssl_sock_ossl.c +++ b/pjlib/src/pj/ssl_sock_ossl.c @@ -506,7 +506,6 @@ static pj_status_t create_ssl(pj_ssl_sock_t *ssock) /* Determine SSL method to use */ switch (ssock->param.proto) { - case PJ_SSL_SOCK_PROTO_DEFAULT: case PJ_SSL_SOCK_PROTO_TLS1: ssl_method = (SSL_METHOD*)TLSv1_method(); break; @@ -518,6 +517,7 @@ static pj_status_t create_ssl(pj_ssl_sock_t *ssock) case PJ_SSL_SOCK_PROTO_SSL3: ssl_method = (SSL_METHOD*)SSLv3_method(); break; + case PJ_SSL_SOCK_PROTO_DEFAULT: case PJ_SSL_SOCK_PROTO_SSL23: ssl_method = (SSL_METHOD*)SSLv23_method(); break; diff --git a/pjsip/src/pjsip/sip_transport_tls.c b/pjsip/src/pjsip/sip_transport_tls.c index 4e890e10..aa486987 100644 --- a/pjsip/src/pjsip/sip_transport_tls.c +++ b/pjsip/src/pjsip/sip_transport_tls.c @@ -274,7 +274,7 @@ PJ_DEF(pj_status_t) pjsip_tls_transport_start2( pjsip_endpoint *endpt, { pj_pool_t *pool; pj_bool_t is_ipv6; - int af; + int af, sip_ssl_method; struct tls_listener *listener; pj_ssl_sock_param ssock_param; pj_sockaddr *listener_addr; @@ -367,7 +367,11 @@ PJ_DEF(pj_status_t) pjsip_tls_transport_start2( pjsip_endpoint *endpt, has_listener = PJ_FALSE; - switch(listener->tls_setting.method) { + sip_ssl_method = listener->tls_setting.method; + if (sip_ssl_method==PJSIP_SSL_UNSPECIFIED_METHOD) + sip_ssl_method = PJSIP_SSL_DEFAULT_METHOD; + + switch(sip_ssl_method) { case PJSIP_TLSV1_METHOD: ssock_param.proto = PJ_SSL_SOCK_PROTO_TLS1; break; @@ -958,6 +962,7 @@ static pj_status_t lis_create_transport(pjsip_tpfactory *factory, { struct tls_listener *listener; struct tls_transport *tls; + int sip_ssl_method; pj_pool_t *pool; pj_grp_lock_t *glock; pj_ssl_sock_t *ssock; @@ -1021,7 +1026,11 @@ static pj_status_t lis_create_transport(pjsip_tpfactory *factory, &listener->tls_setting.sockopt_params, sizeof(listener->tls_setting.sockopt_params)); - switch(listener->tls_setting.method) { + sip_ssl_method = listener->tls_setting.method; + if (sip_ssl_method==PJSIP_SSL_UNSPECIFIED_METHOD) + sip_ssl_method = PJSIP_SSL_DEFAULT_METHOD; + + switch(sip_ssl_method) { case PJSIP_TLSV1_METHOD: ssock_param.proto = PJ_SSL_SOCK_PROTO_TLS1; break; |