From 835fae422744c23ffb341e499950a685507745fc Mon Sep 17 00:00:00 2001
From: Brian West <brian@freeswitch.org>
Date: Fri, 18 Jul 2014 09:10:15 -0500
Subject: [PATCH] Any browser (Firefox, Chrome, Opera) that can run Verto can
 do TLS1.2, We shouldn't lower the bar when we don't need too.

---
 src/mod/endpoints/mod_verto/mod_verto.c | 11 +++++++++++
 src/mod/endpoints/mod_verto/ws.c        | 14 ++++++++++++--
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/src/mod/endpoints/mod_verto/mod_verto.c b/src/mod/endpoints/mod_verto/mod_verto.c
index a5897fbbb6..1b3d48f2dd 100644
--- a/src/mod/endpoints/mod_verto/mod_verto.c
+++ b/src/mod/endpoints/mod_verto/mod_verto.c
@@ -150,6 +150,17 @@ static void verto_init_ssl(verto_profile_t *profile)
 	profile->ssl_ready = 1;
 	assert(profile->ssl_ctx);
 
+	/* Disable SSLv2 */
+	SSL_CTX_set_options(profile->ssl_ctx, SSL_OP_NO_SSLv2);
+	/* Disable SSLv3 */
+	SSL_CTX_set_options(profile->ssl_ctx, SSL_OP_NO_SSLv3);
+	/* Disable TLSv1 */
+	SSL_CTX_set_options(profile->ssl_ctx, SSL_OP_NO_TLSv1);
+	/* Disable TLSv1_1 */
+	SSL_CTX_set_options(profile->ssl_ctx, SSL_OP_NO_TLSv1_1);
+	/* Disable Compression CRIME (Compression Ratio Info-leak Made Easy) */
+	SSL_CTX_set_options(profile->ssl_ctx, SSL_OP_NO_COMPRESSION);
+
 	/* set the local certificate from CertFile */
 	if (!zstr(profile->chain)) {
 		SSL_CTX_use_certificate_chain_file(profile->ssl_ctx, profile->chain);
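Review bot: The added `SSL_OP_NO_TLSv1_1` and `SSL_OP_NO_COMPRESSION` options in verto_init_ssl are used unconditionally, but older OpenSSL headers do not define them (they arrived in 1.0.1 and 1.0.0 respectively), so the module would stop building there if the project still targets such systems. Guarding each with `#ifdef SSL_OP_NO_TLSv1_1` / `#ifdef SSL_OP_NO_COMPRESSION`, and logging when the TLS 1.2 floor cannot be enforced, would keep the build working without hiding the weaker configuration. The call that creates `profile->ssl_ctx` is outside the hunk; if it uses a fixed-version method such as the `TLSv1_server_method()` that ws.c used before this patch, disabling TLSv1 would leave no protocol enabled, so confirm it is `SSLv23_server_method()`. As a style point, the five calls can be one: `SSL_CTX_set_options(profile->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_COMPRESSION);`.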
diff --git a/src/mod/endpoints/mod_verto/ws.c b/src/mod/endpoints/mod_verto/ws.c
index 3b152e4fec..e9100e2977 100644
--- a/src/mod/endpoints/mod_verto/ws.c
+++ b/src/mod/endpoints/mod_verto/ws.c
@@ -92,10 +92,20 @@ void init_ssl(void) {
 
 	OpenSSL_add_all_algorithms();   /* load & register cryptos */
 	SSL_load_error_strings();     /* load all error messages */
-	ws_globals.ssl_method = TLSv1_server_method();   /* create server instance */
+	ws_globals.ssl_method = SSLv23_server_method();   /* create server instance */
 	ws_globals.ssl_ctx = SSL_CTX_new(ws_globals.ssl_method);         /* create context */
 	assert(ws_globals.ssl_ctx);
-	
+
+	/* Disable SSLv2 */
+	SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_SSLv2);
+	/* Disable SSLv3 */
+	SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_SSLv3);
+	/* Disable TLSv1 */
+	SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_TLSv1);
+	/* Disable TLSv1_1 */
+	SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_TLSv1_1);
+	/* Disable Compression CRIME (Compression Ratio Info-leak Made Easy) */
+	SSL_CTX_set_options(globals.ssl_ctx, SSL_OP_NO_COMPRESSION);
 	/* set the local certificate from CertFile */
 	SSL_CTX_use_certificate_file(ws_globals.ssl_ctx, ws_globals.cert, SSL_FILETYPE_PEM);
 	/* set the private key from KeyFile */
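Review bot: The added `SSL_CTX_set_options` calls in init_ssl operate on `globals.ssl_ctx`, while the context created and used on the surrounding lines is `ws_globals.ssl_ctx`. Unless a separate `globals` object is declared outside this hunk, this will not compile. If one does exist, the options land on a different context, and `ws_globals.ssl_ctx`, now created with `SSLv23_server_method()`, would accept whatever protocol versions the library allows by default, which is weaker than the `TLSv1_server_method()` it replaces. The calls should target the same context, for example `SSL_CTX_set_options(ws_globals.ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_COMPRESSION);`. init_ssl's body continues outside the hunk.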