Allow setting enabled TLS versions in Sofia-SIP

Previously if the TPTAG_TLS_VERSION was set to a non-zero value we supported only TLSv1 (but not TLSv1.1 or TLSv1.2), and if was set to zero we supported all versions of TLS and SSL (including the ridiculous SSLv2). Now we take an integer field where various bits can be set indicating which versions of TLS we would like to support.
2014-02-06 00:18:05 +00:00 · 2014-02-06 00:18:05 +00:00 · e3b353e911
parent fd0d91c2b6
commit e3b353e911
2 changed files with 25 additions and 21 deletions
--- a/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
@ -180,6 +180,14 @@ TPORT_DLL extern tag_typedef_t tptag_certificate;
 TPORT_DLL extern tag_typedef_t tptag_certificate_ref;
 #define TPTAG_CERTIFICATE_REF(x) tptag_certificate_ref, tag_str_vr(&(x))

+enum tport_tls_version {
+  TPTLS_VERSION_SSLv2 = (1 << 0),
+  TPTLS_VERSION_SSLv3 = (1 << 1),
+  TPTLS_VERSION_TLSv1 = (1 << 2),
+  TPTLS_VERSION_TLSv1_1 = (1 << 3),
+  TPTLS_VERSION_TLSv1_2 = (1 << 4),
+};
+
 TPORT_DLL extern tag_typedef_t tptag_tls_version;
 #define TPTAG_TLS_VERSION(x) tptag_tls_version, tag_uint_v((x))

--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
@ -295,27 +295,23 @@ int tls_init_context(tls_t *tls, tls_issues_t const *ti)
  signal(SIGPIPE, SIG_IGN);
 #endif

-  if (tls->ctx == NULL) {
-    const SSL_METHOD *meth;
-
-    /* meth = SSLv3_method(); */
-    /* meth = SSLv23_method(); */
-
-    if (ti->version)
-      meth = TLSv1_method();
-    else
-      meth = SSLv23_method();
-
-    tls->ctx = SSL_CTX_new((SSL_METHOD*)meth);
-	SSL_CTX_sess_set_remove_cb(tls->ctx, NULL);
-  }
-
-  if (tls->ctx == NULL) {
-    tls_log_errors(1, "tls_init_context", 0);
-    errno = EIO;
-    return -1;
-  }
-
+  if (tls->ctx == NULL)
+    if (!(tls->ctx = SSL_CTX_new((SSL_METHOD*)SSLv23_method()))) {
+      tls_log_errors(1, "SSL_CTX_new() failed", 0);
+      errno = EIO;
+      return -1;
+    }
+  if (!(ti->version & TPTLS_VERSION_SSLv2))
+    SSL_CTX_set_options(tls->ctx, SSL_OP_NO_SSLv2);
+  if (!(ti->version & TPTLS_VERSION_SSLv3))
+    SSL_CTX_set_options(tls->ctx, SSL_OP_NO_SSLv3);
+  if (!(ti->version & TPTLS_VERSION_TLSv1))
+    SSL_CTX_set_options(tls->ctx, SSL_OP_NO_TLSv1);
+  if (!(ti->version & TPTLS_VERSION_TLSv1_1))
+    SSL_CTX_set_options(tls->ctx, SSL_OP_NO_TLSv1_1);
+  if (!(ti->version & TPTLS_VERSION_TLSv1_2))
+    SSL_CTX_set_options(tls->ctx, SSL_OP_NO_TLSv1_2);
+  SSL_CTX_sess_set_remove_cb(tls->ctx, NULL);
  SSL_CTX_set_timeout(tls->ctx, ti->timeout);

  /* Set callback if we have a passphrase */