From e3b353e911b4a7cc7a955d43016c81b75ddcea84 Mon Sep 17 00:00:00 2001
From: Travis Cross
Date: Thu, 6 Feb 2014 00:18:05 +0000
Subject: [PATCH] Allow setting enabled TLS versions in Sofia-SIP
Previously if the TPTAG_TLS_VERSION was set to a non-zero value we supported only TLSv1 (but not TLSv1.1 or TLSv1.2), and if was set to zero we supported all versions of TLS and SSL (including the ridiculous SSLv2). Now we take an integer field where various bits can be set indicating which versions of TLS we would like to support.
---
.../tport/sofia-sip/tport_tag.h | 8 ++++
.../libsofia-sip-ua/tport/tport_tls.c | 38 +++++++++----------
2 files changed, 25 insertions(+), 21 deletions(-)
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h b/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
index 3abbbcbac4..e00a61c2cf 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
@@ -180,6 +180,14 @@ TPORT_DLL extern tag_typedef_t tptag_certificate;
 TPORT_DLL extern tag_typedef_t tptag_certificate_ref;
 #define TPTAG_CERTIFICATE_REF(x) tptag_certificate_ref, tag_str_vr(&(x))
+enum tport_tls_version {
+ TPTLS_VERSION_SSLv2 = (1 << 0),
+ TPTLS_VERSION_SSLv3 = (1 << 1),
+ TPTLS_VERSION_TLSv1 = (1 << 2),
+ TPTLS_VERSION_TLSv1_1 = (1 << 3),
+ TPTLS_VERSION_TLSv1_2 = (1 << 4),
+};
+
 TPORT_DLL extern tag_typedef_t tptag_tls_version;
 #define TPTAG_TLS_VERSION(x) tptag_tls_version, tag_uint_v((x))
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
index 28cdf69bd6..853e2bb398 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
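Review bot: The new `enum tport_tls_version` in tport_tag.h carries no comment saying its values are bit flags to be OR-ed into TPTAG_TLS_VERSION(), and an enum is normally read as a set of exclusive choices, so a caller can easily pass a single enumerator or a plain version number. Suggest `/** Bit mask of protocol versions to enable with TPTAG_TLS_VERSION(); OR the flags together. */` above `enum tport_tls_version {`, plus a sentence on what a mask of 0 means, since the tport_tls.c hunk in this commit disables every protocol for 0. A short note that SSLv2 and SSLv3 are listed only for completeness and are not recommended would also help future readers of the header.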
@@ -295,27 +295,23 @@ int tls_init_context(tls_t *tls, tls_issues_t const *ti)
 signal(SIGPIPE, SIG_IGN);
 #endif
- if (tls->ctx == NULL) {
- const SSL_METHOD *meth;
-
- /* meth = SSLv3_method(); */
- /* meth = SSLv23_method(); */
-
- if (ti->version)
- meth = TLSv1_method();
- else
- meth = SSLv23_method();
-
- tls->ctx = SSL_CTX_new((SSL_METHOD*)meth);
- SSL_CTX_sess_set_remove_cb(tls->ctx, NULL);
- }
-
- if (tls->ctx == NULL) {
- tls_log_errors(1, "tls_init_context", 0);
- errno = EIO;
- return -1;
- }
-
+ if (tls->ctx == NULL)
+ if (!(tls->ctx = SSL_CTX_new((SSL_METHOD*)SSLv23_method()))) {
+ tls_log_errors(1, "SSL_CTX_new() failed", 0);
+ errno = EIO;
+ return -1;
+ }
+ if (!(ti->version & TPTLS_VERSION_SSLv2))
+ SSL_CTX_set_options(tls->ctx, SSL_OP_NO_SSLv2);
+ if (!(ti->version & TPTLS_VERSION_SSLv3))
+ SSL_CTX_set_options(tls->ctx, SSL_OP_NO_SSLv3);
+ if (!(ti->version & TPTLS_VERSION_TLSv1))
+ SSL_CTX_set_options(tls->ctx, SSL_OP_NO_TLSv1);
+ if (!(ti->version & TPTLS_VERSION_TLSv1_1))
+ SSL_CTX_set_options(tls->ctx, SSL_OP_NO_TLSv1_1);
+ if (!(ti->version & TPTLS_VERSION_TLSv1_2))
+ SSL_CTX_set_options(tls->ctx, SSL_OP_NO_TLSv1_2);
+ SSL_CTX_sess_set_remove_cb(tls->ctx, NULL);
 SSL_CTX_set_timeout(tls->ctx, ti->timeout);
 /* Set callback if we have a passphrase */
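Review bot: A `ti->version` of 0 — the value that previously meant "all versions" and is what an unset tag naturally yields — now takes every `SSL_OP_NO_*` branch, so the context accepts no protocol at all and every handshake fails; unless another part of this commit installs a non-zero default, an explicit check before the option block (reject 0 with a logged error, or document it as "disable everything") would turn a silent outage into a visible one. On the path where `tls->ctx` already existed the same block runs again, and since `SSL_CTX_set_options()` only adds bits a version that was once disabled can never be re-enabled on that context — probably acceptable, but worth a comment such as `/* options are sticky: a reused ctx can only lose versions */`. `SSL_OP_NO_TLSv1_1` and `SSL_OP_NO_TLSv1_2` are not defined by OpenSSL releases that predate TLS 1.1/1.2 support, so if older toolchains are still built against, those two pairs need `#ifdef` guards or the minimum OpenSSL version should be stated in a comment. The brace-less `if (tls->ctx == NULL) if (!(tls->ctx = ...)) {` nesting invites a dangling-else mistake on the next edit; wrap the outer test as `if (tls->ctx == NULL) {` ... `}`. tls_init_context() begins and ends outside this hunk.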