Allow setting TLS cipher suites through Sofia-SIP API

Previously there was no way to override the hard-coded cipher suite
specification of "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH".

This commit does leave in place the hardcoded cipher spec for WebRTC
of "HIGH:!DSS:!aNULL@STRENGTH".

diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h b/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
index e00a61c2cf7db23e874560ad91c712fad7fadab1..6e0ef165d0e4e99d75f3e53a0e4d8a028ed34daa 100644 (file)
--- a/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
@@ -180,6 +180,12 @@ TPORT_DLL extern tag_typedef_t tptag_certificate;
 TPORT_DLL extern tag_typedef_t tptag_certificate_ref;
 #define TPTAG_CERTIFICATE_REF(x) tptag_certificate_ref, tag_str_vr(&(x))
 
+TPORT_DLL extern tag_typedef_t tptag_tls_ciphers;
+#define TPTAG_TLS_CIPHERS(x) tptag_tls_ciphers, tag_str_v((x))
+
+TPORT_DLL extern tag_typedef_t tptag_tls_ciphers_ref;
+#define TPTAG_TLS_CIPHERS_REF(x) tptag_tls_ciphers_ref, tag_str_vr(&(x))
+
 enum tport_tls_version {
   TPTLS_VERSION_SSLv2 = (1 << 0),
   TPTLS_VERSION_SSLv3 = (1 << 1),

diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c
index 495eaaf997ed5d5e5dfff71b6409a60b018a5187..59feeeceeee1008b4b0c499dda6b60225506d5b0 100644 (file)
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c
@@ -270,6 +270,14 @@ tag_typedef_t tptag_certificate = STRTAG_TYPEDEF(certificate);
  */
 tag_typedef_t tptag_compartment = PTRTAG_TYPEDEF(compartment);
 
+/**@def TPTAG_TLS_CIPHERS(x)
+ *
+ * Sets the supported TLS cipher suites.
+ *
+ * Use with tport_tbind(), nua_create(), nta_agent_create(),
+ * nta_agent_add_tport(), nth_engine_create(), or initial nth_site_create().
+ */
+tag_typedef_t tptag_tls_ciphers = STRTAG_TYPEDEF(tls_ciphers);
 
 /**@def TPTAG_TLS_VERSION(x)
  *

diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
index e88aa6b83d17b12b0e53fd2575191fb10a8c0006..0a50de4882282d23a0207382a8003f30e4028b9c 100644 (file)
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
@@ -202,7 +202,7 @@ void tls_set_default(tls_issues_t *i)
   i->key = i->key ? i->key : i->cert;
   i->randFile = i->randFile ? i->randFile : "tls_seed.dat";
   i->CAfile = i->CAfile ? i->CAfile : "cafile.pem";
-  i->cipher = i->cipher ? i->cipher : "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH";
+  i->ciphers = i->ciphers ? i->ciphers : "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH";
   /* Default SIP cipher */
   /* "RSA-WITH-AES-128-CBC-SHA"; */
   /* RFC-2543-compatibility ciphersuite */
@@ -381,7 +381,7 @@ int tls_init_context(tls_t *tls, tls_issues_t const *ti)
   SSL_CTX_set_verify_depth(tls->ctx, ti->verify_depth);
   SSL_CTX_set_verify(tls->ctx, verify, tls_verify_cb);
 
-  if (!SSL_CTX_set_cipher_list(tls->ctx, ti->cipher)) {
+  if (!SSL_CTX_set_cipher_list(tls->ctx, ti->ciphers)) {
     SU_DEBUG_1(("%s: error setting cipher list\n", "tls_init_context"));
     tls_log_errors(3, "tls_init_context", 0);
     errno = EIO;

diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
index 702dcc90400c189406f21e98c941d150aab6411c..0d806e7204a6b467f897d767f4253d9e2d7d140a 100644 (file)
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
@@ -60,7 +60,7 @@ typedef struct tls_issues_s {
   char *randFile;       /* Seed file for the PRNG (default: tls_seed.dat) */
   char *CAfile;                /* PEM file of CA's                           */
   char *CApath;                /* PEM file path of CA's                      */
-  char *cipher;         /* Should be one of the above defined ciphers *
+  char *ciphers;         /* Should be one of the above defined ciphers *
                         * or NULL (default: "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
                          */
   int   version;       /* For tls1, version is 1. When ssl3/ssl2 is

diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
index cd2ac9a9b6e8e63f5bfdeca275a0454d0966b47d..455f2b535ba15d6ca46879147924904e70ae2859 100644 (file)
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
@@ -180,6 +180,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
   char *homedir;
   char *tbf = NULL;
   char const *path = NULL;
+  char const *tls_ciphers = NULL;
   unsigned tls_version = 1;
   unsigned tls_timeout = 300;
   unsigned tls_verify = 0;
@@ -198,6 +199,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
 
   tl_gets(tags,
          TPTAG_CERTIFICATE_REF(path),
+         TPTAG_TLS_CIPHERS_REF(tls_ciphers),
          TPTAG_TLS_VERSION_REF(tls_version),
          TPTAG_TLS_TIMEOUT_REF(tls_timeout),
          TPTAG_TLS_VERIFY_PEER_REF(tls_verify),
@@ -225,6 +227,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
     ti.passphrase = su_strdup(autohome, passphrase);
     ti.cert = ti.key;
     ti.CAfile = su_sprintf(autohome, "%s/%s", path, "cafile.pem");
+    if (tls_ciphers) ti.ciphers = su_strdup(autohome, tls_ciphers);
     ti.version = tls_version;
     ti.timeout = tls_timeout;
     ti.CApath = su_strdup(autohome, path);