Support setting enabled TLS versions in mod_sofia
authorTravis Cross <tc@traviscross.com>
Thu, 6 Feb 2014 00:20:45 +0000 (00:20 +0000)
committerTravis Cross <tc@traviscross.com>
Thu, 6 Feb 2014 02:45:51 +0000 (02:45 +0000)
Previously, if tls-version was set to tlsv1 we supported only TLSv1,
but if it was set to sslv23 we supported every SSL/TLS version.  This
was odd, incorrectly documented behavior that we hope no one was
relying on.

Now we can pass a comma-separated list of TLS/SSL versions that we
would like to support in tls-version.

FS-5839 --resolve

src/mod/endpoints/mod_sofia/mod_sofia.h
src/mod/endpoints/mod_sofia/sofia.c

index 603b70ca9533dd040c5734c129655f29a6ed91ce..67d08819da2a3602b544aa3398ab40c50def7fe1 100644 (file)
@@ -438,6 +438,14 @@ typedef enum {
        SOFIA_TRANSPORT_SCTP
 } sofia_transport_t;
 
+typedef enum {
+       SOFIA_TLS_VERSION_SSLv2 = (1 << 0),
+       SOFIA_TLS_VERSION_SSLv3 = (1 << 1),
+       SOFIA_TLS_VERSION_TLSv1 = (1 << 2),
+       SOFIA_TLS_VERSION_TLSv1_1 = (1 << 3),
+       SOFIA_TLS_VERSION_TLSv1_2 = (1 << 4),
+} sofia_tls_version_t;
+
 typedef enum {
        SOFIA_GATEWAY_DOWN,
        SOFIA_GATEWAY_UP,
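Review bot: The new sofia_tls_version_t enum is a set of bit flags that get ORed into profile->tls_version (see the tls-version parsing in sofia.c), but nothing at the declaration says so, and a reader could mistake it for an ordinary one-of-N enum. Add a comment above the typedef such as `/* Bit flags: tls-version may name several of these, ORed into profile->tls_version. */`. Since the list deliberately includes SSLv2 and SSLv3, a note at the same spot that these are kept only for compatibility and should not be enabled on new deployments would help whoever wires them into the TLS layer, which this header does not show.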
index b46718d1dc792836ca31c0b2b275c8299c90f984..86cda022fc59405a638fe00d4951752e0fe9d2c2 100644 (file)
@@ -4579,11 +4579,26 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
                                        } else if (!strcasecmp(var, "tls-verify-in-subjects")) {
                                                profile->tls_verify_in_subjects_str = switch_core_strdup(profile->pool, val);
                                        } else if (!strcasecmp(var, "tls-version")) {
-
-                                               if (!strcasecmp(val, "tlsv1")) {
-                                                       profile->tls_version = 1;
-                                               } else {
-                                                       profile->tls_version = 0;
+                                               char *ps = val, *pe;
+                                               while (1) {
+                                                       int n;
+                                                       pe = strchr(ps,',');
+                                                       if (!pe && !(pe = memchr(ps,0,1024))) break;
+                                                       n = pe-ps;
+                                                       if (n==5 && !strncasecmp(ps, "sslv2", n))
+                                                               profile->tls_version |= SOFIA_TLS_VERSION_SSLv2;
+                                                       if (n==5 && !strncasecmp(ps, "sslv3", n))
+                                                               profile->tls_version |= SOFIA_TLS_VERSION_SSLv3;
+                                                       if (n==6 && !strncasecmp(ps, "sslv23", n))
+                                                               profile->tls_version |= SOFIA_TLS_VERSION_SSLv2 | SOFIA_TLS_VERSION_SSLv3;
+                                                       if (n==5 && !strncasecmp(ps, "tlsv1", n))
+                                                               profile->tls_version |= SOFIA_TLS_VERSION_TLSv1;
+                                                       if (n==7 && !strncasecmp(ps, "tlsv1.1", n))
+                                                               profile->tls_version |= SOFIA_TLS_VERSION_TLSv1_1;
+                                                       if (n==7 && !strncasecmp(ps, "tlsv1.2", n))
+                                                               profile->tls_version |= SOFIA_TLS_VERSION_TLSv1_2;
+                                                       ps=pe+1;
+                                                       if (!*pe) break;
                                                }
                                        } else if (!strcasecmp(var, "tls-timeout")) {
                                                int v = atoi(val);
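Review bot: A misspelled or unsupported token in tls-version (for example `tlsv12` or `tls1.3`) is silently ignored by the comparison chain, so a configuration with only typos leaves profile->tls_version untouched and the operator gets no diagnostic; each comparison should set a local `matched` flag and an unmatched token should be logged, e.g. `if (!matched) switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "Unknown tls-version token '%.*s' ignored\n", n, ps);`. The `memchr(ps,0,1024)` bound is arbitrary: if the final token is longer than 1024 bytes the loop breaks before examining it, and `pe = ps + strlen(ps);` (val is a NUL-terminated config string) expresses the intent without the magic number. Because the flags are only ever ORed in, the field relies on profile->tls_version starting at zero; if config_sofia can reach this branch with a non-zero value from a previous load, the accumulated set would never shrink, which is worth confirming against the profile-allocation code outside this hunk. Since the patch makes sslv2/sslv3 selectable alongside TLS, logging a warning when either bit is set would also help operators notice an insecure profile. The enclosing config_sofia function starts and ends outside this hunk.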