From: Brian West
Date: Wed, 21 Jun 2017 13:51:50 +0000 (-0500)
Subject: FS-10406: [mod_sofia] mod_sofia secure websocket connections SSLv3 and tls v1.0 is...
X-Git-Tag: v1.6.19~28
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=637f3b63362243237eecdbdd37b51620c39ea044;p=thirdparty%2Ffreeswitch.git

FS-10406: [mod_sofia] mod_sofia secure websocket connections SSLv3 and tls v1.0 is still not disabled #resolve
---

diff --git a/libs/sofia-sip/.update b/libs/sofia-sip/.update
index 207a8106df..4d7c2d3c76 100644
--- a/libs/sofia-sip/.update
+++ b/libs/sofia-sip/.update
@@ -1 +1 @@
-Tue Jun 6 09:36:46 CDT 2017
+Tue Jul 11 12:51:40 EDT 2017
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_ws.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_ws.c
index 6b525581f1..3ce3b4a005 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_ws.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_ws.c
@@ -390,6 +390,15 @@ static int tport_ws_init_primary_secure(tport_primary_t *pri,
 goto done;
 }
 
+ /* Disable SSLv2 */
+ SSL_CTX_set_options(wspri->ssl_ctx, SSL_OP_NO_SSLv2);
+ /* Disable SSLv3 */
+ SSL_CTX_set_options(wspri->ssl_ctx, SSL_OP_NO_SSLv3);
+ /* Disable TLSv1 */
+ SSL_CTX_set_options(wspri->ssl_ctx, SSL_OP_NO_TLSv1);
+ /* Disable Compression CRIME (Compression Ratio Info-leak Made Easy) */
+ SSL_CTX_set_options(wspri->ssl_ctx, SSL_OP_NO_COMPRESSION);
+
 if (chain) {
 if ( !SSL_CTX_use_certificate_chain_file(wspri->ssl_ctx, chain) ) {
 tls_log_errors(3, "tport_ws_init_primary_secure", 0);
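Review bot: The protocol floor added in tport_ws_init_primary_secure is a hard-coded denylist, so TLS 1.1 stays negotiable on the secure WebSocket listener and any later change of policy means editing this list again. The four calls can be one, `SSL_CTX_set_options(wspri->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_COMPRESSION);`, and on OpenSSL 1.1.0 or later `SSL_CTX_set_min_proto_version()` states the minimum directly instead of listing what is excluded. `SSL_OP_NO_COMPRESSION` is not defined by OpenSSL releases before 1.0.0, so if those are still a supported build target the flag needs an `#ifdef SSL_OP_NO_COMPRESSION` guard. The function body starts and ends outside the hunk, so whether a cipher list is also set on this context cannot be checked from here.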