From: Travis Cross Date: Thu, 6 Feb 2014 00:18:05 +0000 (+0000) Subject: Allow setting enabled TLS versions in Sofia-SIP X-Git-Tag: v1.2.20~31 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7f772b26012988f49f727ae765db28c6772b39c3;p=thirdparty%2Ffreeswitch.git Allow setting enabled TLS versions in Sofia-SIP Previously if the TPTAG_TLS_VERSION was set to a non-zero value we supported only TLSv1 (but not TLSv1.1 or TLSv1.2), and if was set to zero we supported all versions of TLS and SSL (including the ridiculous SSLv2). Now we take an integer field where various bits can be set indicating which versions of TLS we would like to support. --- diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h b/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h index 3abbbcbac4..e00a61c2cf 100644 --- a/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h +++ b/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h @@ -180,6 +180,14 @@ TPORT_DLL extern tag_typedef_t tptag_certificate; TPORT_DLL extern tag_typedef_t tptag_certificate_ref; #define TPTAG_CERTIFICATE_REF(x) tptag_certificate_ref, tag_str_vr(&(x)) +enum tport_tls_version { + TPTLS_VERSION_SSLv2 = (1 << 0), + TPTLS_VERSION_SSLv3 = (1 << 1), + TPTLS_VERSION_TLSv1 = (1 << 2), + TPTLS_VERSION_TLSv1_1 = (1 << 3), + TPTLS_VERSION_TLSv1_2 = (1 << 4), +}; + TPORT_DLL extern tag_typedef_t tptag_tls_version; #define TPTAG_TLS_VERSION(x) tptag_tls_version, tag_uint_v((x)) diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c index 828b3f313c..e88aa6b83d 100644 --- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c +++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c @@ -291,27 +291,23 @@ int tls_init_context(tls_t *tls, tls_issues_t const *ti) signal(SIGPIPE, SIG_IGN); #endif - if (tls->ctx == NULL) { - const SSL_METHOD *meth; - - /* meth = SSLv3_method(); */ - /* meth = SSLv23_method(); */ - - if (ti->version) - meth = TLSv1_method(); - else - meth = SSLv23_method(); - - tls->ctx = SSL_CTX_new((SSL_METHOD*)meth); - SSL_CTX_sess_set_remove_cb(tls->ctx, NULL); - } - - if (tls->ctx == NULL) { - tls_log_errors(1, "tls_init_context", 0); - errno = EIO; - return -1; - } - + if (tls->ctx == NULL) + if (!(tls->ctx = SSL_CTX_new((SSL_METHOD*)SSLv23_method()))) { + tls_log_errors(1, "SSL_CTX_new() failed", 0); + errno = EIO; + return -1; + } + if (!(ti->version & TPTLS_VERSION_SSLv2)) + SSL_CTX_set_options(tls->ctx, SSL_OP_NO_SSLv2); + if (!(ti->version & TPTLS_VERSION_SSLv3)) + SSL_CTX_set_options(tls->ctx, SSL_OP_NO_SSLv3); + if (!(ti->version & TPTLS_VERSION_TLSv1)) + SSL_CTX_set_options(tls->ctx, SSL_OP_NO_TLSv1); + if (!(ti->version & TPTLS_VERSION_TLSv1_1)) + SSL_CTX_set_options(tls->ctx, SSL_OP_NO_TLSv1_1); + if (!(ti->version & TPTLS_VERSION_TLSv1_2)) + SSL_CTX_set_options(tls->ctx, SSL_OP_NO_TLSv1_2); + SSL_CTX_sess_set_remove_cb(tls->ctx, NULL); SSL_CTX_set_timeout(tls->ctx, ti->timeout); /* Set callback if we have a passphrase */