AST-2014-011: Fix POODLE security issues

There are two aspects to the vulnerability:
(1) res_jabber/res_xmpp use SSLv3 only. This patch updates the module to use
    TLSv1+. At this time, it does not refactor res_jabber/res_xmpp to use the
    TCP/TLS core, which should be done as an improvement at a latter date.
(2) The TCP/TLS core, when tlsclientmethod/sslclientmethod is left unspecified,
    will default to the OpenSSL SSLv23_method. This method allows for all
    encryption methods, including SSLv2/SSLv3. A MITM can exploit this by
    forcing a fallback to SSLv3, which leaves the server vulnerable to POODLE.
    This patch adds WARNINGS if a user uses SSLv2/SSLv3 in their configuration,
    and explicitly disables SSLv2/SSLv3 if using SSLv23_method.

For TLS clients, Asterisk will default to TLSv1+ and WARN if SSLv2 or SSLv3 is
explicitly chosen. For TLS servers, Asterisk will no longer support SSLv2 or
SSLv3.

Much thanks to abelbeck for reporting the vulnerability and providing a patch
for the res_jabber/res_xmpp modules.

Review: https://reviewboard.asterisk.org/r/4096/

ASTERISK-24425 #close
Reported by: abelbeck
Tested by: abelbeck, opsmonitor, gtjoseph
patches:
  asterisk-1.8-jabber-tls.patch uploaded by abelbeck (License 5903)
  asterisk-11-jabber-xmpp-tls.patch uploaded by abelbeck (License 5903)
  AST-2014-011-1.8.diff uploaded by mjordan (License 6283)
  AST-2014-011-11.diff uploaded by mjordan (License 6283)
  AST-2014-011-12.diff uploaded by mjordan (License 6283)


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@425985 65c4cc65-6c06-0410-ace0-fbb531ad65f3

UPGRADE.txt

@@ -18,6 +18,18 @@
 ===
 ===========================================================
 
+from 1.8.31.0 to 1.8.31.1:
+
+* Due to the POODLE vulnerability (see 
+  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566), the
+  default TLS method for TLS clients will no longer allow SSLv3. As
+  SSLv2 was already deprecated, it is no longer allowed by default as
+  well. TLS servers no longer allow SSLv2 or SSLv3 connections. This
+  affects the chan_sip channel driver, AMI, and the Asterisk HTTP server.
+
+* The res_jabber resource module no longer uses SSLv3 to connect to an
+  XMPP server. It will now only use TLSv1 or later methods.
+
 from 1.8.28.2 to 1.8.29.0:
 * Added the inband_on_setup_ack compatibility option to chan_dahdi.conf to
   deal with switches that don't send an inband progress indication in the

main/tcptls.c

@@ -741,6 +741,8 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
 	cfg->enabled = 0;
 	return 0;
 #else
+	int disable_ssl = 0;
+
 	if (!cfg->enabled)
 		return 0;
 
@@ -755,22 +757,21 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
 	if (client) {
 #ifndef OPENSSL_NO_SSL2
 		if (ast_test_flag(&cfg->flags, AST_SSL_SSLV2_CLIENT)) {
+			ast_log(LOG_WARNING, "Usage of SSLv2 is discouraged due to known vulnerabilities. Please use 'tlsv1' or leave the TLS method unspecified!\n");
 			cfg->ssl_ctx = SSL_CTX_new(SSLv2_client_method());
 		} else
 #endif
 		if (ast_test_flag(&cfg->flags, AST_SSL_SSLV3_CLIENT)) {
+			ast_log(LOG_WARNING, "Usage of SSLv3 is discouraged due to known vulnerabilities. Please use 'tlsv1' or leave the TLS method unspecified!\n");
 			cfg->ssl_ctx = SSL_CTX_new(SSLv3_client_method());
 		} else if (ast_test_flag(&cfg->flags, AST_SSL_TLSV1_CLIENT)) {
 			cfg->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
 		} else {
-			/* SSLv23_client_method() sends SSLv2, this was the original
-			 * default for ssl clients before the option was given to
-			 * pick what protocol a client should use.  In order not
-			 * to break expected behavior it remains the default. */
+			disable_ssl = 1;
 			cfg->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
 		}
 	} else {
-		/* SSLv23_server_method() supports TLSv1, SSLv2, and SSLv3 inbound connections. */
+		disable_ssl = 1;
 		cfg->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
 	}
 
@@ -780,6 +781,17 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
 		return 0;
 	}
 
+	/* Due to the POODLE vulnerability, completely disable
+	 * SSLv2 and SSLv3 if we are not explicitly told to use
+	 * them. SSLv23_*_method supports TLSv1+.
+	 */
+	if (disable_ssl) {
+		long ssl_opts;
+
+		ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+		SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
+	}
+
 	SSL_CTX_set_verify(cfg->ssl_ctx,
 		ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE,
 		NULL);

res/res_jabber.c

@@ -1240,14 +1240,17 @@ static int aji_tls_handshake(struct aji_client *client)
 {
 	int ret;
 	int sock;
+	long ssl_opts;
 
 	ast_debug(1, "Starting TLS handshake\n");
 
 	/* Choose an SSL/TLS protocol version, create SSL_CTX */
-	client->ssl_method = SSLv3_method();
+	client->ssl_method = SSLv23_method();
 	if (!(client->ssl_context = SSL_CTX_new((SSL_METHOD *) client->ssl_method))) {
 		return IKS_NET_TLSFAIL;
 	}
+	ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+	SSL_CTX_set_options(client->ssl_context, ssl_opts);
 
 	/* Create new SSL session */
 	if (!(client->ssl_session = SSL_new(client->ssl_context))) {