diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h b/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
index e00a61c2cf..6e0ef165d0 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h
@@ -180,6 +180,12 @@ TPORT_DLL extern tag_typedef_t tptag_certificate;
 TPORT_DLL extern tag_typedef_t tptag_certificate_ref;
 #define TPTAG_CERTIFICATE_REF(x) tptag_certificate_ref, tag_str_vr(&(x))
 
+TPORT_DLL extern tag_typedef_t tptag_tls_ciphers;
+#define TPTAG_TLS_CIPHERS(x) tptag_tls_ciphers, tag_str_v((x))
+
+TPORT_DLL extern tag_typedef_t tptag_tls_ciphers_ref;
+#define TPTAG_TLS_CIPHERS_REF(x) tptag_tls_ciphers_ref, tag_str_vr(&(x))
+
 enum tport_tls_version {
   TPTLS_VERSION_SSLv2 = (1 << 0),
   TPTLS_VERSION_SSLv3 = (1 << 1),
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c
index 495eaaf997..59feeeceee 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c
@@ -270,6 +270,14 @@ tag_typedef_t tptag_certificate = STRTAG_TYPEDEF(certificate);
  */
 tag_typedef_t tptag_compartment = PTRTAG_TYPEDEF(compartment);
 
+/**@def TPTAG_TLS_CIPHERS(x)
+ *
+ * Sets the supported TLS cipher suites.
+ *
+ * Use with tport_tbind(), nua_create(), nta_agent_create(),
+ * nta_agent_add_tport(), nth_engine_create(), or initial nth_site_create().
+ */
+tag_typedef_t tptag_tls_ciphers = STRTAG_TYPEDEF(tls_ciphers);
 
 /**@def TPTAG_TLS_VERSION(x)
  *
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
index e88aa6b83d..0a50de4882 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c
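Review bot: The new doc comment for TPTAG_TLS_CIPHERS says what the tag is for but not what its value must look like, and that is what a caller needs: the string is handed verbatim to OpenSSL's SSL_CTX_set_cipher_list() in the tport_tls.c hunk of this same change, so it must be an OpenSSL cipher-list expression, not a list of suite names. Add a sentence such as `The value is an OpenSSL cipher-list string (see ciphers(1)); when unset, the default "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH" applies, and a list from which OpenSSL can select no cipher makes TLS transport initialisation fail.` — the default and the failure path are both visible in tport_tls.c. It may also be worth stating that the value is copied (su_strdup() in tport_type_tls.c), so the caller's string need not outlive the call.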
@@ -202,7 +202,7 @@ void tls_set_default(tls_issues_t *i)
   i->key = i->key ? i->key : i->cert;
   i->randFile = i->randFile ? i->randFile : "tls_seed.dat";
   i->CAfile = i->CAfile ? i->CAfile : "cafile.pem";
-  i->cipher = i->cipher ? i->cipher : "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH";
+  i->ciphers = i->ciphers ? i->ciphers : "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH";
   /* Default SIP cipher */
   /* "RSA-WITH-AES-128-CBC-SHA"; */
   /* RFC-2543-compatibility ciphersuite */
@@ -381,7 +381,7 @@ int tls_init_context(tls_t *tls, tls_issues_t const *ti)
   SSL_CTX_set_verify_depth(tls->ctx, ti->verify_depth);
   SSL_CTX_set_verify(tls->ctx, verify, tls_verify_cb);
 
-  if (!SSL_CTX_set_cipher_list(tls->ctx, ti->cipher)) {
+  if (!SSL_CTX_set_cipher_list(tls->ctx, ti->ciphers)) {
     SU_DEBUG_1(("%s: error setting cipher list\n", "tls_init_context"));
     tls_log_errors(3, "tls_init_context", 0);
     errno = EIO;
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
index 702dcc9040..0d806e7204 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h
@@ -60,7 +60,7 @@ typedef struct tls_issues_s {
   char *randFile;  /* Seed file for the PRNG (default: tls_seed.dat) */
   char *CAfile;    /* PEM file of CA's */
   char *CApath;    /* PEM file path of CA's */
-  char *cipher;    /* Should be one of the above defined ciphers *
+  char *ciphers;   /* Should be one of the above defined ciphers *
                    * or NULL (default: "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH */
   int version;     /* For tls1, version is 1. When ssl3/ssl2 is
diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
index cd2ac9a9b6..455f2b535b 100644
--- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
+++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c
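Review bot: The default kept on the renamed line, `"ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"`, excludes only anonymous DH; in OpenSSL's cipher-list syntax `ADH` does not cover the anonymous ECDH (AECDH) suites, which `ALL` includes, so a peer can still negotiate an unauthenticated handshake when nothing in the list forbids it. Since this line is being touched anyway, exclude the whole no-authentication class instead: `i->ciphers = i->ciphers ? i->ciphers : "ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:@STRENGTH";`. RC4 and 3DES also remain selectable under `ALL`; whether to add `!RC4:!3DES` depends on which legacy peers this build must still talk to, so that is a judgement call rather than a defect. tls_set_default's body starts before the hunk.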
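Review bot: Now that `ti->ciphers` can be supplied by the caller through a tag, note that SSL_CTX_set_cipher_list() reports success as soon as any suite in the string is recognised, so a mistyped list that silently drops the intended suites still passes here; only a string selecting nothing reaches the error branch. Logging the applied list at a low-priority SU_DEBUG_ level right after the call, e.g. `SU_DEBUG_5(("%s: cipher list \"%s\" applied\n", "tls_init_context", ti->ciphers));`, lets operators confirm what took effect. Also, with OpenSSL 1.1.1 and later this call does not govern TLS 1.3 suites (those go through SSL_CTX_set_ciphersuites()); if this build can negotiate TLS 1.3, a comment on this line saying the tag affects TLS 1.2 and below only would prevent a false sense of control. tls_init_context's body continues outside the hunk.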
@@ -180,6 +180,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
   char *homedir;
   char *tbf = NULL;
   char const *path = NULL;
+  char const *tls_ciphers = NULL;
   unsigned tls_version = 1;
   unsigned tls_timeout = 300;
   unsigned tls_verify = 0;
@@ -198,6 +199,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
 
   tl_gets(tags,
           TPTAG_CERTIFICATE_REF(path),
+          TPTAG_TLS_CIPHERS_REF(tls_ciphers),
           TPTAG_TLS_VERSION_REF(tls_version),
           TPTAG_TLS_TIMEOUT_REF(tls_timeout),
           TPTAG_TLS_VERIFY_PEER_REF(tls_verify),
@@ -225,6 +227,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
   ti.passphrase = su_strdup(autohome, passphrase);
   ti.cert = ti.key;
   ti.CAfile = su_sprintf(autohome, "%s/%s", path, "cafile.pem");
+  if (tls_ciphers) ti.ciphers = su_strdup(autohome, tls_ciphers);
   ti.version = tls_version;
   ti.timeout = tls_timeout;
   ti.CApath = su_strdup(autohome, path);
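Review bot: The added guard only tests for a NULL tag value, so `TPTAG_TLS_CIPHERS("")` from configuration is copied through and reaches SSL_CTX_set_cipher_list() as an empty string, which presumably selects no suite and aborts transport creation instead of falling back to the default list. If an empty value is meant to mean "use the default", tighten the guard to `if (tls_ciphers && *tls_ciphers) ti.ciphers = su_strdup(autohome, tls_ciphers);`; if failing loudly is the intended behaviour, say so in the TPTAG_TLS_CIPHERS documentation. The fallback in tls_set_default() also depends on `ti.ciphers` being NULL when no tag is given, i.e. on `ti` being zero-initialised earlier in tport_tls_init_master — that initialisation is outside the hunk, so confirm it. Like the neighbouring su_strdup() calls, the allocation result is unchecked, which matches the surrounding style; the function starts before the hunk and continues after it.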