Support setting enabled TLS versions in mod_sofia

Previously if tls-version was set to tlsv1 we supported only TLSv1,
but if it was set to sslv23 we supported all versions of TLS.  This
was a weird, incorrectly documented behavior that we hope no one was
relying on.

Now we can pass a comma-separated list of TLS/SSL versions that we
would like to support in tls-version.

FS-5839 --resolve
Travis Cross 2014-02-06 00:20:45 +00:00
parent 7f772b2601
commit 3a753f1de2
2 changed files with 28 additions and 5 deletions


@ -438,6 +438,14 @@ typedef enum {
SOFIA_TRANSPORT_SCTP
} sofia_transport_t;
typedef enum {
SOFIA_TLS_VERSION_SSLv2 = (1 << 0),
SOFIA_TLS_VERSION_SSLv3 = (1 << 1),
SOFIA_TLS_VERSION_TLSv1 = (1 << 2),
SOFIA_TLS_VERSION_TLSv1_1 = (1 << 3),
SOFIA_TLS_VERSION_TLSv1_2 = (1 << 4),
} sofia_tls_version_t;
typedef enum {
SOFIA_GATEWAY_DOWN,
SOFIA_GATEWAY_UP,
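Review bot: The new sofia_tls_version_t enum has no comment saying that its values are bit flags meant to be OR-ed together, which is how the config parser in the second file uses them (`profile->tls_version |= ...`); a reader of the header alone could take them for an ordinal. Suggest a one-line comment above the typedef: `/* bit flags: a profile's tls_version is the OR of every protocol version it should accept */`. It would also be worth noting next to SOFIA_TLS_VERSION_SSLv2 and SOFIA_TLS_VERSION_SSLv3 that these exist for configuration compatibility and are not recommended, so the option is not read as an endorsement.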


@ -4579,11 +4579,26 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
} else if (!strcasecmp(var, "tls-verify-in-subjects")) {
profile->tls_verify_in_subjects_str = switch_core_strdup(profile->pool, val);
} else if (!strcasecmp(var, "tls-version")) {
if (!strcasecmp(val, "tlsv1")) {
profile->tls_version = 1;
} else {
profile->tls_version = 0;
char *ps = val, *pe;
while (1) {
int n;
pe = strchr(ps,',');
if (!pe && !(pe = memchr(ps,0,1024))) break;
n = pe-ps;
if (n==5 && !strncasecmp(ps, "sslv2", n))
profile->tls_version |= SOFIA_TLS_VERSION_SSLv2;
if (n==5 && !strncasecmp(ps, "sslv3", n))
profile->tls_version |= SOFIA_TLS_VERSION_SSLv3;
if (n==6 && !strncasecmp(ps, "sslv23", n))
profile->tls_version |= SOFIA_TLS_VERSION_SSLv2 | SOFIA_TLS_VERSION_SSLv3;
if (n==5 && !strncasecmp(ps, "tlsv1", n))
profile->tls_version |= SOFIA_TLS_VERSION_TLSv1;
if (n==7 && !strncasecmp(ps, "tlsv1.1", n))
profile->tls_version |= SOFIA_TLS_VERSION_TLSv1_1;
if (n==7 && !strncasecmp(ps, "tlsv1.2", n))
profile->tls_version |= SOFIA_TLS_VERSION_TLSv1_2;
ps=pe+1;
if (!*pe) break;
}
} else if (!strcasecmp(var, "tls-timeout")) {
int v = atoi(val);
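Review bot: A token that matches none of the six `if` tests is silently dropped, so a typo or a space after a comma (`tlsv1.1, tlsv1.2`) leaves profile->tls_version at 0 with nothing in the log, and what 0 means downstream is not visible in this hunk. Suggest turning the independent `if`s into an `else if` chain that ends with `else if (n > 0) switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "Ignoring unrecognized tls-version token '%.*s'\n", n, ps);`, and skipping leading whitespace in the token before comparing. `memchr(ps,0,1024)` is an odd way to find the end of a NUL-terminated string (the `strcasecmp(val, ...)` branches above already rely on termination) and silently stops parsing a value longer than 1024 bytes; `pe = ps + strlen(ps)` does the same job without the size limit. Since the commit message notes that `sslv23` previously meant all versions and now maps to SSLv2|SSLv3 only, an existing config keeps working but becomes weaker without notice; logging a warning when SSLv2 or SSLv3 ends up enabled would make that downgrade visible to the operator. The enclosing config_sofia function starts and ends outside the hunk.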