From 8b4579c01d83e232806443525965a23f497e56b6 Mon Sep 17 00:00:00 2001
From: Travis Cross
Date: Thu, 6 Feb 2014 03:13:13 +0000
Subject: [PATCH] Support setting TLS cipher suites in mod_sofia
This adds a parameter tls-ciphers in which we can specify the TLS cipher suite specification for OpenSSL.
---
 src/mod/endpoints/mod_sofia/conf/sofia.conf.xml | 2 ++
 src/mod/endpoints/mod_sofia/mod_sofia.h | 1 +
 src/mod/endpoints/mod_sofia/sofia.c | 5 +++++
 3 files changed, 8 insertions(+)
diff --git a/src/mod/endpoints/mod_sofia/conf/sofia.conf.xml b/src/mod/endpoints/mod_sofia/conf/sofia.conf.xml
index 411ea3e44e..0977ef2d25 100644
--- a/src/mod/endpoints/mod_sofia/conf/sofia.conf.xml
+++ b/src/mod/endpoints/mod_sofia/conf/sofia.conf.xml
@@ -243,6 +243,8 @@ sets which subjects are allowed, multiple subjects can be split with a '|' pipe --> + +
diff --git a/src/mod/endpoints/mod_sofia/mod_sofia.h b/src/mod/endpoints/mod_sofia/mod_sofia.h
index 67d08819da..b42a6bcdce 100644
--- a/src/mod/endpoints/mod_sofia/mod_sofia.h
+++ b/src/mod/endpoints/mod_sofia/mod_sofia.h
@@ -620,6 +620,7 @@ struct sofia_profile {
 switch_port_t sip_port;
 switch_port_t extsipport;
 switch_port_t tls_sip_port;
+ char *tls_ciphers;
 int tls_version;
 unsigned int tls_timeout;
 char *inbound_codec_string;
diff --git a/src/mod/endpoints/mod_sofia/sofia.c b/src/mod/endpoints/mod_sofia/sofia.c
index 172df99e23..d4b969b472 100644
--- a/src/mod/endpoints/mod_sofia/sofia.c
+++ b/src/mod/endpoints/mod_sofia/sofia.c
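Review bot: The new `tls_ciphers` member in struct sofia_profile is undocumented, and the two assignments in sofia.c in this same patch give it either a string-literal default or a pool-allocated copy of the configured value, so the field must never be freed or written through. Suggest `char *tls_ciphers; /* OpenSSL cipher-list spec (tls-ciphers param); string literal or pool strdup, read-only, never free */`. struct sofia_profile starts and ends outside the hunk.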
@@ -2462,6 +2462,8 @@ void *SWITCH_THREAD_FUNC sofia_profile_thread_run(switch_thread_t *thread, void
 TPTAG_TLS_VERIFY_DATE(profile->tls_verify_date)),
 TAG_IF(sofia_test_pflag(profile, PFLAG_TLS) && profile->tls_verify_in_subjects,
 TPTAG_TLS_VERIFY_SUBJECTS(profile->tls_verify_in_subjects)),
+ TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
+ TPTAG_TLS_CIPHERS(profile->tls_ciphers)),
 TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
 TPTAG_TLS_VERSION(profile->tls_version)),
 TAG_IF(sofia_test_pflag(profile, PFLAG_TLS) && profile->tls_timeout,
@@ -3658,6 +3660,7 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
 profile->sip_force_expires = 0;
 profile->sip_expires_max_deviation = 0;
 profile->sip_subscription_max_deviation = 0;
+ profile->tls_ciphers = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH";
 profile->tls_version = SOFIA_TLS_VERSION_TLSv1;
 profile->tls_version |= SOFIA_TLS_VERSION_TLSv1_1;
 profile->tls_version |= SOFIA_TLS_VERSION_TLSv1_2;
@@ -4580,6 +4583,8 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
 profile->tls_passphrase = switch_core_strdup(profile->pool, val);
 } else if (!strcasecmp(var, "tls-verify-in-subjects")) {
 profile->tls_verify_in_subjects_str = switch_core_strdup(profile->pool, val);
+ } else if (!strcasecmp(var, "tls-ciphers")) {
+ profile->tls_ciphers = switch_core_strdup(profile->pool, val);
 } else if (!strcasecmp(var, "tls-version")) {
 char *ps = val, *pe;
 profile->tls_version = 0;
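Review bot: The default cipher string added in config_sofia, `"ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"`, still admits unauthenticated suites: `!ADH` removes only the anonymous-DH family, while `ALL` also contains the anonymous ECDH (AECDH) suites, which only `!aNULL` excludes; nothing in the list removes RC4 either. Consider `profile->tls_ciphers = "ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:!RC4:@STRENGTH";` as the built-in default so that a profile which never sets tls-ciphers cannot negotiate an unauthenticated or RC4 session. Note also that the literal is stored in a non-const `char *`, so the field has to be treated as read-only wherever it is consumed. config_sofia continues outside the hunk.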
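Review bot: The new `tls-ciphers` branch at -4580 stores `val` unvalidated, so an empty parameter value silently replaces the built-in default with an empty cipher list, and a mistyped spec is only detected when OpenSSL rejects it while the TLS transport is created, far from this code. Since `val` appears to come from the XML attribute (set outside the hunk), keep the default when the value is empty: `} else if (!strcasecmp(var, "tls-ciphers")) { if (!zstr(val)) profile->tls_ciphers = switch_core_strdup(profile->pool, val); }`, ideally with a WARNING log for the ignored value so the misconfiguration is visible. config_sofia's parameter loop starts and ends outside the hunk.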