From 8c2c464bec09ae3ee1632d332c2d777d1cdab7f2 Mon Sep 17 00:00:00 2001
From: Travis Cross
Date: Thu, 6 Feb 2014 00:20:45 +0000
Subject: [PATCH] Support setting enabled TLS versions in mod_sofia

Previously if tls-version was set to tlsv1 we supported only TLSv1, but if it was set to sslv23 we supported all versions of TLS. This was a weird incorrectly documented behavior that we hope no one was relying on. Now we can pass a comma-separated list of TLS/SSL versions that we would like to support in tls-version. FS-5839 --resolve
---
 src/mod/endpoints/mod_sofia/mod_sofia.h | 8 ++++++++
 src/mod/endpoints/mod_sofia/sofia.c | 25 ++++++++++++++++++++-----
 2 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/src/mod/endpoints/mod_sofia/mod_sofia.h b/src/mod/endpoints/mod_sofia/mod_sofia.h
index e307a005ba..25b98725e7 100644
--- a/src/mod/endpoints/mod_sofia/mod_sofia.h
+++ b/src/mod/endpoints/mod_sofia/mod_sofia.h
@@ -399,6 +399,14 @@ typedef enum {
 SOFIA_TRANSPORT_WSS
 } sofia_transport_t;
 
+typedef enum {
+ SOFIA_TLS_VERSION_SSLv2 = (1 << 0),
+ SOFIA_TLS_VERSION_SSLv3 = (1 << 1),
+ SOFIA_TLS_VERSION_TLSv1 = (1 << 2),
+ SOFIA_TLS_VERSION_TLSv1_1 = (1 << 3),
+ SOFIA_TLS_VERSION_TLSv1_2 = (1 << 4),
+} sofia_tls_version_t;
+
 typedef enum {
 SOFIA_GATEWAY_DOWN,
 SOFIA_GATEWAY_UP,
diff --git a/src/mod/endpoints/mod_sofia/sofia.c b/src/mod/endpoints/mod_sofia/sofia.c
index 753a8e4a40..7d02d77196 100644
--- a/src/mod/endpoints/mod_sofia/sofia.c
+++ b/src/mod/endpoints/mod_sofia/sofia.c
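Review bot: The new sofia_tls_version_t enumerators are bit flags meant to be OR-ed together, but nothing at the declaration says so or names the field they populate, so a reader of the header may test `profile->tls_version == SOFIA_TLS_VERSION_TLSv1` and silently miss combined values. Add a comment above the typedef such as `/* Bit flags for profile->tls_version: the set of SSL/TLS protocol versions a profile is allowed to negotiate. Combine with |, test with &. The SSLv2 and SSLv3 bits exist so a tls-version list can name them; both protocols are broken and are expected to stay disabled. */`. The trailing comma after `SOFIA_TLS_VERSION_TLSv1_2 = (1 << 4),` is valid C99 but rejected by C89-mode compilers; drop it if this header must build under stricter flags (the build settings are not visible here).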
@@ -4700,11 +4700,26 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
 } else if (!strcasecmp(var, "tls-verify-in-subjects") && !zstr(val)) {
 profile->tls_verify_in_subjects_str = switch_core_strdup(profile->pool, val);
 } else if (!strcasecmp(var, "tls-version") && !zstr(val)) {
-
- if (!strcasecmp(val, "tlsv1")) {
- profile->tls_version = 1;
- } else {
- profile->tls_version = 0;
+ char *ps = val, *pe;
+ while (1) {
+ int n;
+ pe = strchr(ps,',');
+ if (!pe && !(pe = memchr(ps,0,1024))) break;
+ n = pe-ps;
+ if (n==5 && !strncasecmp(ps, "sslv2", n))
+ profile->tls_version |= SOFIA_TLS_VERSION_SSLv2;
+ if (n==5 && !strncasecmp(ps, "sslv3", n))
+ profile->tls_version |= SOFIA_TLS_VERSION_SSLv3;
+ if (n==6 && !strncasecmp(ps, "sslv23", n))
+ profile->tls_version |= SOFIA_TLS_VERSION_SSLv2 | SOFIA_TLS_VERSION_SSLv3;
+ if (n==5 && !strncasecmp(ps, "tlsv1", n))
+ profile->tls_version |= SOFIA_TLS_VERSION_TLSv1;
+ if (n==7 && !strncasecmp(ps, "tlsv1.1", n))
+ profile->tls_version |= SOFIA_TLS_VERSION_TLSv1_1;
+ if (n==7 && !strncasecmp(ps, "tlsv1.2", n))
+ profile->tls_version |= SOFIA_TLS_VERSION_TLSv1_2;
+ ps=pe+1;
+ if (!*pe) break;
 }
 } else if (!strcasecmp(var, "tls-timeout")) {
 int v = atoi(val);
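Review bot: A token the if-chain does not recognize is silently skipped — `tlsv1, tlsv1.2` (space after the comma), `tls1.2` or any typo leaves `profile->tls_version` untouched with no log line, so an operator can believe a protocol list took effect when it did not; track a match per token and warn on the unmatched ones. The new code also only ever `|=`s into `profile->tls_version` and never clears it first, so a repeated tls-version parameter, or a non-zero default assigned before this loop (not visible here), can only widen the enabled set, whereas the removed code assigned it outright; `profile->tls_version = 0;` before `while (1)` restores that. `memchr(ps,0,1024)` guesses at the string length and breaks out without examining a last token that ends more than 1024 bytes past ps; `pe = ps + strlen(ps)` finds the terminator exactly. Note too that `sslv23` now maps to SSLv2|SSLv3 only, so a profile still carrying the previously documented value ends up negotiating just the two protocols that should stay off, which deserves its own warning. config_sofia starts and ends outside the hunk.
```c
} else if (!strcasecmp(var, "tls-version") && !zstr(val)) {
	char *ps = val, *pe;
	profile->tls_version = 0;	/* the configured list replaces, never widens, the enabled set */
	while (1) {
		int n, matched = 1;
		pe = strchr(ps, ',');
		if (!pe) pe = ps + strlen(ps);	/* last token runs to the terminator */
		n = pe - ps;
		if (n == 5 && !strncasecmp(ps, "sslv2", n)) {
			profile->tls_version |= SOFIA_TLS_VERSION_SSLv2;
		} else if (n == 5 && !strncasecmp(ps, "sslv3", n)) {
			profile->tls_version |= SOFIA_TLS_VERSION_SSLv3;
		} else if (n == 6 && !strncasecmp(ps, "sslv23", n)) {
			profile->tls_version |= SOFIA_TLS_VERSION_SSLv2 | SOFIA_TLS_VERSION_SSLv3;
		} else if (n == 5 && !strncasecmp(ps, "tlsv1", n)) {
			profile->tls_version |= SOFIA_TLS_VERSION_TLSv1;
		} else if (n == 7 && !strncasecmp(ps, "tlsv1.1", n)) {
			profile->tls_version |= SOFIA_TLS_VERSION_TLSv1_1;
		} else if (n == 7 && !strncasecmp(ps, "tlsv1.2", n)) {
			profile->tls_version |= SOFIA_TLS_VERSION_TLSv1_2;
		} else {
			matched = 0;
		}
		if (!matched) {
			/* make a typo or stray whitespace visible instead of silently dropping the token */
			switch_log_printf(SWITCH_CHANNEL_LOG, SWITCH_LOG_WARNING, "Ignoring unknown tls-version token '%.*s'\n", n, ps);
		}
		if (!*pe) break;
		ps = pe + 1;
	}
```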