Default to TLS connections only
Due to DROWN (CVE-2016-0800), SSLv2 must be disabled by default. This is the most straightforward way to ensure new installations are not vulnerable. The upgrade use case is not addressed by this PR, though I posted information to the forum: http://www.vpnusers.com/viewtopic.php?f=7&t=5596 This patch is made available under Contribution Option 1, to allow PacketiX to be fixed the same way.
This commit is contained in:
parent
d3a1b26413
commit
15876de6fb
@ -2577,6 +2577,9 @@ void SiLoadInitialConfiguration(SERVER *s)
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Default to TLS only; mitigates CVE-2016-0800
|
||||||
|
s->Cedar->AcceptOnlyTls = true;
|
||||||
|
|
||||||
// Auto saving interval related
|
// Auto saving interval related
|
||||||
s->AutoSaveConfigSpan = SERVER_FILE_SAVE_INTERVAL_DEFAULT;
|
s->AutoSaveConfigSpan = SERVER_FILE_SAVE_INTERVAL_DEFAULT;
|
||||||
s->BackupConfigOnlyWhenModified = true;
|
s->BackupConfigOnlyWhenModified = true;
|
||||||
@ -2762,6 +2765,9 @@ void SiInitConfiguration(SERVER *s)
|
|||||||
s->AutoSaveConfigSpan = SERVER_FILE_SAVE_INTERVAL_DEFAULT;
|
s->AutoSaveConfigSpan = SERVER_FILE_SAVE_INTERVAL_DEFAULT;
|
||||||
s->BackupConfigOnlyWhenModified = true;
|
s->BackupConfigOnlyWhenModified = true;
|
||||||
|
|
||||||
|
// Default to TLS only; mitigates CVE-2016-0800
|
||||||
|
s->Cedar->AcceptOnlyTls = true;
|
||||||
|
|
||||||
// IPsec server
|
// IPsec server
|
||||||
if (s->Cedar->Bridge == false)
|
if (s->Cedar->Bridge == false)
|
||||||
{
|
{
|
||||||
@ -6156,8 +6162,15 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
|
|||||||
SetGlobalServerFlag(GSF_DISABLE_SESSION_RECONNECT, CfgGetBool(f, "DisableSessionReconnect"));
|
SetGlobalServerFlag(GSF_DISABLE_SESSION_RECONNECT, CfgGetBool(f, "DisableSessionReconnect"));
|
||||||
|
|
||||||
// AcceptOnlyTls
|
// AcceptOnlyTls
|
||||||
|
if (CfgIsItem(f, "AcceptOnlyTls"))
|
||||||
|
{
|
||||||
c->AcceptOnlyTls = CfgGetBool(f, "AcceptOnlyTls");
|
c->AcceptOnlyTls = CfgGetBool(f, "AcceptOnlyTls");
|
||||||
}
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
c->AcceptOnlyTls = true;
|
||||||
|
}
|
||||||
|
}
|
||||||
Unlock(c->lock);
|
Unlock(c->lock);
|
||||||
|
|
||||||
#ifdef OS_UNIX
|
#ifdef OS_UNIX
|
||||||
|
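Review bot: The fallback `c->AcceptOnlyTls = true;` in the new else branch of SiLoadServerCfg only fires when the "AcceptOnlyTls" item is absent from the config file, so an installation whose saved config already carries an explicit `false` (the likely state for anything written by an older build, assuming the config writer persists this flag) keeps the insecure setting after upgrading; the commit message acknowledges this, but the code does not. I would add above the `else`: `// Item absent (fresh or hand-edited config): take the secure default, TLS only (CVE-2016-0800). An explicit "false" written by an older build is still honoured.` The secure default is now hard-coded in three places (this fallback plus the two initialisation paths in the earlier hunks); one named constant such as `#define CEDAR_ACCEPT_ONLY_TLS_DEFAULT true` used at all three sites would keep them from drifting. SiLoadServerCfg begins before this hunk, and the Lock that the trailing `Unlock(c->lock)` releases is outside it.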