1
0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2024-11-22 17:39:53 +03:00

Introduce DisableSslVersions.

The SSL Versions specified will be disabled on server context.
This commit is contained in:
Raymond Tau 2015-11-10 00:55:24 +08:00
parent d3a1b26413
commit 8b1b67faed
5 changed files with 67 additions and 11 deletions

View File

@ -404,7 +404,19 @@
#define KEEP_ALIVE_MAGIC 0xffffffff
#define MAX_KEEPALIVE_SIZE 512
// SSL/TLS Versions
#define SSL_VERSION_SSL_V2 0x01 // SSLv2
#define SSL_VERSION_SSL_V3 0x02 // SSLv3
#define SSL_VERSION_TLS_V1_0 0x04 // TLS v1.0
#define SSL_VERSION_TLS_V1_1 0x08 // TLS v1.1
#define SSL_VERSION_TLS_V1_2 0x10 // TLS v1.2
// SSL/TLS Version Names
#define NAME_SSL_VERSION_SSL_V2 "SSL_V2" // SSLv2
#define NAME_SSL_VERSION_SSL_V3 "SSL_V3" // SSLv3
#define NAME_SSL_VERSION_TLS_V1_0 "TLS_V1_0" // TLS v1.0
#define NAME_SSL_VERSION_TLS_V1_0 "TLS_V1_1" // TLS v1.1
#define NAME_SSL_VERSION_TLS_V1_0 "TLS_V1_2" // TLS v1.2
//////////////////////////////////////////////////////////////////////
//
@ -1053,6 +1065,7 @@ typedef struct CEDAR
LOCK *FifoBudgetLock; // Fifo budget lock
UINT FifoBudget; // Fifo budget
bool AcceptOnlyTls; // Accept only TLS (Disable SSL)
UINT DisableSslVersions = 0x0; // Bitmap of SSL Version to disable
char OpenVPNDefaultClientOption[MAX_SIZE]; // OpenVPN Default Client Option String
} CEDAR;

View File

@ -3137,10 +3137,8 @@ void ConnectionAccept(CONNECTION *c)
// Start the SSL communication
Debug("StartSSL()\n");
if (c->Cedar->AcceptOnlyTls)
{
s->AcceptOnlyTls = true;
}
s->DisableSslVersions = c->Cedar->DisableSslVersions;
if (StartSSL(s, x, k) == false)
{
// Failed

View File

@ -6157,6 +6157,39 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
// AcceptOnlyTls
c->AcceptOnlyTls = CfgGetBool(f, "AcceptOnlyTls");
if (c->AcceptOnlyTls) {
c->DisableSslVersions |= SSL_VERSION_SSL_V2;
c->DisableSslVersions |= SSL_VERSION_SSL_V3;
}
if (CfgGetStr(f, "DisableSslVersions", tmp, sizeof(tmp))) {
TOKEN_LIST *sslVersions= ParseToken(tmp, ", ");
UINT i;
for (i = 0;i < sslVersions->NumTokens;i++)
{
if (strcmp(tmp, NAME_SSL_VERSION_SSL_V2))
c->DisableSslVersions |= SSL_VERSION_SSL_V2;
continue;
}
if (strcmp(tmp, NAME_SSL_VERSION_SSL_V3))
c->DisableSslVersions |= SSL_VERSION_SSL_V3;
continue;
}
if (strcmp(tmp, NAME_SSL_VERSION_TLS_V1_0))
c->DisableSslVersions |= SSL_VERSION_TLS_V1_0;
continue;
}
if (strcmp(tmp, NAME_SSL_VERSION_TLS_V1_1))
c->DisableSslVersions |= SSL_VERSION_TLS_V1_1;
continue;
}
if (strcmp(tmp, NAME_SSL_VERSION_TLS_V1_2))
c->DisableSslVersions |= SSL_VERSION_TLS_V1_2;
continue;
}
}
FreeToken(sslVersions);
}
}
Unlock(c->lock);
@ -6467,6 +6500,8 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
CfgAddBool(f, "AcceptOnlyTls", c->AcceptOnlyTls);
CfgAddStr(f, "DisableSslVersions", c->DisableSslVersions);
// Disable session reconnect
CfgAddBool(f, "DisableSessionReconnect", GetGlobalServerFlag(GSF_DISABLE_SESSION_RECONNECT));
}

View File

@ -12965,16 +12965,25 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch
Lock(openssl_lock);
{
if (sock->ServerMode)
{
if (sock->AcceptOnlyTls == false)
{
SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method());
long ssl_opt_flags=0x0L;
if (sock->DisableSslVersions & SSL_VERSION_SSL_V2) {
ssl_opt_flags |= SSL_OP_NO_SSLv2;
}
else
{
SSL_CTX_set_ssl_version(ssl_ctx, TLSv1_method());
if (sock->DisableSslVersions & SSL_VERSION_SSL_V3) {
ssl_opt_flags |= SSL_OP_NO_SSLv3;
}
if (sock->DisableSslVersions & SSL_VERSION_TLS_V1_0) {
ssl_opt_flags |= SSL_OP_NO_TLSv1;
}
if (sock->DisableSslVersions & SSL_VERSION_TLS_V1_1) {
ssl_opt_flags |= SSL_OP_NO_TLSv1_1;
}
if (sock->DisableSslVersions & SSL_VERSION_TLS_V1_2) {
ssl_opt_flags |= SSL_OP_NO_TLSv1_2;
}
SSL_CTX_set_options(ssl_ctx, ssl_opt_flags);
Unlock(openssl_lock);
AddChainSslCertOnDirectory(ssl_ctx);
Lock(openssl_lock);

View File

@ -313,6 +313,7 @@ struct SOCK
UINT Reverse_MyServerPort; // Self port number when using the reverse socket
UCHAR Ssl_Init_Async_SendAlert[2]; // Initial state of SSL send_alert
bool AcceptOnlyTls; // Accept only TLS (disable SSLv3)
UINT DisableSslVersions; // Bitmap of SSL Version to disable
bool RawIP_HeaderIncludeFlag;
#ifdef ENABLE_SSL_LOGGING