diff --git a/src/Cedar/AzureClient.c b/src/Cedar/AzureClient.c index 447c6abd..78d5e01b 100644 --- a/src/Cedar/AzureClient.c +++ b/src/Cedar/AzureClient.c @@ -193,7 +193,7 @@ void AcWaitForRequest(AZURE_CLIENT *ac, SOCK *s, AZURE_PARAM *param) SetTimeout(ns, param->DataTimeout); - if (StartSSLEx(ns, NULL, NULL, true, 0, NULL)) + if (StartSSLEx(ns, NULL, NULL, 0, NULL)) { // Check certification char server_cert_hash_str[MAX_SIZE]; diff --git a/src/Cedar/CM.c b/src/Cedar/CM.c index ea0f6cfd..36eceaa3 100644 --- a/src/Cedar/CM.c +++ b/src/Cedar/CM.c @@ -6373,7 +6373,6 @@ void CmImportAccountMainEx(HWND hWnd, wchar_t *filename, bool overwrite) t->ClientOption->RequireMonitorMode = old_option->RequireMonitorMode; t->ClientOption->RequireBridgeRoutingMode = old_option->RequireBridgeRoutingMode; t->ClientOption->DisableQoS = old_option->DisableQoS; - t->ClientOption->NoTls1 = old_option->NoTls1; // Inherit the authentication data CiFreeClientAuth(t->ClientAuth); @@ -6987,8 +6986,6 @@ void CmEditAccountDlgUpdate(HWND hWnd, CM_ACCOUNT *a) } a->ClientOption->RetryInterval = GetInt(hWnd, E_RETRY_SPAN); - a->ClientOption->NoTls1 = IsChecked(hWnd, R_NOTLS1); - // Information determining if (UniStrLen(a->ClientOption->AccountName) == 0 && a->NatMode == false) { @@ -7442,8 +7439,6 @@ void CmEditAccountDlgInit(HWND hWnd, CM_ACCOUNT *a) } SetIntEx(hWnd, E_RETRY_SPAN, a->ClientOption->RetryInterval); - Check(hWnd, R_NOTLS1, a->ClientOption->NoTls1); - // Title if (a->NatMode == false) { diff --git a/src/Cedar/Client.c b/src/Cedar/Client.c index a5508f09..9008b0fd 100644 --- a/src/Cedar/Client.c +++ b/src/Cedar/Client.c @@ -4548,7 +4548,6 @@ void InRpcClientOption(CLIENT_OPTION *c, PACK *p) c->RequireMonitorMode = PackGetBool(p, "RequireMonitorMode"); c->RequireBridgeRoutingMode = PackGetBool(p, "RequireBridgeRoutingMode"); c->FromAdminPack = PackGetBool(p, "FromAdminPack"); - c->NoTls1 = PackGetBool(p, "NoTls1"); c->NoUdpAcceleration = PackGetBool(p, "NoUdpAcceleration"); PackGetData2(p, "HostUniqueKey", c->HostUniqueKey, SHA1_SIZE); } @@ -4586,7 +4585,6 @@ void OutRpcClientOption(PACK *p, CLIENT_OPTION *c) PackAddBool(p, "RequireBridgeRoutingMode", c->RequireBridgeRoutingMode); PackAddBool(p, "DisableQoS", c->DisableQoS); PackAddBool(p, "FromAdminPack", c->FromAdminPack); - PackAddBool(p, "NoTls1", c->NoTls1); PackAddBool(p, "NoUdpAcceleration", c->NoUdpAcceleration); PackAddData(p, "HostUniqueKey", c->HostUniqueKey, SHA1_SIZE); } @@ -9574,7 +9572,6 @@ CLIENT_OPTION *CiLoadClientOption(FOLDER *f) o->RequireBridgeRoutingMode = CfgGetBool(f, "RequireBridgeRoutingMode"); o->DisableQoS = CfgGetBool(f, "DisableQoS"); o->FromAdminPack = CfgGetBool(f, "FromAdminPack"); - o->NoTls1 = CfgGetBool(f, "NoTls1"); o->NoUdpAcceleration = CfgGetBool(f, "NoUdpAcceleration"); b = CfgGetBuf(f, "HostUniqueKey"); @@ -10108,7 +10105,6 @@ void CiWriteClientOption(FOLDER *f, CLIENT_OPTION *o) CfgAddBool(f, "RequireMonitorMode", o->RequireMonitorMode); CfgAddBool(f, "RequireBridgeRoutingMode", o->RequireBridgeRoutingMode); CfgAddBool(f, "DisableQoS", o->DisableQoS); - CfgAddBool(f, "NoTls1", o->NoTls1); CfgAddBool(f, "NoUdpAcceleration", o->NoUdpAcceleration); if (o->FromAdminPack) diff --git a/src/Cedar/Command.c b/src/Cedar/Command.c index c897bfa2..c3e62867 100644 --- a/src/Cedar/Command.c +++ b/src/Cedar/Command.c @@ -2148,7 +2148,7 @@ void TtcThread(THREAD *thread, void *param) IPToStr(target_host, sizeof(target_host), &ip_ret); } - s = ConnectEx4(target_host, ttc->Port, 0, ttc->Cancel, NULL, NULL, false, false, true, &ip_ret); + s = ConnectEx4(target_host, ttc->Port, 0, ttc->Cancel, NULL, NULL, false, true, &ip_ret); if (s == NULL) { diff --git a/src/Cedar/Connection.c b/src/Cedar/Connection.c index 90551a65..772463a8 100644 --- a/src/Cedar/Connection.c +++ b/src/Cedar/Connection.c @@ -3649,9 +3649,6 @@ CONNECTION *NewClientConnectionEx(SESSION *s, char *client_str, UINT client_ver, StrCpy(c->ServerName, sizeof(c->ServerName), s->ClientOption->Hostname); c->ServerPort = s->ClientOption->Port; - // TLS 1.0 using flag - c->DontUseTls1 = s->ClientOption->NoTls1; - // Create queues c->ReceivedBlocks = NewQueue(); c->SendBlocks = NewQueue(); diff --git a/src/Cedar/Connection.h b/src/Cedar/Connection.h index eab8eada..1c95e088 100644 --- a/src/Cedar/Connection.h +++ b/src/Cedar/Connection.h @@ -189,7 +189,6 @@ struct CLIENT_OPTION bool RequireBridgeRoutingMode; // Bridge or routing mode bool DisableQoS; // Disable the VoIP / QoS function bool FromAdminPack; // For Administration Pack - bool NoTls1; // Do not use TLS 1.0 bool NoUdpAcceleration; // Do not use UDP acceleration mode UCHAR HostUniqueKey[SHA1_SIZE]; // Host unique key }; @@ -310,7 +309,6 @@ struct CONNECTION IP ClientIp; // Client IP address char ClientHostname[MAX_HOST_NAME_LEN + 1]; // Client host name UINT Type; // Type - bool DontUseTls1; // Do not use TLS 1.0 void *hWndForUI; // Parent window bool IsInProc; // In-process char InProcPrefix[64]; // Prefix diff --git a/src/Cedar/Protocol.c b/src/Cedar/Protocol.c index 3d21257f..9ea4b34d 100644 --- a/src/Cedar/Protocol.c +++ b/src/Cedar/Protocol.c @@ -3920,7 +3920,7 @@ SOCK *ClientAdditionalConnectToServer(CONNECTION *c) } // Socket connection - s = ClientConnectGetSocket(c, true, (c->DontUseTls1 ? false : true)); + s = ClientConnectGetSocket(c, true); if (s == NULL) { // Connection failure @@ -3955,7 +3955,7 @@ SOCK *ClientAdditionalConnectToServer(CONNECTION *c) SetTimeout(s, CONNECTING_TIMEOUT); // Start the SSL communication - if (StartSSLEx(s, NULL, NULL, (c->DontUseTls1 ? false : true), 0, c->ServerName) == false) + if (StartSSLEx(s, NULL, NULL, 0, c->ServerName) == false) { // SSL communication failure Disconnect(s); @@ -6252,7 +6252,7 @@ SOCK *ClientConnectToServer(CONNECTION *c) } // Get the socket by connecting - s = ClientConnectGetSocket(c, false, (c->DontUseTls1 ? false : true)); + s = ClientConnectGetSocket(c, false); if (s == NULL) { // Connection failure @@ -6273,7 +6273,7 @@ SOCK *ClientConnectToServer(CONNECTION *c) SetTimeout(s, CONNECTING_TIMEOUT); // Start the SSL communication - if (StartSSLEx(s, x, k, (c->DontUseTls1 ? false : true), 0, c->ServerName) == false) + if (StartSSLEx(s, x, k, 0, c->ServerName) == false) { // SSL communication start failure Disconnect(s); @@ -6297,7 +6297,7 @@ SOCK *ClientConnectToServer(CONNECTION *c) } // Return a socket by connecting to the server -SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect, bool no_tls) +SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect) { SOCK *s = NULL; CLIENT_OPTION *o; @@ -6369,7 +6369,7 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect, bool no_tls // If additional_connect == true, follow the IsRUDPSession setting in this session s = TcpIpConnectEx(host_for_direct_connection, port_for_direct_connection, (bool *)cancel_flag, hWnd, &nat_t_err, (additional_connect ? (!is_additional_rudp_session) : false), - true, no_tls, &ret_ip); + true, &ret_ip); } } else @@ -6530,7 +6530,7 @@ SOCK *SocksConnectEx2(CONNECTION *c, char *proxy_host_name, UINT proxy_port, } // Connection - s = TcpConnectEx3(proxy_host_name, proxy_port, timeout, cancel_flag, hWnd, true, NULL, false, false, ret_ip); + s = TcpConnectEx3(proxy_host_name, proxy_port, timeout, cancel_flag, hWnd, true, NULL, false, ret_ip); if (s == NULL) { // Failure @@ -6737,7 +6737,7 @@ SOCK *ProxyConnectEx2(CONNECTION *c, char *proxy_host_name, UINT proxy_port, } // Connection - s = TcpConnectEx3(proxy_host_name, proxy_port, timeout, cancel_flag, hWnd, true, NULL, false, false, NULL); + s = TcpConnectEx3(proxy_host_name, proxy_port, timeout, cancel_flag, hWnd, true, NULL, false, NULL); if (s == NULL) { // Failure @@ -6887,32 +6887,32 @@ SOCK *ProxyConnectEx2(CONNECTION *c, char *proxy_host_name, UINT proxy_port, } // TCP connection function -SOCK *TcpConnectEx2(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool try_start_ssl, bool ssl_no_tls) +SOCK *TcpConnectEx2(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool try_start_ssl) { - return TcpConnectEx3(hostname, port, timeout, cancel_flag, hWnd, false, NULL, try_start_ssl, ssl_no_tls, NULL); + return TcpConnectEx3(hostname, port, timeout, cancel_flag, hWnd, false, NULL, try_start_ssl, NULL); } -SOCK *TcpConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, bool ssl_no_tls, IP *ret_ip) +SOCK *TcpConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, IP *ret_ip) { #ifdef OS_WIN32 if (hWnd == NULL) { #endif // OS_WIN32 - return ConnectEx4(hostname, port, timeout, cancel_flag, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), nat_t_error_code, try_start_ssl, ssl_no_tls, true, ret_ip); + return ConnectEx4(hostname, port, timeout, cancel_flag, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), nat_t_error_code, try_start_ssl, true, ret_ip); #ifdef OS_WIN32 } else { - return WinConnectEx3((HWND)hWnd, hostname, port, timeout, 0, NULL, NULL, nat_t_error_code, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), try_start_ssl, ssl_no_tls); + return WinConnectEx3((HWND)hWnd, hostname, port, timeout, 0, NULL, NULL, nat_t_error_code, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), try_start_ssl); } #endif // OS_WIN32 } // Connect with TCP/IP -SOCK *TcpIpConnect(char *hostname, UINT port, bool try_start_ssl, bool ssl_no_tls) +SOCK *TcpIpConnect(char *hostname, UINT port, bool try_start_ssl) { - return TcpIpConnectEx(hostname, port, NULL, NULL, NULL, false, try_start_ssl, ssl_no_tls, NULL); + return TcpIpConnectEx(hostname, port, NULL, NULL, NULL, false, try_start_ssl, NULL); } -SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, bool ssl_no_tls, IP *ret_ip) +SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, IP *ret_ip) { SOCK *s = NULL; UINT dummy_int = 0; @@ -6927,7 +6927,7 @@ SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, U return NULL; } - s = TcpConnectEx3(hostname, port, 0, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, ssl_no_tls, ret_ip); + s = TcpConnectEx3(hostname, port, 0, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, ret_ip); if (s == NULL) { return NULL; diff --git a/src/Cedar/Protocol.h b/src/Cedar/Protocol.h index 2fca210c..2fd47973 100644 --- a/src/Cedar/Protocol.h +++ b/src/Cedar/Protocol.h @@ -217,16 +217,16 @@ UINT64 ShortStrToDate64(char *str); bool ServerAccept(CONNECTION *c); bool ClientConnect(CONNECTION *c); SOCK *ClientConnectToServer(CONNECTION *c); -SOCK *TcpIpConnect(char *hostname, UINT port, bool try_start_ssl, bool ssl_no_tls); -SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, bool ssl_no_tls, IP *ret_ip); +SOCK *TcpIpConnect(char *hostname, UINT port, bool try_start_ssl); +SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, IP *ret_ip); bool ClientUploadSignature(SOCK *s); bool ClientDownloadHello(CONNECTION *c, SOCK *s); bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str); bool ServerUploadHello(CONNECTION *c); bool ClientUploadAuth(CONNECTION *c); -SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect, bool no_tls); -SOCK *TcpConnectEx2(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool try_start_ssl, bool ssl_no_tls); -SOCK *TcpConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, bool ssl_no_tls, IP *ret_ip); +SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect); +SOCK *TcpConnectEx2(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool try_start_ssl); +SOCK *TcpConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, IP *ret_ip); void InitProtocol(); void FreeProtocol(); diff --git a/src/Cedar/Server.c b/src/Cedar/Server.c index 51ede8e7..b309dfa2 100644 --- a/src/Cedar/Server.c +++ b/src/Cedar/Server.c @@ -2550,9 +2550,6 @@ void SiLoadInitialConfiguration(SERVER *s) return; } - // Default to TLS only; mitigates CVE-2016-0800 - s->Cedar->SslAcceptSettings.AcceptOnlyTls = true; - // Auto saving interval related s->AutoSaveConfigSpan = SERVER_FILE_SAVE_INTERVAL_DEFAULT; s->BackupConfigOnlyWhenModified = true; @@ -6126,16 +6123,6 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f) // Disable session reconnect SetGlobalServerFlag(GSF_DISABLE_SESSION_RECONNECT, CfgGetBool(f, "DisableSessionReconnect")); - // AcceptOnlyTls - if (CfgIsItem(f, "AcceptOnlyTls")) - { - c->SslAcceptSettings.AcceptOnlyTls = CfgGetBool(f, "AcceptOnlyTls"); - } - else - { - // Default to TLS only; mitigates CVE-2016-0800 - c->SslAcceptSettings.AcceptOnlyTls = true; - } c->SslAcceptSettings.Tls_Disable1_0 = CfgGetBool(f, "Tls_Disable1_0"); c->SslAcceptSettings.Tls_Disable1_1 = CfgGetBool(f, "Tls_Disable1_1"); c->SslAcceptSettings.Tls_Disable1_2 = CfgGetBool(f, "Tls_Disable1_2"); @@ -6460,7 +6447,6 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s) CfgAddBool(f, "DisableGetHostNameWhenAcceptTcp", s->DisableGetHostNameWhenAcceptTcp); CfgAddBool(f, "DisableCoreDumpOnUnix", s->DisableCoreDumpOnUnix); - CfgAddBool(f, "AcceptOnlyTls", c->SslAcceptSettings.AcceptOnlyTls); CfgAddBool(f, "Tls_Disable1_0", c->SslAcceptSettings.Tls_Disable1_0); CfgAddBool(f, "Tls_Disable1_1", c->SslAcceptSettings.Tls_Disable1_1); CfgAddBool(f, "Tls_Disable1_2", c->SslAcceptSettings.Tls_Disable1_2); diff --git a/src/Cedar/Virtual.c b/src/Cedar/Virtual.c index a25376fd..b02325f5 100644 --- a/src/Cedar/Virtual.c +++ b/src/Cedar/Virtual.c @@ -4431,7 +4431,7 @@ void NatTcpConnectThread(THREAD *t, void *p) // Attempt to connect to the TCP host Debug("NatTcpConnect Connecting to %s:%u\n", hostname, port_number); - sock = ConnectEx3(hostname, port_number, 0, &n->NatTcpCancelFlag, NULL, NULL, false, false, true); + sock = ConnectEx3(hostname, port_number, 0, &n->NatTcpCancelFlag, NULL, NULL, false, true); if (sock == NULL) { // Connection failure diff --git a/src/Cedar/WinUi.c b/src/Cedar/WinUi.c index 67ecf660..364eb54c 100644 --- a/src/Cedar/WinUi.c +++ b/src/Cedar/WinUi.c @@ -1460,7 +1460,7 @@ void WinConnectDlgThread(THREAD *thread, void *param) nat_t_svc_name = d->nat_t_svc_name; } - s = ConnectEx3(d->hostname, d->port, d->timeout, &d->cancel, nat_t_svc_name, &nat_t_error_code, d->try_start_ssl, d->ssl_no_tls, false); + s = ConnectEx3(d->hostname, d->port, d->timeout, &d->cancel, nat_t_svc_name, &nat_t_error_code, d->try_start_ssl, false); d->ret_sock = s; d->nat_t_error_code = nat_t_error_code; @@ -1536,7 +1536,7 @@ UINT WinConnectDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void * } // TCP connection with showing the UI -SOCK *WinConnectEx3(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl, bool ssl_no_tls) +SOCK *WinConnectEx3(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl) { wchar_t tmp[MAX_SIZE]; wchar_t tmp2[MAX_SIZE]; @@ -1572,7 +1572,6 @@ SOCK *WinConnectEx3(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_ Zero(&d, sizeof(d)); d.try_start_ssl = try_start_ssl; - d.ssl_no_tls = ssl_no_tls; d.cancel = false; d.caption = caption; d.icon_id = icon_id; diff --git a/src/Cedar/WinUi.h b/src/Cedar/WinUi.h index 9aaa71f7..b9cb29e0 100644 --- a/src/Cedar/WinUi.h +++ b/src/Cedar/WinUi.h @@ -449,7 +449,6 @@ typedef struct WINCONNECT_DLG_DATA char nat_t_svc_name[MAX_SIZE]; UINT nat_t_error_code; bool try_start_ssl; - bool ssl_no_tls; } WINCONNECT_DLG_DATA; HBITMAP ResizeBitmap(HBITMAP hSrc, UINT src_x, UINT src_y, UINT dst_x, UINT dst_y); @@ -838,7 +837,7 @@ HFONT GetMeiryoFont(); HFONT GetMeiryoFontEx(UINT font_size); HFONT GetMeiryoFontEx2(UINT font_size, bool bold); bool ShowWindowsNetworkConnectionDialog(); -SOCK *WinConnectEx3(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl, bool ssl_no_tls); +SOCK *WinConnectEx3(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl); UINT WinConnectDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void *param); void WinConnectDlgThread(THREAD *thread, void *param); void NicInfo(UI_NICINFO *info); diff --git a/src/Cedar/Wpc.c b/src/Cedar/Wpc.c index cddfd383..ec16ee3b 100644 --- a/src/Cedar/Wpc.c +++ b/src/Cedar/Wpc.c @@ -623,7 +623,7 @@ SOCK *WpcSockConnectEx(WPC_CONNECT *param, UINT *error_code, UINT timeout, bool switch (param->ProxyType) { case PROXY_DIRECT: - sock = TcpConnectEx3(param->HostName, param->Port, timeout, cancel, NULL, true, NULL, false, false, NULL); + sock = TcpConnectEx3(param->HostName, param->Port, timeout, cancel, NULL, true, NULL, false, NULL); if (sock == NULL) { err = ERR_CONNECT_FAILED; @@ -790,7 +790,7 @@ BUF *HttpRequestEx3(URL_DATA *data, INTERNET_SETTING *setting, else { // If the connection is not SSL via HTTP Proxy - s = TcpConnectEx3(con.ProxyHostName, con.ProxyPort, timeout_connect, cancel, NULL, true, NULL, false, false, NULL); + s = TcpConnectEx3(con.ProxyHostName, con.ProxyPort, timeout_connect, cancel, NULL, true, NULL, false, NULL); if (s == NULL) { *error_code = ERR_PROXY_CONNECT_FAILED; @@ -805,7 +805,7 @@ BUF *HttpRequestEx3(URL_DATA *data, INTERNET_SETTING *setting, if (data->Secure) { // Start the SSL communication - if (StartSSLEx(s, NULL, NULL, true, 0, (IsEmptyStr(data->SniString) ? NULL : data->SniString)) == false) + if (StartSSLEx(s, NULL, NULL, 0, (IsEmptyStr(data->SniString) ? NULL : data->SniString)) == false) { // SSL connection failed *error_code = ERR_PROTOCOL_ERROR; diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c index 28172767..f5e3aa34 100644 --- a/src/Mayaqua/Network.c +++ b/src/Mayaqua/Network.c @@ -829,7 +829,7 @@ bool GetIPViaDnsProxyForJapanFlets(IP *ip_ret, char *hostname, bool ipv6, UINT t Format(connect_hostname2, sizeof(connect_hostname2), "[%s]", connect_hostname); } - s = ConnectEx3(connect_hostname, BFLETS_DNS_PROXY_PORT, timeout, cancel, NULL, NULL, false, false, false); + s = ConnectEx3(connect_hostname, BFLETS_DNS_PROXY_PORT, timeout, cancel, NULL, NULL, false, false); if (s == NULL) { @@ -847,7 +847,7 @@ bool GetIPViaDnsProxyForJapanFlets(IP *ip_ret, char *hostname, bool ipv6, UINT t SetTimeout(s, timeout); // Start the SSL - if (StartSSLEx(s, NULL, NULL, true, 0, NULL) && (*cancel == false)) + if (StartSSLEx(s, NULL, NULL, 0, NULL) && (*cancel == false)) { UCHAR hash[SHA1_SIZE]; BUF *hash2 = StrToBin(BFLETS_DNS_PROXY_CERT_HASH); @@ -12141,9 +12141,9 @@ bool AddChainSslCert(struct ssl_ctx_st *ctx, X *x) // Start a TCP-SSL communication bool StartSSL(SOCK *sock, X *x, K *priv) { - return StartSSLEx(sock, x, priv, true, 0, NULL); + return StartSSLEx(sock, x, priv, 0, NULL); } -bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, char *sni_hostname) +bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname) { X509 *x509; EVP_PKEY *key; @@ -12203,39 +12203,32 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch { if (sock->ServerMode) { - SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method()); + SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_server_method()); -#ifdef SSL_OP_NO_SSLv2 - SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2); -#endif // SSL_OP_NO_SSLv2 - - if (sock->SslAcceptSettings.AcceptOnlyTls) - { #ifdef SSL_OP_NO_SSLv3 - SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3); + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3); #endif // SSL_OP_NO_SSLv3 - } +#ifdef SSL_OP_NO_TLSv1 if (sock->SslAcceptSettings.Tls_Disable1_0) { -#ifdef SSL_OP_NO_TLSv1 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1); -#endif // SSL_OP_NO_TLSv1 } +#endif // SSL_OP_NO_TLSv1 +#ifdef SSL_OP_NO_TLSv1_1 if (sock->SslAcceptSettings.Tls_Disable1_1) { -#ifdef SSL_OP_NO_TLSv1_1 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1); -#endif // SSL_OP_NO_TLSv1_1 } +#endif // SSL_OP_NO_TLSv1_1 +#ifdef SSL_OP_NO_TLSv1_2 if (sock->SslAcceptSettings.Tls_Disable1_2) { -#ifdef SSL_OP_NO_TLSv1_2 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2); -#endif // SSL_OP_NO_TLSv1_2 } +#endif // SSL_OP_NO_TLSv1_2 Unlock(openssl_lock); AddChainSslCertOnDirectory(ssl_ctx); @@ -12243,24 +12236,18 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch } else { - if (client_tls == false) - { -#if OPENSSL_VERSION_NUMBER < 0x10100000L - SSL_CTX_set_ssl_version(ssl_ctx, SSLv3_method()); -#else - SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method()); -#endif - } - else - { - SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method()); - } + SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method()); + +#ifdef SSL_OP_NO_SSLv3 + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3); +#endif // SSL_OP_NO_SSLv3 } + sock->ssl = SSL_new(ssl_ctx); SSL_set_fd(sock->ssl, (int)sock->socket); #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME - if (sock->ServerMode == false && client_tls) + if (sock->ServerMode == false) { if (IsEmptyStr(sni_hostname) == false) { @@ -14279,7 +14266,7 @@ void ConnectThreadForTcp(THREAD *thread, void *param) // Connecting process IPToStr(hostname, sizeof(hostname), &p->Ip); - sock = ConnectEx3(hostname, p->Port, p->Timeout, p->CancelFlag, NULL, NULL, false, false, true); + sock = ConnectEx3(hostname, p->Port, p->Timeout, p->CancelFlag, NULL, NULL, false, true); if (sock != NULL && p->Tcp_TryStartSsl) { @@ -14304,7 +14291,7 @@ void ConnectThreadForTcp(THREAD *thread, void *param) Unlock(p->CancelLock); // Start the SSL communication - ssl_ret = StartSSLEx(sock, NULL, NULL, p->Tcp_SslNoTls, 0, p->Hostname); + ssl_ret = StartSSLEx(sock, NULL, NULL, 0, p->Hostname); if (ssl_ret) { @@ -14417,14 +14404,13 @@ SOCK *ConnectEx(char *hostname, UINT port, UINT timeout) } SOCK *ConnectEx2(char *hostname, UINT port, UINT timeout, bool *cancel_flag) { - return ConnectEx3(hostname, port, timeout, cancel_flag, NULL, NULL, false, false, true); + return ConnectEx3(hostname, port, timeout, cancel_flag, NULL, NULL, false, true); } -SOCK *ConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool ssl_no_tls, bool no_get_hostname) +SOCK *ConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname) { - return ConnectEx4(hostname, port, timeout, cancel_flag, nat_t_svc_name, nat_t_error_code, try_start_ssl, ssl_no_tls, - no_get_hostname, NULL); + return ConnectEx4(hostname, port, timeout, cancel_flag, nat_t_svc_name, nat_t_error_code, try_start_ssl, no_get_hostname, NULL); } -SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool ssl_no_tls, bool no_get_hostname, IP *ret_ip) +SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, IP *ret_ip) { SOCK *sock; SOCKET s; @@ -14603,7 +14589,6 @@ SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha p1.CancelFlag = &cancel_flag2; p1.FinishEvent = finish_event; p1.Tcp_TryStartSsl = try_start_ssl; - p1.Tcp_SslNoTls = ssl_no_tls; p1.CancelLock = NewLock(); // p2: NAT-T diff --git a/src/Mayaqua/Network.h b/src/Mayaqua/Network.h index b3a6cbfd..be9936da 100644 --- a/src/Mayaqua/Network.h +++ b/src/Mayaqua/Network.h @@ -250,7 +250,6 @@ struct SOCK_EVENT // SSL Accept Settings struct SSL_ACCEPT_SETTINGS { - bool AcceptOnlyTls; bool Tls_Disable1_0; bool Tls_Disable1_1; bool Tls_Disable1_2; @@ -927,7 +926,6 @@ struct CONNECT_TCP_RUDP_PARAM UINT RUdpProtocol; UINT Delay; bool Tcp_TryStartSsl; - bool Tcp_SslNoTls; LOCK *CancelLock; SOCK *CancelDisconnectSock; bool Tcp_InNegotiation; @@ -1271,8 +1269,8 @@ void CleanupSock(SOCK *s); SOCK *Connect(char *hostname, UINT port); SOCK *ConnectEx(char *hostname, UINT port, UINT timeout); SOCK *ConnectEx2(char *hostname, UINT port, UINT timeout, bool *cancel_flag); -SOCK *ConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool ssl_no_tls, bool no_get_hostname); -SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool ssl_no_tls, bool no_get_hostname, IP *ret_ip); +SOCK *ConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname); +SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, IP *ret_ip); SOCKET ConnectTimeoutIPv4(IP *ip, UINT port, UINT timeout, bool *cancel_flag); void SetSocketSendRecvBufferSize(SOCKET s, UINT size); bool SetSocketBufferSize(SOCKET s, bool send, UINT size); @@ -1295,7 +1293,7 @@ void SetNoNeedToRead(SOCK *sock); UINT SecureSend(SOCK *sock, void *data, UINT size); UINT SecureRecv(SOCK *sock, void *data, UINT size); bool StartSSL(SOCK *sock, X *x, K *priv); -bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, char *sni_hostname); +bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname); bool AddChainSslCert(struct ssl_ctx_st *ctx, X *x); void AddChainSslCertOnDirectory(struct ssl_ctx_st *ctx); bool SendAll(SOCK *sock, void *data, UINT size, bool secure); diff --git a/src/PenCore/PenCore.rc b/src/PenCore/PenCore.rc index e9959b1f..4d1912f7 100644 --- a/src/PenCore/PenCore.rc +++ b/src/PenCore/PenCore.rc @@ -1564,7 +1564,6 @@ BEGIN EDITTEXT E_RETRY_SPAN,318,251,41,11,ES_RIGHT | ES_AUTOHSCROLL | ES_NUMBER LTEXT "@S_RETRY_SPAN_2",S_RETRY_SPAN_2,364,252,72,9 CONTROL "@R_INFINITE",R_INFINITE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,266,265,171,9 - CONTROL "@R_NOTLS1",R_NOTLS1,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,253,280,87,9 PUSHBUTTON "@B_DETAIL",B_DETAIL,344,277,87,15 DEFPUSHBUTTON "@IDOK",IDOK,308,300,64,17 PUSHBUTTON "@IDCANCEL",IDCANCEL,380,300,64,17 diff --git a/src/PenCore/resource.h b/src/PenCore/resource.h index aa6d1eb3..bdb0666b 100644 --- a/src/PenCore/resource.h +++ b/src/PenCore/resource.h @@ -360,8 +360,6 @@ #define B_IE 1087 #define B_EXPORT 1088 #define IDC_STATIC1 1088 -#define R_R_NOTLS1 1088 -#define R_NOTLS1 1088 #define R_USE_PASSWORD 1089 #define IDC_STATIC3 1089 #define B_IMPORT2 1089 diff --git a/src/bin/hamcore/strtable_cn.stb b/src/bin/hamcore/strtable_cn.stb index c4336e3c..648e3b99 100644 --- a/src/bin/hamcore/strtable_cn.stb +++ b/src/bin/hamcore/strtable_cn.stb @@ -2332,7 +2332,6 @@ S_RETRY_NUM_2 次 S_RETRY_SPAN_1 重连间隔(&K): S_RETRY_SPAN_2 秒 R_INFINITE 无限重连(总是保持 VPN 在线) (&I) -R_NOTLS1 使用 SSL 3.0 (&1) B_DETAIL 高级设置(&D)... IDOK 确定(&O) IDCANCEL 取消 diff --git a/src/bin/hamcore/strtable_en.stb b/src/bin/hamcore/strtable_en.stb index 1a7e3f35..d9a28378 100644 --- a/src/bin/hamcore/strtable_en.stb +++ b/src/bin/hamcore/strtable_en.stb @@ -2312,7 +2312,6 @@ S_RETRY_NUM_2 times S_RETRY_SPAN_1 Reconnect Interval: S_RETRY_SPAN_2 seconds R_INFINITE &Infinite Reconnects (Keep VPN Always Online) -R_NOTLS1 Use SSL 3.0 (&1) B_DETAIL A&dvanced Settings... IDOK &OK IDCANCEL Cancel diff --git a/src/bin/hamcore/strtable_ja.stb b/src/bin/hamcore/strtable_ja.stb index a3487155..913da6ca 100644 --- a/src/bin/hamcore/strtable_ja.stb +++ b/src/bin/hamcore/strtable_ja.stb @@ -2317,7 +2317,6 @@ S_RETRY_NUM_2 回 S_RETRY_SPAN_1 再接続間隔(&K): S_RETRY_SPAN_2 秒 R_INFINITE 無限に再接続を試行する (常時接続) (&I) -R_NOTLS1 SSL 3.0 を使用する(&1) B_DETAIL 高度な通信設定(&N)... IDOK &OK IDCANCEL キャンセル diff --git a/src/bin/hamcore/strtable_ko.stb b/src/bin/hamcore/strtable_ko.stb index 4aaaf1df..bd9eea19 100644 --- a/src/bin/hamcore/strtable_ko.stb +++ b/src/bin/hamcore/strtable_ko.stb @@ -2312,7 +2312,6 @@ S_RETRY_NUM_2 회 S_RETRY_SPAN_1 다시 연결 간격 (&K): S_RETRY_SPAN_2 초 R_INFINITE 무한 재 연결을 시도하는 (상시 접속) (&I) -R_NOTLS1 사용 SSL 3.0(&1) B_DETAIL 고급 통신 설정 (&N)... IDOK & OK IDCANCEL 취소 diff --git a/src/bin/hamcore/strtable_tw.stb b/src/bin/hamcore/strtable_tw.stb index ab613075..7fd79c71 100644 --- a/src/bin/hamcore/strtable_tw.stb +++ b/src/bin/hamcore/strtable_tw.stb @@ -2333,7 +2333,6 @@ S_RETRY_NUM_2 次 S_RETRY_SPAN_1 重連間隔(&K): S_RETRY_SPAN_2 秒 R_INFINITE 無限重連(總是保持 VPN 線上) (&I) -R_NOTLS1 使用 SSL 3.0 (&1) B_DETAIL 進階設置(&D)... IDOK 確定(&O) IDCANCEL 取消