1
0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2024-11-23 01:49:53 +03:00

Merge PR #594: Remove SSLv3 support

This commit is contained in:
Davide Beatrici 2018-08-18 07:38:05 +02:00 committed by GitHub
commit daed1ad8b3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
22 changed files with 59 additions and 114 deletions

View File

@ -193,7 +193,7 @@ void AcWaitForRequest(AZURE_CLIENT *ac, SOCK *s, AZURE_PARAM *param)
SetTimeout(ns, param->DataTimeout);
if (StartSSLEx(ns, NULL, NULL, true, 0, NULL))
if (StartSSLEx(ns, NULL, NULL, 0, NULL))
{
// Check certification
char server_cert_hash_str[MAX_SIZE];

View File

@ -6373,7 +6373,6 @@ void CmImportAccountMainEx(HWND hWnd, wchar_t *filename, bool overwrite)
t->ClientOption->RequireMonitorMode = old_option->RequireMonitorMode;
t->ClientOption->RequireBridgeRoutingMode = old_option->RequireBridgeRoutingMode;
t->ClientOption->DisableQoS = old_option->DisableQoS;
t->ClientOption->NoTls1 = old_option->NoTls1;
// Inherit the authentication data
CiFreeClientAuth(t->ClientAuth);
@ -6987,8 +6986,6 @@ void CmEditAccountDlgUpdate(HWND hWnd, CM_ACCOUNT *a)
}
a->ClientOption->RetryInterval = GetInt(hWnd, E_RETRY_SPAN);
a->ClientOption->NoTls1 = IsChecked(hWnd, R_NOTLS1);
// Information determining
if (UniStrLen(a->ClientOption->AccountName) == 0 && a->NatMode == false)
{
@ -7442,8 +7439,6 @@ void CmEditAccountDlgInit(HWND hWnd, CM_ACCOUNT *a)
}
SetIntEx(hWnd, E_RETRY_SPAN, a->ClientOption->RetryInterval);
Check(hWnd, R_NOTLS1, a->ClientOption->NoTls1);
// Title
if (a->NatMode == false)
{

View File

@ -4548,7 +4548,6 @@ void InRpcClientOption(CLIENT_OPTION *c, PACK *p)
c->RequireMonitorMode = PackGetBool(p, "RequireMonitorMode");
c->RequireBridgeRoutingMode = PackGetBool(p, "RequireBridgeRoutingMode");
c->FromAdminPack = PackGetBool(p, "FromAdminPack");
c->NoTls1 = PackGetBool(p, "NoTls1");
c->NoUdpAcceleration = PackGetBool(p, "NoUdpAcceleration");
PackGetData2(p, "HostUniqueKey", c->HostUniqueKey, SHA1_SIZE);
}
@ -4586,7 +4585,6 @@ void OutRpcClientOption(PACK *p, CLIENT_OPTION *c)
PackAddBool(p, "RequireBridgeRoutingMode", c->RequireBridgeRoutingMode);
PackAddBool(p, "DisableQoS", c->DisableQoS);
PackAddBool(p, "FromAdminPack", c->FromAdminPack);
PackAddBool(p, "NoTls1", c->NoTls1);
PackAddBool(p, "NoUdpAcceleration", c->NoUdpAcceleration);
PackAddData(p, "HostUniqueKey", c->HostUniqueKey, SHA1_SIZE);
}
@ -9574,7 +9572,6 @@ CLIENT_OPTION *CiLoadClientOption(FOLDER *f)
o->RequireBridgeRoutingMode = CfgGetBool(f, "RequireBridgeRoutingMode");
o->DisableQoS = CfgGetBool(f, "DisableQoS");
o->FromAdminPack = CfgGetBool(f, "FromAdminPack");
o->NoTls1 = CfgGetBool(f, "NoTls1");
o->NoUdpAcceleration = CfgGetBool(f, "NoUdpAcceleration");
b = CfgGetBuf(f, "HostUniqueKey");
@ -10108,7 +10105,6 @@ void CiWriteClientOption(FOLDER *f, CLIENT_OPTION *o)
CfgAddBool(f, "RequireMonitorMode", o->RequireMonitorMode);
CfgAddBool(f, "RequireBridgeRoutingMode", o->RequireBridgeRoutingMode);
CfgAddBool(f, "DisableQoS", o->DisableQoS);
CfgAddBool(f, "NoTls1", o->NoTls1);
CfgAddBool(f, "NoUdpAcceleration", o->NoUdpAcceleration);
if (o->FromAdminPack)

View File

@ -2148,7 +2148,7 @@ void TtcThread(THREAD *thread, void *param)
IPToStr(target_host, sizeof(target_host), &ip_ret);
}
s = ConnectEx4(target_host, ttc->Port, 0, ttc->Cancel, NULL, NULL, false, false, true, &ip_ret);
s = ConnectEx4(target_host, ttc->Port, 0, ttc->Cancel, NULL, NULL, false, true, &ip_ret);
if (s == NULL)
{

View File

@ -3649,9 +3649,6 @@ CONNECTION *NewClientConnectionEx(SESSION *s, char *client_str, UINT client_ver,
StrCpy(c->ServerName, sizeof(c->ServerName), s->ClientOption->Hostname);
c->ServerPort = s->ClientOption->Port;
// TLS 1.0 using flag
c->DontUseTls1 = s->ClientOption->NoTls1;
// Create queues
c->ReceivedBlocks = NewQueue();
c->SendBlocks = NewQueue();

View File

@ -189,7 +189,6 @@ struct CLIENT_OPTION
bool RequireBridgeRoutingMode; // Bridge or routing mode
bool DisableQoS; // Disable the VoIP / QoS function
bool FromAdminPack; // For Administration Pack
bool NoTls1; // Do not use TLS 1.0
bool NoUdpAcceleration; // Do not use UDP acceleration mode
UCHAR HostUniqueKey[SHA1_SIZE]; // Host unique key
};
@ -310,7 +309,6 @@ struct CONNECTION
IP ClientIp; // Client IP address
char ClientHostname[MAX_HOST_NAME_LEN + 1]; // Client host name
UINT Type; // Type
bool DontUseTls1; // Do not use TLS 1.0
void *hWndForUI; // Parent window
bool IsInProc; // In-process
char InProcPrefix[64]; // Prefix

View File

@ -3920,7 +3920,7 @@ SOCK *ClientAdditionalConnectToServer(CONNECTION *c)
}
// Socket connection
s = ClientConnectGetSocket(c, true, (c->DontUseTls1 ? false : true));
s = ClientConnectGetSocket(c, true);
if (s == NULL)
{
// Connection failure
@ -3955,7 +3955,7 @@ SOCK *ClientAdditionalConnectToServer(CONNECTION *c)
SetTimeout(s, CONNECTING_TIMEOUT);
// Start the SSL communication
if (StartSSLEx(s, NULL, NULL, (c->DontUseTls1 ? false : true), 0, c->ServerName) == false)
if (StartSSLEx(s, NULL, NULL, 0, c->ServerName) == false)
{
// SSL communication failure
Disconnect(s);
@ -6252,7 +6252,7 @@ SOCK *ClientConnectToServer(CONNECTION *c)
}
// Get the socket by connecting
s = ClientConnectGetSocket(c, false, (c->DontUseTls1 ? false : true));
s = ClientConnectGetSocket(c, false);
if (s == NULL)
{
// Connection failure
@ -6273,7 +6273,7 @@ SOCK *ClientConnectToServer(CONNECTION *c)
SetTimeout(s, CONNECTING_TIMEOUT);
// Start the SSL communication
if (StartSSLEx(s, x, k, (c->DontUseTls1 ? false : true), 0, c->ServerName) == false)
if (StartSSLEx(s, x, k, 0, c->ServerName) == false)
{
// SSL communication start failure
Disconnect(s);
@ -6297,7 +6297,7 @@ SOCK *ClientConnectToServer(CONNECTION *c)
}
// Return a socket by connecting to the server
SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect, bool no_tls)
SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect)
{
SOCK *s = NULL;
CLIENT_OPTION *o;
@ -6369,7 +6369,7 @@ SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect, bool no_tls
// If additional_connect == true, follow the IsRUDPSession setting in this session
s = TcpIpConnectEx(host_for_direct_connection, port_for_direct_connection,
(bool *)cancel_flag, hWnd, &nat_t_err, (additional_connect ? (!is_additional_rudp_session) : false),
true, no_tls, &ret_ip);
true, &ret_ip);
}
}
else
@ -6530,7 +6530,7 @@ SOCK *SocksConnectEx2(CONNECTION *c, char *proxy_host_name, UINT proxy_port,
}
// Connection
s = TcpConnectEx3(proxy_host_name, proxy_port, timeout, cancel_flag, hWnd, true, NULL, false, false, ret_ip);
s = TcpConnectEx3(proxy_host_name, proxy_port, timeout, cancel_flag, hWnd, true, NULL, false, ret_ip);
if (s == NULL)
{
// Failure
@ -6737,7 +6737,7 @@ SOCK *ProxyConnectEx2(CONNECTION *c, char *proxy_host_name, UINT proxy_port,
}
// Connection
s = TcpConnectEx3(proxy_host_name, proxy_port, timeout, cancel_flag, hWnd, true, NULL, false, false, NULL);
s = TcpConnectEx3(proxy_host_name, proxy_port, timeout, cancel_flag, hWnd, true, NULL, false, NULL);
if (s == NULL)
{
// Failure
@ -6887,32 +6887,32 @@ SOCK *ProxyConnectEx2(CONNECTION *c, char *proxy_host_name, UINT proxy_port,
}
// TCP connection function
SOCK *TcpConnectEx2(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool try_start_ssl, bool ssl_no_tls)
SOCK *TcpConnectEx2(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool try_start_ssl)
{
return TcpConnectEx3(hostname, port, timeout, cancel_flag, hWnd, false, NULL, try_start_ssl, ssl_no_tls, NULL);
return TcpConnectEx3(hostname, port, timeout, cancel_flag, hWnd, false, NULL, try_start_ssl, NULL);
}
SOCK *TcpConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, bool ssl_no_tls, IP *ret_ip)
SOCK *TcpConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, IP *ret_ip)
{
#ifdef OS_WIN32
if (hWnd == NULL)
{
#endif // OS_WIN32
return ConnectEx4(hostname, port, timeout, cancel_flag, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), nat_t_error_code, try_start_ssl, ssl_no_tls, true, ret_ip);
return ConnectEx4(hostname, port, timeout, cancel_flag, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), nat_t_error_code, try_start_ssl, true, ret_ip);
#ifdef OS_WIN32
}
else
{
return WinConnectEx3((HWND)hWnd, hostname, port, timeout, 0, NULL, NULL, nat_t_error_code, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), try_start_ssl, ssl_no_tls);
return WinConnectEx3((HWND)hWnd, hostname, port, timeout, 0, NULL, NULL, nat_t_error_code, (no_nat_t ? NULL : VPN_RUDP_SVC_NAME), try_start_ssl);
}
#endif // OS_WIN32
}
// Connect with TCP/IP
SOCK *TcpIpConnect(char *hostname, UINT port, bool try_start_ssl, bool ssl_no_tls)
SOCK *TcpIpConnect(char *hostname, UINT port, bool try_start_ssl)
{
return TcpIpConnectEx(hostname, port, NULL, NULL, NULL, false, try_start_ssl, ssl_no_tls, NULL);
return TcpIpConnectEx(hostname, port, NULL, NULL, NULL, false, try_start_ssl, NULL);
}
SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, bool ssl_no_tls, IP *ret_ip)
SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, IP *ret_ip)
{
SOCK *s = NULL;
UINT dummy_int = 0;
@ -6927,7 +6927,7 @@ SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, U
return NULL;
}
s = TcpConnectEx3(hostname, port, 0, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, ssl_no_tls, ret_ip);
s = TcpConnectEx3(hostname, port, 0, cancel_flag, hWnd, no_nat_t, nat_t_error_code, try_start_ssl, ret_ip);
if (s == NULL)
{
return NULL;

View File

@ -217,16 +217,16 @@ UINT64 ShortStrToDate64(char *str);
bool ServerAccept(CONNECTION *c);
bool ClientConnect(CONNECTION *c);
SOCK *ClientConnectToServer(CONNECTION *c);
SOCK *TcpIpConnect(char *hostname, UINT port, bool try_start_ssl, bool ssl_no_tls);
SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, bool ssl_no_tls, IP *ret_ip);
SOCK *TcpIpConnect(char *hostname, UINT port, bool try_start_ssl);
SOCK *TcpIpConnectEx(char *hostname, UINT port, bool *cancel_flag, void *hWnd, UINT *nat_t_error_code, bool no_nat_t, bool try_start_ssl, IP *ret_ip);
bool ClientUploadSignature(SOCK *s);
bool ClientDownloadHello(CONNECTION *c, SOCK *s);
bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str);
bool ServerUploadHello(CONNECTION *c);
bool ClientUploadAuth(CONNECTION *c);
SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect, bool no_tls);
SOCK *TcpConnectEx2(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool try_start_ssl, bool ssl_no_tls);
SOCK *TcpConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, bool ssl_no_tls, IP *ret_ip);
SOCK *ClientConnectGetSocket(CONNECTION *c, bool additional_connect);
SOCK *TcpConnectEx2(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool try_start_ssl);
SOCK *TcpConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, void *hWnd, bool no_nat_t, UINT *nat_t_error_code, bool try_start_ssl, IP *ret_ip);
void InitProtocol();
void FreeProtocol();

View File

@ -2550,9 +2550,6 @@ void SiLoadInitialConfiguration(SERVER *s)
return;
}
// Default to TLS only; mitigates CVE-2016-0800
s->Cedar->SslAcceptSettings.AcceptOnlyTls = true;
// Auto saving interval related
s->AutoSaveConfigSpan = SERVER_FILE_SAVE_INTERVAL_DEFAULT;
s->BackupConfigOnlyWhenModified = true;
@ -6126,16 +6123,6 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
// Disable session reconnect
SetGlobalServerFlag(GSF_DISABLE_SESSION_RECONNECT, CfgGetBool(f, "DisableSessionReconnect"));
// AcceptOnlyTls
if (CfgIsItem(f, "AcceptOnlyTls"))
{
c->SslAcceptSettings.AcceptOnlyTls = CfgGetBool(f, "AcceptOnlyTls");
}
else
{
// Default to TLS only; mitigates CVE-2016-0800
c->SslAcceptSettings.AcceptOnlyTls = true;
}
c->SslAcceptSettings.Tls_Disable1_0 = CfgGetBool(f, "Tls_Disable1_0");
c->SslAcceptSettings.Tls_Disable1_1 = CfgGetBool(f, "Tls_Disable1_1");
c->SslAcceptSettings.Tls_Disable1_2 = CfgGetBool(f, "Tls_Disable1_2");
@ -6460,7 +6447,6 @@ void SiWriteServerCfg(FOLDER *f, SERVER *s)
CfgAddBool(f, "DisableGetHostNameWhenAcceptTcp", s->DisableGetHostNameWhenAcceptTcp);
CfgAddBool(f, "DisableCoreDumpOnUnix", s->DisableCoreDumpOnUnix);
CfgAddBool(f, "AcceptOnlyTls", c->SslAcceptSettings.AcceptOnlyTls);
CfgAddBool(f, "Tls_Disable1_0", c->SslAcceptSettings.Tls_Disable1_0);
CfgAddBool(f, "Tls_Disable1_1", c->SslAcceptSettings.Tls_Disable1_1);
CfgAddBool(f, "Tls_Disable1_2", c->SslAcceptSettings.Tls_Disable1_2);

View File

@ -4431,7 +4431,7 @@ void NatTcpConnectThread(THREAD *t, void *p)
// Attempt to connect to the TCP host
Debug("NatTcpConnect Connecting to %s:%u\n", hostname, port_number);
sock = ConnectEx3(hostname, port_number, 0, &n->NatTcpCancelFlag, NULL, NULL, false, false, true);
sock = ConnectEx3(hostname, port_number, 0, &n->NatTcpCancelFlag, NULL, NULL, false, true);
if (sock == NULL)
{
// Connection failure

View File

@ -1460,7 +1460,7 @@ void WinConnectDlgThread(THREAD *thread, void *param)
nat_t_svc_name = d->nat_t_svc_name;
}
s = ConnectEx3(d->hostname, d->port, d->timeout, &d->cancel, nat_t_svc_name, &nat_t_error_code, d->try_start_ssl, d->ssl_no_tls, false);
s = ConnectEx3(d->hostname, d->port, d->timeout, &d->cancel, nat_t_svc_name, &nat_t_error_code, d->try_start_ssl, false);
d->ret_sock = s;
d->nat_t_error_code = nat_t_error_code;
@ -1536,7 +1536,7 @@ UINT WinConnectDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void *
}
// TCP connection with showing the UI
SOCK *WinConnectEx3(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl, bool ssl_no_tls)
SOCK *WinConnectEx3(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl)
{
wchar_t tmp[MAX_SIZE];
wchar_t tmp2[MAX_SIZE];
@ -1572,7 +1572,6 @@ SOCK *WinConnectEx3(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_
Zero(&d, sizeof(d));
d.try_start_ssl = try_start_ssl;
d.ssl_no_tls = ssl_no_tls;
d.cancel = false;
d.caption = caption;
d.icon_id = icon_id;

View File

@ -449,7 +449,6 @@ typedef struct WINCONNECT_DLG_DATA
char nat_t_svc_name[MAX_SIZE];
UINT nat_t_error_code;
bool try_start_ssl;
bool ssl_no_tls;
} WINCONNECT_DLG_DATA;
HBITMAP ResizeBitmap(HBITMAP hSrc, UINT src_x, UINT src_y, UINT dst_x, UINT dst_y);
@ -838,7 +837,7 @@ HFONT GetMeiryoFont();
HFONT GetMeiryoFontEx(UINT font_size);
HFONT GetMeiryoFontEx2(UINT font_size, bool bold);
bool ShowWindowsNetworkConnectionDialog();
SOCK *WinConnectEx3(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl, bool ssl_no_tls);
SOCK *WinConnectEx3(HWND hWnd, char *server, UINT port, UINT timeout, UINT icon_id, wchar_t *caption, wchar_t *info, UINT *nat_t_error_code, char *nat_t_svc_name, bool try_start_ssl);
UINT WinConnectDlgProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, void *param);
void WinConnectDlgThread(THREAD *thread, void *param);
void NicInfo(UI_NICINFO *info);

View File

@ -623,7 +623,7 @@ SOCK *WpcSockConnectEx(WPC_CONNECT *param, UINT *error_code, UINT timeout, bool
switch (param->ProxyType)
{
case PROXY_DIRECT:
sock = TcpConnectEx3(param->HostName, param->Port, timeout, cancel, NULL, true, NULL, false, false, NULL);
sock = TcpConnectEx3(param->HostName, param->Port, timeout, cancel, NULL, true, NULL, false, NULL);
if (sock == NULL)
{
err = ERR_CONNECT_FAILED;
@ -790,7 +790,7 @@ BUF *HttpRequestEx3(URL_DATA *data, INTERNET_SETTING *setting,
else
{
// If the connection is not SSL via HTTP Proxy
s = TcpConnectEx3(con.ProxyHostName, con.ProxyPort, timeout_connect, cancel, NULL, true, NULL, false, false, NULL);
s = TcpConnectEx3(con.ProxyHostName, con.ProxyPort, timeout_connect, cancel, NULL, true, NULL, false, NULL);
if (s == NULL)
{
*error_code = ERR_PROXY_CONNECT_FAILED;
@ -805,7 +805,7 @@ BUF *HttpRequestEx3(URL_DATA *data, INTERNET_SETTING *setting,
if (data->Secure)
{
// Start the SSL communication
if (StartSSLEx(s, NULL, NULL, true, 0, (IsEmptyStr(data->SniString) ? NULL : data->SniString)) == false)
if (StartSSLEx(s, NULL, NULL, 0, (IsEmptyStr(data->SniString) ? NULL : data->SniString)) == false)
{
// SSL connection failed
*error_code = ERR_PROTOCOL_ERROR;

View File

@ -829,7 +829,7 @@ bool GetIPViaDnsProxyForJapanFlets(IP *ip_ret, char *hostname, bool ipv6, UINT t
Format(connect_hostname2, sizeof(connect_hostname2), "[%s]", connect_hostname);
}
s = ConnectEx3(connect_hostname, BFLETS_DNS_PROXY_PORT, timeout, cancel, NULL, NULL, false, false, false);
s = ConnectEx3(connect_hostname, BFLETS_DNS_PROXY_PORT, timeout, cancel, NULL, NULL, false, false);
if (s == NULL)
{
@ -847,7 +847,7 @@ bool GetIPViaDnsProxyForJapanFlets(IP *ip_ret, char *hostname, bool ipv6, UINT t
SetTimeout(s, timeout);
// Start the SSL
if (StartSSLEx(s, NULL, NULL, true, 0, NULL) && (*cancel == false))
if (StartSSLEx(s, NULL, NULL, 0, NULL) && (*cancel == false))
{
UCHAR hash[SHA1_SIZE];
BUF *hash2 = StrToBin(BFLETS_DNS_PROXY_CERT_HASH);
@ -12141,9 +12141,9 @@ bool AddChainSslCert(struct ssl_ctx_st *ctx, X *x)
// Start a TCP-SSL communication
bool StartSSL(SOCK *sock, X *x, K *priv)
{
return StartSSLEx(sock, x, priv, true, 0, NULL);
return StartSSLEx(sock, x, priv, 0, NULL);
}
bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, char *sni_hostname)
bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname)
{
X509 *x509;
EVP_PKEY *key;
@ -12203,39 +12203,32 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch
{
if (sock->ServerMode)
{
SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method());
SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_server_method());
#ifdef SSL_OP_NO_SSLv2
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2);
#endif // SSL_OP_NO_SSLv2
if (sock->SslAcceptSettings.AcceptOnlyTls)
{
#ifdef SSL_OP_NO_SSLv3
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
#endif // SSL_OP_NO_SSLv3
}
#ifdef SSL_OP_NO_TLSv1
if (sock->SslAcceptSettings.Tls_Disable1_0)
{
#ifdef SSL_OP_NO_TLSv1
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1);
#endif // SSL_OP_NO_TLSv1
}
#endif // SSL_OP_NO_TLSv1
#ifdef SSL_OP_NO_TLSv1_1
if (sock->SslAcceptSettings.Tls_Disable1_1)
{
#ifdef SSL_OP_NO_TLSv1_1
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
#endif // SSL_OP_NO_TLSv1_1
}
#endif // SSL_OP_NO_TLSv1_1
#ifdef SSL_OP_NO_TLSv1_2
if (sock->SslAcceptSettings.Tls_Disable1_2)
{
#ifdef SSL_OP_NO_TLSv1_2
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
#endif // SSL_OP_NO_TLSv1_2
}
#endif // SSL_OP_NO_TLSv1_2
Unlock(openssl_lock);
AddChainSslCertOnDirectory(ssl_ctx);
@ -12243,24 +12236,18 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch
}
else
{
if (client_tls == false)
{
#if OPENSSL_VERSION_NUMBER < 0x10100000L
SSL_CTX_set_ssl_version(ssl_ctx, SSLv3_method());
#else
SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method());
#endif
}
else
{
SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method());
}
SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method());
#ifdef SSL_OP_NO_SSLv3
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
#endif // SSL_OP_NO_SSLv3
}
sock->ssl = SSL_new(ssl_ctx);
SSL_set_fd(sock->ssl, (int)sock->socket);
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
if (sock->ServerMode == false && client_tls)
if (sock->ServerMode == false)
{
if (IsEmptyStr(sni_hostname) == false)
{
@ -14279,7 +14266,7 @@ void ConnectThreadForTcp(THREAD *thread, void *param)
// Connecting process
IPToStr(hostname, sizeof(hostname), &p->Ip);
sock = ConnectEx3(hostname, p->Port, p->Timeout, p->CancelFlag, NULL, NULL, false, false, true);
sock = ConnectEx3(hostname, p->Port, p->Timeout, p->CancelFlag, NULL, NULL, false, true);
if (sock != NULL && p->Tcp_TryStartSsl)
{
@ -14304,7 +14291,7 @@ void ConnectThreadForTcp(THREAD *thread, void *param)
Unlock(p->CancelLock);
// Start the SSL communication
ssl_ret = StartSSLEx(sock, NULL, NULL, p->Tcp_SslNoTls, 0, p->Hostname);
ssl_ret = StartSSLEx(sock, NULL, NULL, 0, p->Hostname);
if (ssl_ret)
{
@ -14417,14 +14404,13 @@ SOCK *ConnectEx(char *hostname, UINT port, UINT timeout)
}
SOCK *ConnectEx2(char *hostname, UINT port, UINT timeout, bool *cancel_flag)
{
return ConnectEx3(hostname, port, timeout, cancel_flag, NULL, NULL, false, false, true);
return ConnectEx3(hostname, port, timeout, cancel_flag, NULL, NULL, false, true);
}
SOCK *ConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool ssl_no_tls, bool no_get_hostname)
SOCK *ConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname)
{
return ConnectEx4(hostname, port, timeout, cancel_flag, nat_t_svc_name, nat_t_error_code, try_start_ssl, ssl_no_tls,
no_get_hostname, NULL);
return ConnectEx4(hostname, port, timeout, cancel_flag, nat_t_svc_name, nat_t_error_code, try_start_ssl, no_get_hostname, NULL);
}
SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool ssl_no_tls, bool no_get_hostname, IP *ret_ip)
SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, IP *ret_ip)
{
SOCK *sock;
SOCKET s;
@ -14603,7 +14589,6 @@ SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, cha
p1.CancelFlag = &cancel_flag2;
p1.FinishEvent = finish_event;
p1.Tcp_TryStartSsl = try_start_ssl;
p1.Tcp_SslNoTls = ssl_no_tls;
p1.CancelLock = NewLock();
// p2: NAT-T

View File

@ -250,7 +250,6 @@ struct SOCK_EVENT
// SSL Accept Settings
struct SSL_ACCEPT_SETTINGS
{
bool AcceptOnlyTls;
bool Tls_Disable1_0;
bool Tls_Disable1_1;
bool Tls_Disable1_2;
@ -927,7 +926,6 @@ struct CONNECT_TCP_RUDP_PARAM
UINT RUdpProtocol;
UINT Delay;
bool Tcp_TryStartSsl;
bool Tcp_SslNoTls;
LOCK *CancelLock;
SOCK *CancelDisconnectSock;
bool Tcp_InNegotiation;
@ -1271,8 +1269,8 @@ void CleanupSock(SOCK *s);
SOCK *Connect(char *hostname, UINT port);
SOCK *ConnectEx(char *hostname, UINT port, UINT timeout);
SOCK *ConnectEx2(char *hostname, UINT port, UINT timeout, bool *cancel_flag);
SOCK *ConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool ssl_no_tls, bool no_get_hostname);
SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool ssl_no_tls, bool no_get_hostname, IP *ret_ip);
SOCK *ConnectEx3(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname);
SOCK *ConnectEx4(char *hostname, UINT port, UINT timeout, bool *cancel_flag, char *nat_t_svc_name, UINT *nat_t_error_code, bool try_start_ssl, bool no_get_hostname, IP *ret_ip);
SOCKET ConnectTimeoutIPv4(IP *ip, UINT port, UINT timeout, bool *cancel_flag);
void SetSocketSendRecvBufferSize(SOCKET s, UINT size);
bool SetSocketBufferSize(SOCKET s, bool send, UINT size);
@ -1295,7 +1293,7 @@ void SetNoNeedToRead(SOCK *sock);
UINT SecureSend(SOCK *sock, void *data, UINT size);
UINT SecureRecv(SOCK *sock, void *data, UINT size);
bool StartSSL(SOCK *sock, X *x, K *priv);
bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, char *sni_hostname);
bool StartSSLEx(SOCK *sock, X *x, K *priv, UINT ssl_timeout, char *sni_hostname);
bool AddChainSslCert(struct ssl_ctx_st *ctx, X *x);
void AddChainSslCertOnDirectory(struct ssl_ctx_st *ctx);
bool SendAll(SOCK *sock, void *data, UINT size, bool secure);

View File

@ -1564,7 +1564,6 @@ BEGIN
EDITTEXT E_RETRY_SPAN,318,251,41,11,ES_RIGHT | ES_AUTOHSCROLL | ES_NUMBER
LTEXT "@S_RETRY_SPAN_2",S_RETRY_SPAN_2,364,252,72,9
CONTROL "@R_INFINITE",R_INFINITE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,266,265,171,9
CONTROL "@R_NOTLS1",R_NOTLS1,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,253,280,87,9
PUSHBUTTON "@B_DETAIL",B_DETAIL,344,277,87,15
DEFPUSHBUTTON "@IDOK",IDOK,308,300,64,17
PUSHBUTTON "@IDCANCEL",IDCANCEL,380,300,64,17

View File

@ -360,8 +360,6 @@
#define B_IE 1087
#define B_EXPORT 1088
#define IDC_STATIC1 1088
#define R_R_NOTLS1 1088
#define R_NOTLS1 1088
#define R_USE_PASSWORD 1089
#define IDC_STATIC3 1089
#define B_IMPORT2 1089

View File

@ -2332,7 +2332,6 @@ S_RETRY_NUM_2 次
S_RETRY_SPAN_1 重连间隔(&K):
S_RETRY_SPAN_2 秒
R_INFINITE 无限重连(总是保持 VPN 在线) (&I)
R_NOTLS1 使用 SSL 3.0 (&1)
B_DETAIL 高级设置(&D)...
IDOK 确定(&O)
IDCANCEL 取消

View File

@ -2312,7 +2312,6 @@ S_RETRY_NUM_2 times
S_RETRY_SPAN_1 Reconnect Interval:
S_RETRY_SPAN_2 seconds
R_INFINITE &Infinite Reconnects (Keep VPN Always Online)
R_NOTLS1 Use SSL 3.0 (&1)
B_DETAIL A&dvanced Settings...
IDOK &OK
IDCANCEL Cancel

View File

@ -2317,7 +2317,6 @@ S_RETRY_NUM_2 回
S_RETRY_SPAN_1 再接続間隔(&K):
S_RETRY_SPAN_2 秒
R_INFINITE 無限に再接続を試行する (常時接続) (&I)
R_NOTLS1 SSL 3.0 を使用する(&1)
B_DETAIL 高度な通信設定(&N)...
IDOK &OK
IDCANCEL キャンセル

View File

@ -2312,7 +2312,6 @@ S_RETRY_NUM_2 회
S_RETRY_SPAN_1 다시 연결 간격 (&K):
S_RETRY_SPAN_2 초
R_INFINITE 무한 재 연결을 시도하는 (상시 접속) (&I)
R_NOTLS1 사용 SSL 3.0(&1)
B_DETAIL 고급 통신 설정 (&N)...
IDOK & OK
IDCANCEL 취소

View File

@ -2333,7 +2333,6 @@ S_RETRY_NUM_2 次
S_RETRY_SPAN_1 重連間隔(&K):
S_RETRY_SPAN_2 秒
R_INFINITE 無限重連(總是保持 VPN 線上) (&I)
R_NOTLS1 使用 SSL 3.0 (&1)
B_DETAIL 進階設置(&D)...
IDOK 確定(&O)
IDCANCEL 取消