
tls: options to set TLS versions lower limit

- example: if method is set to TLSv1.1+, then the connection must negotiate
TLSv1.1 or a newer version
- closes FS#502

Daniel-Constantin Mierla authored on 02/01/2015 10:18:47
Showing 4 changed files
... ...
@@ -114,8 +114,13 @@ static cfg_option_t methods[] = {
114 114
 	{"SSLv3",   .val = TLS_USE_SSLv3},
115 115
 	{"SSLv23",  .val = TLS_USE_SSLv23},
116 116
 	{"TLSv1",   .val = TLS_USE_TLSv1},
117
-	{"TLSv1.1", .val = TLS_USE_TLSv1_1},
118
-	{"TLSv1.2", .val = TLS_USE_TLSv1_2},
117
+	{"TLSv1.0", .val = TLS_USE_TLSv1},
118
+	{"TLSv1+",  .val = TLS_USE_TLSv1_PLUS},
119
+	{"TLSv1.0+", .val = TLS_USE_TLSv1_PLUS},
120
+	{"TLSv1.1",  .val = TLS_USE_TLSv1_1},
121
+	{"TLSv1.1+", .val = TLS_USE_TLSv1_1_PLUS},
122
+	{"TLSv1.2",  .val = TLS_USE_TLSv1_2},
123
+	{"TLSv1.2+", .val = TLS_USE_TLSv1_2_PLUS},
119 124
 	{0}
120 125
 };
121 126
 
... ...
@@ -455,14 +460,14 @@ int tls_parse_method(str* method)
455 460
 	if (!opt) return -1;
456 461
 
457 462
 #if OPENSSL_VERSION_NUMBER < 0x1000100fL
458
-	if(opt->val == TLS_USE_TLSv1_1) {
463
+	if(opt->val == TLS_USE_TLSv1_1 || opt->val == TLS_USE_TLSv1_1_PLUS) {
459 464
 		LM_ERR("tls v1.1 not supported by this libssl version: %ld\n",
460 465
 				(long)OPENSSL_VERSION_NUMBER);
461 466
 		return -1;
462 467
 	}
463 468
 #endif
464 469
 #if OPENSSL_VERSION_NUMBER < 0x1000105fL
465
-	if(opt->val == TLS_USE_TLSv1_2) {
470
+	if(opt->val == TLS_USE_TLSv1_2 || opt->val == TLS_USE_TLSv1_2_PLUS) {
466 471
 		LM_ERR("tls v1.2 not supported by this libssl version: %ld\n",
467 472
 				(long)OPENSSL_VERSION_NUMBER);
468 473
 		return -1;
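Review bot: The libssl-version guards here are the only thing that keeps a `TLSv1.1+` or `TLSv1.2+` setting from reaching a range slot that init_ssl_methods() never populated (it fills those entries under its own `OPENSSL_VERSION_NUMBER` thresholds), and nothing in the code ties the two sets of thresholds together. Add a comment on the `#if` lines, e.g. `/* keep in sync with the OPENSSL_VERSION_NUMBER guards in init_ssl_methods(): a range accepted here but not initialised there would set no protocol options at all */`. The message `tls v1.1 not supported by this libssl version` is also what a user sees for `TLSv1.1+`; it could name the configured method string to make the rejection obvious. tls_parse_method() continues outside this hunk.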
... ...
@@ -896,13 +896,25 @@ static int fix_domain(tls_domain_t* d, tls_domain_t* def)
896 896
 		ERR("%s: Cannot allocate shared memory\n", tls_domain_str(d));
897 897
 		return -1;
898 898
 	}
899
+	if(d->method>TLS_USE_TLSvRANGE) {
900
+		LM_DBG("using tls methods range: %d\n", d->method);
901
+	} else {
902
+		LM_DBG("using one tls method version: %d\n", d->method);
903
+	}
899 904
 	memset(d->ctx, 0, sizeof(SSL_CTX*) * procs_no);
900 905
 	for(i = 0; i < procs_no; i++) {
901
-		d->ctx[i] = SSL_CTX_new((SSL_METHOD*)ssl_methods[d->method - 1]);
906
+		if(d->method>TLS_USE_TLSvRANGE) {
907
+			d->ctx[i] = SSL_CTX_new(SSLv23_method());
908
+		} else {
909
+			d->ctx[i] = SSL_CTX_new((SSL_METHOD*)ssl_methods[d->method - 1]);
910
+		}
902 911
 		if (d->ctx[i] == NULL) {
903 912
 			ERR("%s: Cannot create SSL context\n", tls_domain_str(d));
904 913
 			return -1;
905 914
 		}
915
+		if(d->method>TLS_USE_TLSvRANGE) {
916
+			SSL_CTX_set_options(d->ctx[i], (long)ssl_methods[d->method - 1]);
917
+		}
906 918
 	}
907 919
 	
908 920
 	if (load_cert(d) < 0) return -1;
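Review bot: In the range branch, `SSL_CTX_set_options(d->ctx[i], (long)ssl_methods[d->method - 1])` is applied without checking that the table slot was populated; init_ssl_methods() only fills the `TLS_USE_TLSv1_1_PLUS` / `TLS_USE_TLSv1_2_PLUS` slots on a new-enough libssl, and a zeroed slot cast to long is 0, so the call becomes a no-op and the context silently stays at plain SSLv23_method() with every protocol version, SSLv2 and SSLv3 included, still enabled. tls_parse_method() rejects such values today, but this is the last line of defence and should fail closed: `if(ssl_methods[d->method - 1] == NULL) { ERR("%s: TLS version range not supported by this libssl\n", tls_domain_str(d)); return -1; }` before the set_options call. The single-version branch gets this for free because SSL_CTX_new(NULL) fails and is caught by the existing NULL check. The new lines also mix `LM_DBG` with the `ERR` macro the rest of the function uses; pick one family. fix_domain() starts and ends outside this hunk.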
... ...
@@ -33,29 +33,46 @@
33 33
 #include <openssl/ssl.h>
34 34
 
35 35
 
36
+#define TLS_OP_SSLv2_PLUS   0
37
+#define TLS_OP_SSLv3_PLUS   (TLS_OP_SSLv2_PLUS   | SSL_OP_NO_SSLv2)
38
+#define TLS_OP_TLSv1_PLUS   (TLS_OP_SSLv3_PLUS   | SSL_OP_NO_SSLv3)
39
+
40
+#ifdef SSL_OP_NO_TLSv1
41
+#  define TLS_OP_TLSv1_1_PLUS (TLS_OP_TLSv1_PLUS   | SSL_OP_NO_TLSv1)
42
+
43
+#  ifdef SSL_OP_NO_TLSv1_1
44
+#    define TLS_OP_TLSv1_2_PLUS (TLS_OP_TLSv1_1_PLUS | SSL_OP_NO_TLSv1_1)
45
+#  endif /*SSL_OP_NO_TLSv1_1*/
46
+
47
+#endif /*SSL_OP_NO_TLSv1*/
48
+
36 49
 /**
37 50
  * Available TLS methods
38 51
  */
39 52
 enum tls_method {
40 53
 	TLS_METHOD_UNSPEC = 0,
54
+	TLS_USE_SSLv23_cli,
55
+	TLS_USE_SSLv23_srv,
56
+	TLS_USE_SSLv23,     /* any SSL/TLS version */
41 57
 	TLS_USE_SSLv2_cli,
42 58
 	TLS_USE_SSLv2_srv,
43
-	TLS_USE_SSLv2,
59
+	TLS_USE_SSLv2,      /* only SSLv2 (deprecated) */
44 60
 	TLS_USE_SSLv3_cli,
45 61
 	TLS_USE_SSLv3_srv,
46
-	TLS_USE_SSLv3,
62
+	TLS_USE_SSLv3,      /* only SSLv3 (insecure) */
47 63
 	TLS_USE_TLSv1_cli,
48 64
 	TLS_USE_TLSv1_srv,
49
-	TLS_USE_TLSv1,
50
-	TLS_USE_SSLv23_cli,
51
-	TLS_USE_SSLv23_srv,
52
-	TLS_USE_SSLv23,
65
+	TLS_USE_TLSv1,      /* only TLSv1.0 */
53 66
 	TLS_USE_TLSv1_1_cli,
54 67
 	TLS_USE_TLSv1_1_srv,
55
-	TLS_USE_TLSv1_1,
68
+	TLS_USE_TLSv1_1,    /* only TLSv1.1 */
56 69
 	TLS_USE_TLSv1_2_cli,
57 70
 	TLS_USE_TLSv1_2_srv,
58
-	TLS_USE_TLSv1_2,
71
+	TLS_USE_TLSv1_2,    /* only TLSv1.2 */
72
+	TLS_USE_TLSvRANGE,    /* placeholder - TLSvX ranges must be after it */
73
+	TLS_USE_TLSv1_PLUS,   /* TLSv1.0 or greater */
74
+	TLS_USE_TLSv1_1_PLUS, /* TLSv1.1 or greater */
75
+	TLS_USE_TLSv1_2_PLUS, /* TLSv1.1 or greater */
59 76
 	TLS_METHOD_MAX
60 77
 };
61 78
 
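Review bot: The comment on the new `TLS_USE_TLSv1_2_PLUS` enumerator is wrong: it says `/* TLSv1.1 or greater */`, but this value selects TLSv1.2 as the floor, so it should read `TLS_USE_TLSv1_2_PLUS, /* TLSv1.2 or greater */`. The placeholder comment on `TLS_USE_TLSvRANGE` should also say why the order is load-bearing, e.g. `/* placeholder: fix_domain() treats every value greater than this as a version range, so TLSvX_PLUS values must stay after it */`. The `TLS_OP_TLSv1_1_PLUS` and `TLS_OP_TLSv1_2_PLUS` macros are defined under `#ifdef SSL_OP_NO_TLSv1` / `#ifdef SSL_OP_NO_TLSv1_1`, while the code that stores them (init_ssl_methods, outside this hunk) appears to use `OPENSSL_VERSION_NUMBER` guards; if those conditions ever diverge the build fails on an undefined identifier, so a note such as `/* guards must agree with the OPENSSL_VERSION_NUMBER checks in init_ssl_methods() */` would help the next maintainer.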
... ...
@@ -329,6 +329,12 @@ static void init_ssl_methods(void)
329 329
 {
330 330
 	memset(ssl_methods, 0, sizeof(ssl_methods));
331 331
 
332
+	/* any SSL/TLS version */
333
+	ssl_methods[TLS_USE_SSLv23_cli - 1] = SSLv23_client_method();
334
+	ssl_methods[TLS_USE_SSLv23_srv - 1] = SSLv23_server_method();
335
+	ssl_methods[TLS_USE_SSLv23 - 1] = SSLv23_method();
336
+
337
+	/* only specific SSL or TLS version */
332 338
 #ifndef OPENSSL_NO_SSL2
333 339
 	ssl_methods[TLS_USE_SSLv2_cli - 1] = SSLv2_client_method();
334 340
 	ssl_methods[TLS_USE_SSLv2_srv - 1] = SSLv2_server_method();
... ...
@@ -343,10 +349,6 @@ static void init_ssl_methods(void)
343 349
 	ssl_methods[TLS_USE_TLSv1_srv - 1] = TLSv1_server_method();
344 350
 	ssl_methods[TLS_USE_TLSv1 - 1] = TLSv1_method();
345 351
 
346
-	ssl_methods[TLS_USE_SSLv23_cli - 1] = SSLv23_client_method();
347
-	ssl_methods[TLS_USE_SSLv23_srv - 1] = SSLv23_server_method();
348
-	ssl_methods[TLS_USE_SSLv23 - 1] = SSLv23_method();
349
-
350 352
 #if OPENSSL_VERSION_NUMBER >= 0x1000100fL
351 353
 	ssl_methods[TLS_USE_TLSv1_1_cli - 1] = TLSv1_1_client_method();
352 354
 	ssl_methods[TLS_USE_TLSv1_1_srv - 1] = TLSv1_1_server_method();
... ...
@@ -358,6 +360,17 @@ static void init_ssl_methods(void)
358 360
 	ssl_methods[TLS_USE_TLSv1_2_srv - 1] = TLSv1_2_server_method();
359 361
 	ssl_methods[TLS_USE_TLSv1_2 - 1] = TLSv1_2_method();
360 362
 #endif
363
+
364
+	/* ranges of TLS versions (require a minimum TLS version) */
365
+	ssl_methods[TLS_USE_TLSv1_PLUS - 1] = (void*)TLS_OP_TLSv1_PLUS;
366
+
367
+#if OPENSSL_VERSION_NUMBER >= 0x1000100fL
368
+	ssl_methods[TLS_USE_TLSv1_1_PLUS - 1] = (void*)TLS_OP_TLSv1_1_PLUS;
369
+#endif
370
+
371
+#if OPENSSL_VERSION_NUMBER >= 0x1000105fL
372
+	ssl_methods[TLS_USE_TLSv1_2_PLUS - 1] = (void*)TLS_OP_TLSv1_2_PLUS;
373
+#endif
361 374
 }
362 375
 
363 376
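Review bot: Storing SSL_OP_* bitmasks in `ssl_methods[]`, a table of `SSL_METHOD` pointers, through `(void*)TLS_OP_TLSv1_PLUS` and reading them back with a `(long)` cast in fix_domain() is an integer-to-pointer round trip that depends on implementation-defined behaviour and hides the type from the compiler; a reader of the table cannot tell which entries are method pointers and which are option masks. A parallel `static long tls_range_opts[TLS_METHOD_MAX]` indexed the same way would keep the flags typed as the `long` that SSL_CTX_set_options() takes and remove the cast on both sides. If the shared table is kept, at least document the overloading at the point of assignment: `/* entries after TLS_USE_TLSvRANGE hold SSL_OP_NO_* masks, not SSL_METHOD pointers */`. These assignments are guarded by `OPENSSL_VERSION_NUMBER` while the `TLS_OP_TLSv1_1_PLUS` / `TLS_OP_TLSv1_2_PLUS` macros are guarded by `#ifdef SSL_OP_NO_TLSv1` / `#ifdef SSL_OP_NO_TLSv1_1` in the header, so a libssl build where the two disagree would fail to compile here; using the same condition in both places avoids that.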