[asterisk-commits] bebuild: tag certified-1.8.28-cert2 r426054 - in /certified/tags/1.8.28-cert2...
Author: bebuild
Date: Mon Oct 20 09:43:42 2014
New Revision: 426054
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=426054
Log:
Merge 426052
Removed:
certified/tags/1.8.28-cert2/certified-asterisk-1.8.28-cert1-summary.html
certified/tags/1.8.28-cert2/certified-asterisk-1.8.28-cert1-summary.txt
Modified:
certified/tags/1.8.28-cert2/ (props changed)
certified/tags/1.8.28-cert2/.version
certified/tags/1.8.28-cert2/ChangeLog
certified/tags/1.8.28-cert2/UPGRADE.txt
certified/tags/1.8.28-cert2/main/tcptls.c
certified/tags/1.8.28-cert2/res/res_jabber.c
Propchange: certified/tags/1.8.28-cert2/
------------------------------------------------------------------------------
--- branch-1.8-merged (original)
+++ branch-1.8-merged Mon Oct 20 09:43:42 2014
@@ -1,1 +1,1 @@
-/branches/1.8:1-415260,415841,416066,419630,420434
+/branches/1.8:1-415260,415841,416066,419630,420434,425985
Propchange: certified/tags/1.8.28-cert2/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Mon Oct 20 09:43:42 2014
@@ -1,2 +1,3 @@
/certified/branches/1.8.15:370667,418367
+/certified/branches/1.8.28:426052
/trunk:394552,394567
Modified: certified/tags/1.8.28-cert2/.version
URL: http://svnview.digium.com/svn/asterisk/certified/tags/1.8.28-cert2/.version?view=diff&rev=426054&r1=426053&r2=426054
==============================================================================
--- certified/tags/1.8.28-cert2/.version (original)
+++ certified/tags/1.8.28-cert2/.version Mon Oct 20 09:43:42 2014
@@ -1,1 +1,1 @@
-1.8.28-cert1
+1.8.28-cert2
Modified: certified/tags/1.8.28-cert2/ChangeLog
URL: http://svnview.digium.com/svn/asterisk/certified/tags/1.8.28-cert2/ChangeLog?view=diff&rev=426054&r1=426053&r2=426054
==============================================================================
--- certified/tags/1.8.28-cert2/ChangeLog (original)
+++ certified/tags/1.8.28-cert2/ChangeLog Mon Oct 20 09:43:42 2014
@@ -1,3 +1,29 @@
+2014-10-20 Asterisk Development Team <asteriskteam at digium.com>
+
+ * Certified Asterisk 1.8.28-cert2 Released.
+
+ * AST-2014-011: Fix POODLE security issues
+
+ There are two aspects to the vulnerability:
+ (1) res_jabber/res_xmpp use SSLv3 only. This patch updates the module
+ to use TLSv1+. At this time, it does not refactor res_jabber/
+ res_xmpp to use the TCP/TLS core, which should be done as an
+ improvement at a latter date.
+ (2) The TCP/TLS core, when tlsclientmethod/sslclientmethod is left
+ unspecified, will default to the OpenSSL SSLv23_method. This
+ method allows for all encryption methods, including SSLv2/SSLv3.
+ A MITM can exploit this by forcing a fallback to SSLv3, which
+ leaves the server vulnerable to POODLE. This patch adds WARNINGS
+ if a user uses SSLv2/SSLv3 in their configuration, and explicitly
+ disables SSLv2/SSLv3 if using SSLv23_method.
+
+ For TLS clients, Asterisk will default to TLSv1+ and WARN if SSLv2 or
+ SSLv3 is explicitly chosen. For TLS servers, Asterisk will no longer
+ support SSLv2 or SSLv3.
+
+ Much thanks to abelbeck for reporting the vulnerability and providing
+ a patch for the res_jabber/res_xmpp modules.
+
2014-09-05 Asterisk Development Team <asteriskteam at digium.com>
* Certified Asterisk 1.8.28-cert1 Released.
Modified: certified/tags/1.8.28-cert2/UPGRADE.txt
URL: http://svnview.digium.com/svn/asterisk/certified/tags/1.8.28-cert2/UPGRADE.txt?view=diff&rev=426054&r1=426053&r2=426054
==============================================================================
--- certified/tags/1.8.28-cert2/UPGRADE.txt (original)
+++ certified/tags/1.8.28-cert2/UPGRADE.txt Mon Oct 20 09:43:42 2014
@@ -18,6 +18,18 @@
===
===========================================================
+from 1.8.28-cert1 to 1.8.28-cert2:
+
+* Due to the POODLE vulnerability (see
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566), the
+ default TLS method for TLS clients will no longer allow SSLv3. As
+ SSLv2 was already deprecated, it is no longer allowed by default as
+ well. TLS servers no longer allow SSLv2 or SSLv3 connections. This
+ affects the chan_sip channel driver, AMI, and the Asterisk HTTP server.
+
+* The res_jabber resource module no longer uses SSLv3 to connect to an
+ XMPP server. It will now only use TLSv1 or later methods.
+
from 1.8.28-cert0 to 1.8.28-cert1
* Added http.conf session_inactivity timer option to close HTTP connections
that aren't doing anything.
Modified: certified/tags/1.8.28-cert2/main/tcptls.c
URL: http://svnview.digium.com/svn/asterisk/certified/tags/1.8.28-cert2/main/tcptls.c?view=diff&rev=426054&r1=426053&r2=426054
==============================================================================
--- certified/tags/1.8.28-cert2/main/tcptls.c (original)
+++ certified/tags/1.8.28-cert2/main/tcptls.c Mon Oct 20 09:43:42 2014
@@ -736,6 +736,8 @@
cfg->enabled = 0;
return 0;
#else
+ int disable_ssl = 0;
+
if (!cfg->enabled)
return 0;
@@ -750,22 +752,21 @@
if (client) {
#ifndef OPENSSL_NO_SSL2
if (ast_test_flag(&cfg->flags, AST_SSL_SSLV2_CLIENT)) {
+ ast_log(LOG_WARNING, "Usage of SSLv2 is discouraged due to known vulnerabilities. Please use 'tlsv1' or leave the TLS method unspecified!\n");
cfg->ssl_ctx = SSL_CTX_new(SSLv2_client_method());
} else
#endif
if (ast_test_flag(&cfg->flags, AST_SSL_SSLV3_CLIENT)) {
+ ast_log(LOG_WARNING, "Usage of SSLv3 is discouraged due to known vulnerabilities. Please use 'tlsv1' or leave the TLS method unspecified!\n");
cfg->ssl_ctx = SSL_CTX_new(SSLv3_client_method());
} else if (ast_test_flag(&cfg->flags, AST_SSL_TLSV1_CLIENT)) {
cfg->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
} else {
- /* SSLv23_client_method() sends SSLv2, this was the original
- * default for ssl clients before the option was given to
- * pick what protocol a client should use. In order not
- * to break expected behavior it remains the default. */
+ disable_ssl = 1;
cfg->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
}
} else {
- /* SSLv23_server_method() supports TLSv1, SSLv2, and SSLv3 inbound connections. */
+ disable_ssl = 1;
cfg->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
}
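Review bot: The two new warnings in the SSLv2 and SSLv3 client branches tell the operator to "use 'tlsv1'" but never say which option is being read, and the ChangeLog names three consumers of this core (chan_sip, AMI, the HTTP server), so the log line alone does not identify the configuration file to fix. If the config struct carries an identifying string (it is not visible in this hunk, only `cfg->enabled`, `cfg->flags` and `cfg->ssl_ctx` are), include it, and name the option the ChangeLog refers to, e.g. `"... Please set tlsclientmethod/sslclientmethod to 'tlsv1' or leave it unspecified!\n"`. The server branch gets no warning at all, which is consistent with the ChangeLog statement that servers no longer support SSLv2/SSLv3 regardless of configuration, but it may be worth a one-line comment there saying that the protocol choice for servers is not configurable. The enclosing function starts before this hunk.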
@@ -773,6 +774,17 @@
ast_debug(1, "Sorry, SSL_CTX_new call returned null...\n");
cfg->enabled = 0;
return 0;
+ }
+
+ /* Due to the POODLE vulnerability, completely disable
+ * SSLv2 and SSLv3 if we are not explicitly told to use
+ * them. SSLv23_*_method supports TLSv1+.
+ */
+ if (disable_ssl) {
+ long ssl_opts;
+
+ ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+ SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
}
SSL_CTX_set_verify(cfg->ssl_ctx,
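Review bot: The `ssl_opts` temporary in the new `if (disable_ssl)` block is declared, assigned on the next statement and used once, so it adds a line without adding meaning; `SSL_CTX_set_options(cfg->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` says the same thing in one line (the res/res_jabber.c hunk in this commit has the same declare-then-assign pattern). The comment above it should name the advisory the commit itself cites so a later reader does not have to find it in the ChangeLog, e.g. `/* AST-2014-011 / CVE-2014-3566 (POODLE): disable SSLv2 and SSLv3 unless explicitly configured; SSLv23_*_method still negotiates TLSv1+. */`. It is worth a note that `SSL_CTX_set_options` only ORs bits into the context, so this cannot undo anything set earlier in the function, which makes the separate `disable_ssl` flag from the first hunk the only coupling between the protocol selection and this block. The enclosing function starts before the first hunk and continues past this one.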
Modified: certified/tags/1.8.28-cert2/res/res_jabber.c
URL: http://svnview.digium.com/svn/asterisk/certified/tags/1.8.28-cert2/res/res_jabber.c?view=diff&rev=426054&r1=426053&r2=426054
==============================================================================
--- certified/tags/1.8.28-cert2/res/res_jabber.c (original)
+++ certified/tags/1.8.28-cert2/res/res_jabber.c Mon Oct 20 09:43:42 2014
@@ -1287,14 +1287,17 @@
{
int ret;
int sock;
+ long ssl_opts;
ast_debug(1, "Starting TLS handshake\n");
/* Choose an SSL/TLS protocol version, create SSL_CTX */
- client->ssl_method = SSLv3_method();
+ client->ssl_method = SSLv23_method();
if (!(client->ssl_context = SSL_CTX_new((SSL_METHOD *) client->ssl_method))) {
return IKS_NET_TLSFAIL;
}
+ ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+ SSL_CTX_set_options(client->ssl_context, ssl_opts);
/* Create new SSL session */
if (!(client->ssl_session = SSL_new(client->ssl_context))) {
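Review bot: The change from `SSLv3_method()` to `SSLv23_method()` is only safe because of the `SSL_CTX_set_options` call added a few lines later, but the existing comment "Choose an SSL/TLS protocol version, create SSL_CTX" does not say so, and a reader could reasonably treat the options call as optional and drop it. Replace the comment with one that ties the two together, e.g. `/* SSLv23_method() negotiates the highest version both peers support; SSLv2/SSLv3 are masked out below (AST-2014-011, CVE-2014-3566 / POODLE). */`. The new `long ssl_opts;` declaration at the top of the function is only assigned after `SSL_CTX_new` succeeds, so `long ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;` at the declaration, or passing the mask directly, keeps the value next to its meaning. The function signature is above this hunk and the body continues after it.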