[asterisk-commits] AST-2016-001 http: Provide greater control of TLS and set mo... (asterisk[master])

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Wed Feb 3 15:10:29 CST 2016


Kevin Harwell has submitted this change and it was merged.

Change subject: AST-2016-001 http: Provide greater control of TLS and set modern defaults.
......................................................................


AST-2016-001 http: Provide greater control of TLS and set modern defaults.

This change exposes the configuration of various aspects of the TLS
support and sets the default to the modern standards.

The TLS cipher is now set to the best values according to the
Mozilla OpSec team, different TLS versions can now be disabled, and
the cipher order can be forced to be that of the server instead of
the client.

ASTERISK-24972 #close

Change-Id: I0a10f2883f7559af5e48dee0901251dbf30d45b8
---
M configs/samples/http.conf.sample
M include/asterisk/tcptls.h
M main/http.c
M main/tcptls.c
4 files changed, 60 insertions(+), 9 deletions(-)

Approvals:
  Kevin Harwell: Looks good to me, approved; Verified



diff --git a/configs/samples/http.conf.sample b/configs/samples/http.conf.sample
index a4093bd..28437b0 100644
--- a/configs/samples/http.conf.sample
+++ b/configs/samples/http.conf.sample
@@ -90,6 +90,26 @@
 ; private in same .pem file.
 ; openssl req -new -x509 -days 365 -nodes -out /tmp/foo.pem -keyout /tmp/foo.pem
 ;
+; tlscipher=                             ; The list of allowed ciphers
+;                                        ; if none are specified the following cipher
+;                                        ; list will be used instead:
+; ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:
+; ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:
+; kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:
+; ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:
+; ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:
+; DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:
+; AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:
+; AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:
+; !EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+;
+; tlsdisablev1=yes                ; Disable TLSv1 support - if not set this defaults to "yes"
+; tlsdisablev11=yes               ; Disable TLSv1.1 support - if not set this defaults to "no"
+; tlsdisablev12=yes               ; Disable TLSv1.2 support - if not set this defaults to "no"
+;
+; tlsservercipherorder=yes        ; Use the server preference order instead of the client order
+;                                 ; Defaults to "yes"
+;
 ; The post_mappings section maps URLs to real paths on the filesystem.  If a
 ; POST is done from within an authenticated manager session to one of the
 ; configured POST mappings, then any files in the POST will be placed in the
diff --git a/include/asterisk/tcptls.h b/include/asterisk/tcptls.h
index a3f3f28..3c5f450 100644
--- a/include/asterisk/tcptls.h
+++ b/include/asterisk/tcptls.h
@@ -87,7 +87,15 @@
 	/*! Use SSLv3 for outgoing client connections */
 	AST_SSL_SSLV3_CLIENT = (1 << 4),
 	/*! Use TLSv1 for outgoing client connections */
-	AST_SSL_TLSV1_CLIENT = (1 << 5)
+	AST_SSL_TLSV1_CLIENT = (1 << 5),
+	/*! Use server cipher order instead of the client order */
+	AST_SSL_SERVER_CIPHER_ORDER = (1 << 6),
+	/*! Disable TLSv1 support */
+	AST_SSL_DISABLE_TLSV1 = (1 << 7),
+	/*! Disable TLSv1.1 support */
+	AST_SSL_DISABLE_TLSV11 = (1 << 8),
+	/*! Disable TLSv1.2 support */
+	AST_SSL_DISABLE_TLSV12 = (1 << 9),
 };
 
 struct ast_tls_config {
diff --git a/main/http.c b/main/http.c
index 3a9d9ce..5ec94a7 100644
--- a/main/http.c
+++ b/main/http.c
@@ -2102,10 +2102,13 @@
 	}
 	http_tls_cfg.pvtfile = ast_strdup("");
 
+	/* Apply modern intermediate settings according to the Mozilla OpSec team as of July 30th, 2015 but disable TLSv1 */
+	ast_set_flag(&http_tls_cfg.flags, AST_SSL_DISABLE_TLSV1 | AST_SSL_SERVER_CIPHER_ORDER);
+
 	if (http_tls_cfg.cipher) {
 		ast_free(http_tls_cfg.cipher);
 	}
-	http_tls_cfg.cipher = ast_strdup("");
+	http_tls_cfg.cipher = ast_strdup("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA");
 
 	AST_RWLIST_WRLOCK(&uri_redirects);
 	while ((redirect = AST_RWLIST_REMOVE_HEAD(&uri_redirects, entry))) {
@@ -2131,8 +2134,6 @@
 			&& strcasecmp(v->name, "tlsdontverifyserver")
 			&& strcasecmp(v->name, "tlsclientmethod")
 			&& strcasecmp(v->name, "sslclientmethod")
-			&& strcasecmp(v->name, "tlscipher")
-			&& strcasecmp(v->name, "sslcipher")
 			&& !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
 			continue;
 		}
diff --git a/main/tcptls.c b/main/tcptls.c
index 7ead094..3941794 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -816,7 +816,8 @@
 	return 0;
 #else
 	int disable_ssl = 0;
- 
+	long ssl_opts = 0;
+
 	if (!cfg->enabled) {
 		return 0;
 	}
@@ -864,11 +865,24 @@
 	 * them. SSLv23_*_method supports TLSv1+.
 	 */
 	if (disable_ssl) {
-		long ssl_opts;
-
-		ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
-		SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
+		ssl_opts |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
 	}
+
+	if (ast_test_flag(&cfg->flags, AST_SSL_SERVER_CIPHER_ORDER)) {
+		ssl_opts |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+	}
+
+	if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV1)) {
+		ssl_opts |= SSL_OP_NO_TLSv1;
+	}
+	if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV11)) {
+		ssl_opts |= SSL_OP_NO_TLSv1_1;
+	}
+	if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV12)) {
+		ssl_opts |= SSL_OP_NO_TLSv1_2;
+	}
+
+	SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
 
 	SSL_CTX_set_verify(cfg->ssl_ctx,
 		ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE,
@@ -1232,6 +1246,14 @@
 			ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
 			ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
 		}
+	} else if (!strcasecmp(varname, "tlsservercipherorder")) {
+		ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_SERVER_CIPHER_ORDER);
+	} else if (!strcasecmp(varname, "tlsdisablev1")) {
+		ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV1);
+	} else if (!strcasecmp(varname, "tlsdisablev11")) {
+		ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV11);
+	} else if (!strcasecmp(varname, "tlsdisablev12")) {
+		ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV12);
 	} else {
 		return -1;
 	}

-- 
To view, visit https://gerrit.asterisk.org/2165
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I0a10f2883f7559af5e48dee0901251dbf30d45b8
Gerrit-PatchSet: 3
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Owner: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: Anonymous Coward #1000019
Gerrit-Reviewer: Kevin Harwell <kharwell at digium.com>



More information about the asterisk-commits mailing list