[svn-commits] bebuild: tag certified-11.6-cert7 r426055 - in /certified/tags/11.6-cert7: ./...

SVN commits to the Digium repositories svn-commits at lists.digium.com
Mon Oct 20 09:45:47 CDT 2014 

Author: bebuild
Date: Mon Oct 20 09:45:42 2014
New Revision: 426055

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=426055
Log:
Merge 426053

Removed:
    certified/tags/11.6-cert7/certified-asterisk-11.6-cert6-summary.html
    certified/tags/11.6-cert7/certified-asterisk-11.6-cert6-summary.txt
Modified:
    certified/tags/11.6-cert7/   (props changed)
    certified/tags/11.6-cert7/.version
    certified/tags/11.6-cert7/ChangeLog
    certified/tags/11.6-cert7/UPGRADE.txt
    certified/tags/11.6-cert7/main/tcptls.c
    certified/tags/11.6-cert7/res/res_jabber.c
    certified/tags/11.6-cert7/res/res_xmpp.c

Propchange: certified/tags/11.6-cert7/
------------------------------------------------------------------------------
Binary property 'branch-11-merged' - no diff available.

Propchange: certified/tags/11.6-cert7/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Mon Oct 20 09:45:42 2014
@@ -1,3 +1,3 @@
 /branches/11:399513,401167,401179,401182,415825
 /certified/branches/1.8.15:382389
-/certified/branches/11.6:423426
+/certified/branches/11.6:423426,426053

Modified: certified/tags/11.6-cert7/.version
URL: http://svnview.digium.com/svn/asterisk/certified/tags/11.6-cert7/.version?view=diff&rev=426055&r1=426054&r2=426055
==============================================================================
--- certified/tags/11.6-cert7/.version (original)
+++ certified/tags/11.6-cert7/.version Mon Oct 20 09:45:42 2014
@@ -1,1 +1,1 @@
-11.6-cert6
+11.6-cert7

Modified: certified/tags/11.6-cert7/ChangeLog
URL: http://svnview.digium.com/svn/asterisk/certified/tags/11.6-cert7/ChangeLog?view=diff&rev=426055&r1=426054&r2=426055
==============================================================================
--- certified/tags/11.6-cert7/ChangeLog (original)
+++ certified/tags/11.6-cert7/ChangeLog Mon Oct 20 09:45:42 2014
@@ -1,3 +1,29 @@
+2014-10-20  Asterisk Development Team <asteriskteam at digium.com>
+
+	* Certified Asterisk 11.6-cert7 Released.
+
+	* AST-2014-011: Fix POODLE security issues
+
+	  There are two aspects to the vulnerability:
+	  (1) res_jabber/res_xmpp use SSLv3 only. This patch updates the module
+	      to use TLSv1+. At this time, it does not refactor res_jabber/
+	      res_xmpp to use the TCP/TLS core, which should be done as an
+	      improvement at a latter date.
+	  (2) The TCP/TLS core, when tlsclientmethod/sslclientmethod is left
+	      unspecified, will default to the OpenSSL SSLv23_method. This
+	      method allows for all encryption methods, including SSLv2/SSLv3.
+	      A MITM can exploit this by forcing a fallback to SSLv3, which
+	      leaves the server vulnerable to POODLE. This patch adds WARNINGS
+	      if a user uses SSLv2/SSLv3 in their configuration, and explicitly
+	      disables SSLv2/SSLv3 if using SSLv23_method.
+
+	  For TLS clients, Asterisk will default to TLSv1+ and WARN if SSLv2 or
+	  SSLv3 is explicitly chosen. For TLS servers, Asterisk will no longer
+	  support SSLv2 or SSLv3.
+
+	  Much thanks to abelbeck for reporting the vulnerability and providing
+	  a patch for the res_jabber/res_xmpp modules.
+
 2014-09-18  Asterisk Development Team <asteriskteam at digium.com>
 
 	* Certified Asterisk 11.6-cert6 Released.

Modified: certified/tags/11.6-cert7/UPGRADE.txt
URL: http://svnview.digium.com/svn/asterisk/certified/tags/11.6-cert7/UPGRADE.txt?view=diff&rev=426055&r1=426054&r2=426055
==============================================================================
--- certified/tags/11.6-cert7/UPGRADE.txt (original)
+++ certified/tags/11.6-cert7/UPGRADE.txt Mon Oct 20 09:45:42 2014
@@ -19,6 +19,18 @@
 === UPGRADE-10.txt -- Upgrade info for 1.8 to 10
 ===
 ===========================================================
+
+from 11.6-cert6 to 11.6-cert7:
+
+* Due to the POODLE vulnerability (see 
+  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566), the
+  default TLS method for TLS clients will no longer allow SSLv3. As
+  SSLv2 was already deprecated, it is no longer allowed by default as
+  well. TLS servers no longer allow SSLv2 or SSLv3 connections. This
+  affects the chan_sip channel driver, AMI, and the Asterisk HTTP server.
+
+* The res_jabber resource module no longer uses SSLv3 to connect to an
+  XMPP server. It will now only use TLSv1 or later methods.
 
 From 11.6-cert2 to 11.6-cert3:
 * MixMonitor AMI actions now require users to have authorization classes.

Modified: certified/tags/11.6-cert7/main/tcptls.c
URL: http://svnview.digium.com/svn/asterisk/certified/tags/11.6-cert7/main/tcptls.c?view=diff&rev=426055&r1=426054&r2=426055
==============================================================================
--- certified/tags/11.6-cert7/main/tcptls.c (original)
+++ certified/tags/11.6-cert7/main/tcptls.c Mon Oct 20 09:45:42 2014
@@ -741,6 +741,8 @@
 	cfg->enabled = 0;
 	return 0;
 #else
+	int disable_ssl = 0;
+ 
 	if (!cfg->enabled) {
 		return 0;
 	}
@@ -756,22 +758,21 @@
 	if (client) {
 #ifndef OPENSSL_NO_SSL2
 		if (ast_test_flag(&cfg->flags, AST_SSL_SSLV2_CLIENT)) {
+			ast_log(LOG_WARNING, "Usage of SSLv2 is discouraged due to known vulnerabilities. Please use 'tlsv1' or leave the TLS method unspecified!\n");
 			cfg->ssl_ctx = SSL_CTX_new(SSLv2_client_method());
 		} else
 #endif
 		if (ast_test_flag(&cfg->flags, AST_SSL_SSLV3_CLIENT)) {
+			ast_log(LOG_WARNING, "Usage of SSLv3 is discouraged due to known vulnerabilities. Please use 'tlsv1' or leave the TLS method unspecified!\n");
 			cfg->ssl_ctx = SSL_CTX_new(SSLv3_client_method());
 		} else if (ast_test_flag(&cfg->flags, AST_SSL_TLSV1_CLIENT)) {
 			cfg->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
 		} else {
-			/* SSLv23_client_method() sends SSLv2, this was the original
-			 * default for ssl clients before the option was given to
-			 * pick what protocol a client should use.  In order not
-			 * to break expected behavior it remains the default. */
+			disable_ssl = 1;
 			cfg->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
 		}
 	} else {
-		/* SSLv23_server_method() supports TLSv1, SSLv2, and SSLv3 inbound connections. */
+		disable_ssl = 1;
 		cfg->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
 	}
 
@@ -779,6 +780,17 @@
 		ast_debug(1, "Sorry, SSL_CTX_new call returned null...\n");
 		cfg->enabled = 0;
 		return 0;
+	}
+
+	/* Due to the POODLE vulnerability, completely disable
+	 * SSLv2 and SSLv3 if we are not explicitly told to use
+	 * them. SSLv23_*_method supports TLSv1+.
+	 */
+	if (disable_ssl) {
+		long ssl_opts;
+
+		ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+		SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
 	}
 
 	SSL_CTX_set_verify(cfg->ssl_ctx,

Modified: certified/tags/11.6-cert7/res/res_jabber.c
URL: http://svnview.digium.com/svn/asterisk/certified/tags/11.6-cert7/res/res_jabber.c?view=diff&rev=426055&r1=426054&r2=426055
==============================================================================
--- certified/tags/11.6-cert7/res/res_jabber.c (original)
+++ certified/tags/11.6-cert7/res/res_jabber.c Mon Oct 20 09:45:42 2014
@@ -1282,14 +1282,17 @@
 static int aji_tls_handshake(struct aji_client *client)
 {
 	int sock;
+	long ssl_opts;
 
 	ast_debug(1, "Starting TLS handshake\n");
 
 	/* Choose an SSL/TLS protocol version, create SSL_CTX */
-	client->ssl_method = SSLv3_method();
+	client->ssl_method = SSLv23_method();
 	if (!(client->ssl_context = SSL_CTX_new((SSL_METHOD *) client->ssl_method))) {
 		return IKS_NET_TLSFAIL;
 	}
+	ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+	SSL_CTX_set_options(client->ssl_context, ssl_opts);
 
 	/* Create new SSL session */
 	if (!(client->ssl_session = SSL_new(client->ssl_context))) {

Modified: certified/tags/11.6-cert7/res/res_xmpp.c
URL: http://svnview.digium.com/svn/asterisk/certified/tags/11.6-cert7/res/res_xmpp.c?view=diff&rev=426055&r1=426054&r2=426055
==============================================================================
--- certified/tags/11.6-cert7/res/res_xmpp.c (original)
+++ certified/tags/11.6-cert7/res/res_xmpp.c Mon Oct 20 09:45:42 2014
@@ -2501,6 +2501,7 @@
 {
 #ifdef HAVE_OPENSSL
 	int sock;
+	long ssl_opts;
 #endif
 
 	if (!strcmp(iks_name(node), "success")) {
@@ -2519,10 +2520,13 @@
 	ast_log(LOG_ERROR, "Somehow we managed to try to start TLS negotiation on client '%s' without OpenSSL support, disconnecting\n", client->name);
 	return -1;
 #else
-	client->ssl_method = SSLv3_method();
+	client->ssl_method = SSLv23_method();
 	if (!(client->ssl_context = SSL_CTX_new((SSL_METHOD *) client->ssl_method))) {
 		goto failure;
 	}
+
+	ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+	SSL_CTX_set_options(client->ssl_context, ssl_opts);
 
 	if (!(client->ssl_session = SSL_new(client->ssl_context))) {
 		goto failure;

More information about the svn-commits mailing list