1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
|
--- configs/http.conf.sample.orig 2014-06-12 16:05:50 UTC
+++ configs/http.conf.sample
@@ -67,10 +67,31 @@ bindaddr=127.0.0.1
; If no path is given for tlscertfile or tlsprivatekey, default is to look in current
; directory. If no tlsprivatekey is given, default is to search tlscertfile for private key.
;
+;
; To produce a certificate you can e.g. use openssl. This places both the cert and
; private in same .pem file.
; openssl req -new -x509 -days 365 -nodes -out /tmp/foo.pem -keyout /tmp/foo.pem
;
+; tlscipher= ; The list of allowed ciphers
+; ; if none are specified the following cipher
+; ; list will be used instead:
+; ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:
+; ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:
+; kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:
+; ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:
+; ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:
+; DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:
+; AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:
+; AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:
+; !EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+;
+; tlsdisablev1=yes ; Disable TLSv1 support - if not set this defaults to "yes"
+; tlsdisablev11=yes ; Disable TLSv1.1 support - if not set this defaults to "no"
+; tlsdisablev12=yes ; Disable TLSv1.2 support - if not set this defaults to "no"
+;
+; tlsservercipherorder=yes ; Use the server preference order instead of the client order
+; ; Defaults to "yes"
+;
; The post_mappings section maps URLs to real paths on the filesystem. If a
; POST is done from within an authenticated manager session to one of the
; configured POST mappings, then any files in the POST will be placed in the
--- include/asterisk/tcptls.h.orig 2014-06-13 04:58:51 UTC
+++ include/asterisk/tcptls.h
@@ -79,7 +79,15 @@ enum ast_ssl_flags {
/*! Use SSLv3 for outgoing client connections */
AST_SSL_SSLV3_CLIENT = (1 << 4),
/*! Use TLSv1 for outgoing client connections */
- AST_SSL_TLSV1_CLIENT = (1 << 5)
+ AST_SSL_TLSV1_CLIENT = (1 << 5),
+ /*! Use server cipher order instead of the client order */
+ AST_SSL_SERVER_CIPHER_ORDER = (1 << 6),
+ /*! Disable TLSv1 support */
+ AST_SSL_DISABLE_TLSV1 = (1 << 7),
+ /*! Disable TLSv1.1 support */
+ AST_SSL_DISABLE_TLSV11 = (1 << 8),
+ /*! Disable TLSv1.2 support */
+ AST_SSL_DISABLE_TLSV12 = (1 << 9),
};
struct ast_tls_config {
--- main/http.c.orig 2014-06-13 04:58:51 UTC
+++ main/http.c
@@ -1118,10 +1118,13 @@ static int __ast_http_load(int reload)
}
http_tls_cfg.pvtfile = ast_strdup("");
+ /* Apply modern intermediate settings according to the Mozilla OpSec team as of July 30th, 2015 but disable TLSv1 */
+ ast_set_flag(&http_tls_cfg.flags, AST_SSL_DISABLE_TLSV1 | AST_SSL_SERVER_CIPHER_ORDER);
+
if (http_tls_cfg.cipher) {
ast_free(http_tls_cfg.cipher);
}
- http_tls_cfg.cipher = ast_strdup("");
+ http_tls_cfg.cipher = ast_strdup("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA");
AST_RWLIST_WRLOCK(&uri_redirects);
while ((redirect = AST_RWLIST_REMOVE_HEAD(&uri_redirects, entry))) {
@@ -1146,8 +1149,6 @@ static int __ast_http_load(int reload)
&& strcasecmp(v->name, "tlsdontverifyserver")
&& strcasecmp(v->name, "tlsclientmethod")
&& strcasecmp(v->name, "sslclientmethod")
- && strcasecmp(v->name, "tlscipher")
- && strcasecmp(v->name, "sslcipher")
&& !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
continue;
}
--- main/tcptls.c.orig 2015-04-08 16:53:07 UTC
+++ main/tcptls.c
@@ -749,6 +749,7 @@ static int __ssl_setup(struct ast_tls_co
return 0;
#else
int disable_ssl = 0;
+ long ssl_opts = 0;
if (!cfg->enabled)
return 0;
@@ -793,12 +794,30 @@ static int __ssl_setup(struct ast_tls_co
* them. SSLv23_*_method supports TLSv1+.
*/
if (disable_ssl) {
- long ssl_opts;
+ ssl_opts |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+ }
- ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
- SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
+ if (ast_test_flag(&cfg->flags, AST_SSL_SERVER_CIPHER_ORDER)) {
+ ssl_opts |= SSL_OP_CIPHER_SERVER_PREFERENCE;
}
+ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV1)) {
+ ssl_opts |= SSL_OP_NO_TLSv1;
+ }
+#if defined(HAVE_SSL_OP_NO_TLSV1_1) && defined(HAVE_SSL_OP_NO_TLSV1_2)
+ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV11)) {
+ ssl_opts |= SSL_OP_NO_TLSv1_1;
+ }
+ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV12)) {
+ ssl_opts |= SSL_OP_NO_TLSv1_2;
+ }
+#else
+ ast_log(LOG_WARNING, "Your version of OpenSSL leaves you potentially vulnerable "
+ "to the SSL BEAST attack. Please upgrade to OpenSSL 1.0.1 or later\n");
+#endif
+
+ SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
+
SSL_CTX_set_verify(cfg->ssl_ctx,
ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE,
NULL);
@@ -1109,6 +1128,14 @@ int ast_tls_read_conf(struct ast_tls_con
ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
}
+ } else if (!strcasecmp(varname, "tlsservercipherorder")) {
+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_SERVER_CIPHER_ORDER);
+ } else if (!strcasecmp(varname, "tlsdisablev1")) {
+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV1);
+ } else if (!strcasecmp(varname, "tlsdisablev11")) {
+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV11);
+ } else if (!strcasecmp(varname, "tlsdisablev12")) {
+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV12);
} else {
return -1;
}
--- include/asterisk/autoconfig.h.in.orig 2014-06-20 23:12:25 UTC
+++ include/asterisk/autoconfig.h.in
@@ -752,6 +752,12 @@
/* Define to 1 if you have the ISDN SS7 library. */
#undef HAVE_SS7
+/* Define if your system has the SSL_OP_NO_TLSV1_1 headers. */
+#undef HAVE_SSL_OP_NO_TLSV1_1
+
+/* Define if your system has the SSL_OP_NO_TLSV1_2 headers. */
+#undef HAVE_SSL_OP_NO_TLSV1_2
+
/* Define to 1 if `stat' has the bug that it succeeds when given the
zero-length file name argument. */
#undef HAVE_STAT_EMPTY_STRING_BUG
|
