authorKoichiro IWAO <meta@vmeta.jp>2017-01-31 14:59:46 +0900
committermetalefty <meta@vmeta.jp>2017-02-27 14:17:25 +0900
commit849c1a22a24be80b2681e649f695126578740e6b (patch)
treef7362f96c09e739b83be65840e7dcbc76250541e
parentc126f81d9a4cba5d2bda296ff759caa8bfbb1ed6 (diff)
TLS: switch ssl_protocols to a comma separated list
-rw-r--r--docs/man/xrdp.ini.5.in2
-rw-r--r--libxrdp/xrdp_rdp.c18
-rw-r--r--xrdp/xrdp.ini4
3 files changed, 15 insertions, 9 deletions
diff --git a/docs/man/xrdp.ini.5.in b/docs/man/xrdp.ini.5.in
index d4607ea3..612adcd7 100644
--- a/docs/man/xrdp.ini.5.in
+++ b/docs/man/xrdp.ini.5.in
@@ -145,7 +145,7 @@ Negotiate these security methods with clients.
.TP
\fBssl_protocols\fP=\fI[SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]\fP
-Enables the specified SSL/TLS protocols. Each value should be separated by space.
+Enables the specified SSL/TLS protocols. Each value should be separated by comma.
SSLv2 is always disabled. At least one protocol should be given to accept TLS connections.
This parameter is effective only if \fBsecurity_layer\fP is set to \fBtls\fP or \fBnegotiate\fP.
diff --git a/libxrdp/xrdp_rdp.c b/libxrdp/xrdp_rdp.c
index e84ff95b..a9909dcd 100644
--- a/libxrdp/xrdp_rdp.c
+++ b/libxrdp/xrdp_rdp.c
@@ -45,6 +45,7 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
char *item = (char *)NULL;
char *value = (char *)NULL;
char cfg_file[256];
+ char *p = (char *)NULL;
char *tmp = (char *)NULL;
int tmp_length = 0;
@@ -165,31 +166,36 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
}
else if (g_strcasecmp(item, "ssl_protocols") == 0)
{
- /* put leading/trailing space to properly detect "TLSv1" without regex */
+ /* put leading/trailing comma to properly detect "TLSv1" without regex */
tmp_length = g_strlen(value) + 3;
tmp = g_new(char, tmp_length);
- g_snprintf(tmp, tmp_length, "%s%s%s", " ", value, " ");
+ g_snprintf(tmp, tmp_length, "%s%s%s", ",", value, ",");
+ /* to accept space after comma */
+ while ((p = (char *) g_strchr(tmp, ' ')) != NULL)
+ {
+ *p = ',';
+ }
/* disable all protocols first, enable later */
client_info->ssl_protocols =
SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
- if (g_pos(tmp, " TLSv1.2 ") >= 0)
+ if (g_pos(tmp, ",TLSv1.2,") >= 0)
{
log_message(LOG_LEVEL_DEBUG, "TLSv1.2 enabled");
client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_2;
}
- if (g_pos(tmp, " TLSv1.1 ") >= 0)
+ if (g_pos(tmp, ",TLSv1.1,") >= 0)
{
log_message(LOG_LEVEL_DEBUG, "TLSv1.1 enabled");
client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_1;
}
- if (g_pos(tmp, " TLSv1 ") >= 0)
+ if (g_pos(tmp, ",TLSv1,") >= 0)
{
log_message(LOG_LEVEL_DEBUG, "TLSv1 enabled");
client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1;
}
- if (g_pos(tmp, " SSLv3 ") >= 0)
+ if (g_pos(tmp, ",SSLv3,") >= 0)
{
log_message(LOG_LEVEL_DEBUG, "SSLv3 enabled");
client_info->ssl_protocols &= ~SSL_OP_NO_SSLv3;
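Review bot: A value whose tokens match none of the four `",…,"` patterns — a typo, or a tab between entries, which the new while loop does not convert because it only rewrites `' '` — leaves every protocol disabled without any message, since the mask is cleared before the checks and nothing in this hunk reports the empty result. Unless a check already follows the hunk, add after the SSLv3 block `if (client_info->ssl_protocols == (SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2)) { log_message(LOG_LEVEL_WARNING, "ssl_protocols: no protocol enabled by '%s'", value); }` so an operator can see why TLS negotiation fails rather than discovering it from client errors. The whitespace loop also restarts the scan from the beginning of `tmp` on every iteration; `p = tmp;` before the loop and `g_strchr(p, ' ')` in its condition scan the buffer once, and handling `'\t'` in the same loop would cover the tab case. The `(char *)` cast on `g_strchr` appears to discard a const qualifier on its return; writing through it is fine here only because `tmp` is a heap buffer the function owns, which is worth a one-line comment. xrdp_rdp_read_config continues outside the hunk on both sides.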
diff --git a/xrdp/xrdp.ini b/xrdp/xrdp.ini
index 58b82bb5..fd421e35 100644
--- a/xrdp/xrdp.ini
+++ b/xrdp/xrdp.ini
@@ -26,8 +26,8 @@ crypt_level=high
certificate=
key_file=
; set SSL protocols
-; can be space separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2'
-ssl_protocols=TLSv1 TLSv1.1 TLSv1.2
+; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2'
+ssl_protocols=TLSv1, TLSv1.1, TLSv1.2
; set TLS cipher suites (up to 63 characters)
#tls_ciphers=HIGH