authorAlex Illsley <Alex.Illsley@ipsoft.com>2016-08-25 11:20:47 -0700
committerJay Sorg <jay.sorg@gmail.com>2016-08-25 11:20:47 -0700
commit47124df4eda93ea150064bd44b38007438ef5517 (patch)
treeaee1cad53575cdf9073eb8d1280b596efcafcde9 /common/ssl_calls.c
parente28f529a94143eb47bdc04bb675f74336fb4cb96 (diff)
new options for xrdp.ini disableSSlv3=yes and tls_ciphers=HIGH and code to implement
Diffstat (limited to 'common/ssl_calls.c')
-rw-r--r--common/ssl_calls.c27
1 files changed, 22 insertions, 5 deletions
diff --git a/common/ssl_calls.c b/common/ssl_calls.c
index e3d3e67e..04e7a177 100644
--- a/common/ssl_calls.c
+++ b/common/ssl_calls.c
@@ -590,18 +590,25 @@ ssl_tls_print_error(const char *func, SSL *connection, int value)
/*****************************************************************************/
int APP_CC
-ssl_tls_accept(struct ssl_tls *self)
+ssl_tls_accept(struct ssl_tls *self, int disableSSLv3,
+ const char *tls_ciphers)
{
int connection_status;
long options = 0;
/**
- * SSL_OP_NO_SSLv2:
- *
- * We only want SSLv3 and TLSv1, so disable SSLv2.
+ * SSL_OP_NO_SSLv2
* SSLv3 is used by, eg. Microsoft RDC for Mac OS X.
+ * No SSLv3 if disableSSLv3=yes so only tls used
*/
- options |= SSL_OP_NO_SSLv2;
+ if (disableSSLv3)
+ {
+ options |= SSL_OP_NO_SSLv3;
+ }
+ else
+ {
+ options |= SSL_OP_NO_SSLv2;
+ }
#if defined(SSL_OP_NO_COMPRESSION)
/**
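Review bot: When disableSSLv3 is set, the new if/else at `if (disableSSLv3)` replaces SSL_OP_NO_SSLv2 with SSL_OP_NO_SSLv3 instead of adding to it, so an OpenSSL build that still includes SSLv2 would no longer refuse it in exactly the configuration meant to be stricter; the two flags are independent and should accumulate. Replace the if/else with `options |= SSL_OP_NO_SSLv2;` followed by `if (disableSSLv3) { options |= SSL_OP_NO_SSLv3; }`. The rewritten comment block above it would then be clearer as `/* SSLv2 is always refused; with disableSSLv3=yes SSLv3 is refused too, leaving only TLS. */`. The body of ssl_tls_accept continues past this hunk.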
@@ -638,6 +645,16 @@ ssl_tls_accept(struct ssl_tls *self)
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
SSL_MODE_ENABLE_PARTIAL_WRITE);
SSL_CTX_set_options(self->ctx, options);
+
+ if (g_strlen(tls_ciphers) > 1)
+ {
+ if (SSL_CTX_set_cipher_list(self->ctx, tls_ciphers) == 0)
+ {
+ g_writeln("ssl_tls_accept: invalid cipher options");
+ return 1;
+ }
+ }
+
SSL_CTX_set_read_ahead(self->ctx, 1);
if (self->ctx == NULL)