authorKoichiro IWAO <meta@vmeta.jp>2016-12-13 15:49:13 +0900
committermetalefty <meta@vmeta.jp>2017-02-27 14:17:25 +0900
commite94ab10e14edd2f6ca021cb2c77b9f9031665452 (patch)
tree135cc7231f151da007081c6b1ca4798a846c74c6 /libxrdp
parent657f6f3756f883e2a5899eaff9e0e59c4bc67995 (diff)
downloadxrdp-proprietary-e94ab10e14edd2f6ca021cb2c77b9f9031665452.tar.gz
xrdp-proprietary-e94ab10e14edd2f6ca021cb2c77b9f9031665452.zip
TLS: new method to specify SSL/TLS version
Only the SSL/TLS protocols listed in ssl_protocols should be used. The name "ssl_protocols" comes from nginx. Resolves #428.
Diffstat (limited to 'libxrdp')
-rw-r--r--libxrdp/xrdp_rdp.c35
-rw-r--r--libxrdp/xrdp_sec.c2
2 files changed, 34 insertions, 3 deletions
diff --git a/libxrdp/xrdp_rdp.c b/libxrdp/xrdp_rdp.c
index 5159ba5b..bdb552c8 100644
--- a/libxrdp/xrdp_rdp.c
+++ b/libxrdp/xrdp_rdp.c
@@ -18,6 +18,7 @@
* rdp layer
*/
+#include <openssl/ssl.h>
#include "libxrdp.h"
#include "log.h"
@@ -44,6 +45,8 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
char *item = (char *)NULL;
char *value = (char *)NULL;
char cfg_file[256];
+ char *tmp = (char *)NULL;
+ int tmp_length = 0;
/* initialize (zero out) local variables: */
g_memset(cfg_file, 0, sizeof(char) * 256);
@@ -160,9 +163,37 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
client_info->use_fast_path = 0;
}
}
- else if (g_strcasecmp(item, "disableSSLv3") == 0)
+ else if (g_strcasecmp(item, "ssl_protocols") == 0)
{
- client_info->disableSSLv3 = g_text2bool(value);
+ /* put leading/trailing space to properly detect "TLSv1" without regex */
+ tmp_length = g_strlen(value) + 3;
+ tmp = g_new(char, tmp_length);
+ g_snprintf(tmp, tmp_length, "%s%s%s", " ", value, " ");
+
+ /* disable all protocols first, enable later */
+ client_info->ssl_protocols =
+ SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
+
+ if (g_pos(tmp, " TLSv1.2 ") >= 0)
+ {
+ log_message(LOG_LEVEL_DEBUG, "TLSv1.2 enabled");
+ client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_2;
+ }
+ if (g_pos(tmp, " TLSv1.1 ") >= 0)
+ {
+ log_message(LOG_LEVEL_DEBUG, "TLSv1.1 enabled");
+ client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_1;
+ }
+ if (g_pos(tmp, " TLSv1 ") >= 0)
+ {
+ log_message(LOG_LEVEL_DEBUG, "TLSv1 enabled");
+ client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1;
+ }
+ if (g_pos(tmp, " SSLv3 ") >= 0)
+ {
+ log_message(LOG_LEVEL_DEBUG, "SSLv3 enabled");
+ client_info->ssl_protocols &= ~SSL_OP_NO_SSLv3;
+ }
}
else if (g_strcasecmp(item, "tls_ciphers") == 0)
{
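Review bot: The buffer obtained from `g_new(char, tmp_length)` at the top of the ssl_protocols branch is never released inside the hunk, so unless xrdp_rdp_read_config (which continues outside the hunk) frees it further down, every ssl_protocols line leaks its copy; add `g_free(tmp);` after the final `g_pos(tmp, " SSLv3 ")` check. A value naming no recognised protocol, including an empty one, leaves all four SSL_OP_NO_* bits set so no TLS handshake can succeed, and nothing is logged; a `log_message(LOG_LEVEL_WARNING, "ssl_protocols: no supported protocol enabled");` when none of the four checks matched would make that misconfiguration diagnosable. The item name is compared with g_strcasecmp but the protocol tokens via g_pos are case-sensitive, so `tlsv1.2` is silently ignored, which is worth either documenting in the sample config or matching case-insensitively. Dropping disableSSLv3 also means existing configurations relying on it lose the restriction; if client_info->ssl_protocols stays at its zero-initialised default when the key is absent, SSLv3 would be re-enabled, so the default applied elsewhere should be confirmed.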
diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c
index 422acfe2..b5d33863 100644
--- a/libxrdp/xrdp_sec.c
+++ b/libxrdp/xrdp_sec.c
@@ -2254,7 +2254,7 @@ xrdp_sec_incoming(struct xrdp_sec *self)
if (trans_set_tls_mode(self->mcs_layer->iso_layer->trans,
self->rdp_layer->client_info.key_file,
self->rdp_layer->client_info.certificate,
- self->rdp_layer->client_info.disableSSLv3,
+ self->rdp_layer->client_info.ssl_protocols,
self->rdp_layer->client_info.tls_ciphers) != 0)
{
g_writeln("xrdp_sec_incoming: trans_set_tls_mode failed");