author | Koichiro IWAO <meta@vmeta.jp> | 2016-12-13 15:49:13 +0900 |
committer | metalefty <meta@vmeta.jp> | 2017-02-27 14:17:25 +0900 |
commit | e94ab10e14edd2f6ca021cb2c77b9f9031665452 (patch) | |
tree | 135cc7231f151da007081c6b1ca4798a846c74c6 /libxrdp | |
parent | 657f6f3756f883e2a5899eaff9e0e59c4bc67995 (diff) | |
TLS: new method to specify SSL/TLS version
Only the SSL/TLS protocol versions listed in ssl_protocols should be enabled; every version not listed is disabled.
The name "ssl_protocols" comes from nginx.
Resolves #428.
Diffstat (limited to 'libxrdp')
-rw-r--r-- | libxrdp/xrdp_rdp.c | 35 | ||||
-rw-r--r-- | libxrdp/xrdp_sec.c | 2 |
2 files changed, 34 insertions, 3 deletions
diff --git a/libxrdp/xrdp_rdp.c b/libxrdp/xrdp_rdp.c
index 5159ba5b..bdb552c8 100644
--- a/libxrdp/xrdp_rdp.c
+++ b/libxrdp/xrdp_rdp.c
@@ -18,6 +18,7 @@
 * rdp layer
 */
+#include <openssl/ssl.h>
 #include "libxrdp.h"
 #include "log.h"
@@ -44,6 +45,8 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
 char *item = (char *)NULL;
 char *value = (char *)NULL;
 char cfg_file[256];
+ char *tmp = (char *)NULL;
+ int tmp_length = 0;
 /* initialize (zero out) local variables: */
 g_memset(cfg_file, 0, sizeof(char) * 256);
@@ -160,9 +163,37 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
 client_info->use_fast_path = 0;
 }
 }
- else if (g_strcasecmp(item, "disableSSLv3") == 0)
+ else if (g_strcasecmp(item, "ssl_protocols") == 0)
 {
- client_info->disableSSLv3 = g_text2bool(value);
+ /* put leading/trailing space to properly detect "TLSv1" without regex */
+ tmp_length = g_strlen(value) + 3;
+ tmp = g_new(char, tmp_length);
+ g_snprintf(tmp, tmp_length, "%s%s%s", " ", value, " ");
+
+ /* disable all protocols first, enable later */
+ client_info->ssl_protocols =
+ SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
+
+ if (g_pos(tmp, " TLSv1.2 ") >= 0)
+ {
+ log_message(LOG_LEVEL_DEBUG, "TLSv1.2 enabled");
+ client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_2;
+ }
+ if (g_pos(tmp, " TLSv1.1 ") >= 0)
+ {
+ log_message(LOG_LEVEL_DEBUG, "TLSv1.1 enabled");
+ client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_1;
+ }
+ if (g_pos(tmp, " TLSv1 ") >= 0)
+ {
+ log_message(LOG_LEVEL_DEBUG, "TLSv1 enabled");
+ client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1;
+ }
+ if (g_pos(tmp, " SSLv3 ") >= 0)
+ {
+ log_message(LOG_LEVEL_DEBUG, "SSLv3 enabled");
+ client_info->ssl_protocols &= ~SSL_OP_NO_SSLv3;
+ }
 }
 else if (g_strcasecmp(item, "tls_ciphers") == 0)
 {
diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c
index 422acfe2..b5d33863 100644
--- a/libxrdp/xrdp_sec.c
+++ b/libxrdp/xrdp_sec.c
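Review bot: The buffer `tmp` obtained from `g_new` in the new `ssl_protocols` branch is never released anywhere in the hunk, so each parse of that key leaks `g_strlen(value) + 3` bytes; add `g_free(tmp); tmp = NULL;` after the last `g_pos` check, and return or skip the branch if `g_new` yields NULL before `g_snprintf` writes through it. The old `disableSSLv3` key is now simply unmatched, so an existing hardened xrdp.ini with `disableSSLv3=true` silently loses that setting unless it is migrated; an `else if (g_strcasecmp(item, "disableSSLv3") == 0)` branch that emits `log_message(LOG_LEVEL_WARNING, "disableSSLv3 is deprecated, use ssl_protocols")` would make the break visible to the administrator. A value with no recognised token (an empty string, or `tlsv1.2` in lowercase if `g_pos` is case-sensitive, which this hunk does not show) leaves every `SSL_OP_NO_*` bit set so the listener can negotiate nothing, which deserves at least a warning rather than only per-version debug lines. `SSL_OP_NO_TLSv1_1` and `SSL_OP_NO_TLSv1_2` only exist from OpenSSL 1.0.1 onwards, so the newly included `<openssl/ssl.h>` usage should be guarded or the minimum OpenSSL version documented. `xrdp_rdp_read_config` starts and ends outside this hunk.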
@@ -2254,7 +2254,7 @@ xrdp_sec_incoming(struct xrdp_sec *self)
 if (trans_set_tls_mode(self->mcs_layer->iso_layer->trans,
 self->rdp_layer->client_info.key_file,
 self->rdp_layer->client_info.certificate,
- self->rdp_layer->client_info.disableSSLv3,
+ self->rdp_layer->client_info.ssl_protocols,
 self->rdp_layer->client_info.tls_ciphers) != 0)
 {
 g_writeln("xrdp_sec_incoming: trans_set_tls_mode failed"); |
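Review bot: The argument handed to `trans_set_tls_mode` changes meaning from a boolean ("disable SSLv3") to an OpenSSL `SSL_OP_NO_*` bitmask in which 0 disables nothing, so if `ssl_protocols` is absent from the configuration the field keeps whatever `client_info` was initialised with (not visible here) and, if that is 0, the listener now accepts SSLv3 and TLS 1.0 regardless of any earlier `disableSSLv3` hardening. A defensive default before this call, `if (self->rdp_layer->client_info.ssl_protocols == 0) { self->rdp_layer->client_info.ssl_protocols = SSL_OP_NO_SSLv3; }`, or an explicit documented default in the config reader, would preserve the previous minimum. It is also worth confirming that the corresponding `trans_set_tls_mode` parameter was widened to `long` (the type of OpenSSL option flags) rather than left as the old `int` flag, since that change is not part of this hunk. The enclosing `xrdp_sec_incoming` begins and ends outside the hunk.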