-rw-r--r--common/ssl_calls.c27
-rw-r--r--common/ssl_calls.h3
-rw-r--r--common/trans.c5
-rw-r--r--common/trans.h3
-rw-r--r--common/xrdp_client_info.h2
-rw-r--r--libxrdp/xrdp_rdp.c8
-rw-r--r--libxrdp/xrdp_sec.c4
-rw-r--r--xrdp/xrdp.ini4
8 files changed, 46 insertions, 10 deletions
diff --git a/common/ssl_calls.c b/common/ssl_calls.c
index e3d3e67e..04e7a177 100644
--- a/common/ssl_calls.c
+++ b/common/ssl_calls.c
@@ -590,18 +590,25 @@ ssl_tls_print_error(const char *func, SSL *connection, int value)
/*****************************************************************************/
int APP_CC
-ssl_tls_accept(struct ssl_tls *self)
+ssl_tls_accept(struct ssl_tls *self, int disableSSLv3,
+ const char *tls_ciphers)
{
int connection_status;
long options = 0;
/**
- * SSL_OP_NO_SSLv2:
- *
- * We only want SSLv3 and TLSv1, so disable SSLv2.
+ * SSL_OP_NO_SSLv2
* SSLv3 is used by, eg. Microsoft RDC for Mac OS X.
+ * No SSLv3 if disableSSLv3=yes so only tls used
*/
- options |= SSL_OP_NO_SSLv2;
+ if (disableSSLv3)
+ {
+ options |= SSL_OP_NO_SSLv3;
+ }
+ else
+ {
+ options |= SSL_OP_NO_SSLv2;
+ }
#if defined(SSL_OP_NO_COMPRESSION)
/**
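Review bot: The new `if (disableSSLv3)` branch at the top of ssl_tls_accept drops SSL_OP_NO_SSLv2 whenever SSLv3 is disabled, so an OpenSSL build that still ships SSLv2 would offer it again exactly when the administrator asked for the stricter setting. Set the SSLv2 flag unconditionally and add the SSLv3 flag on top: `options |= SSL_OP_NO_SSLv2;` followed by `if (disableSSLv3) { options |= SSL_OP_NO_SSLv3; }`. The rewritten comment should state the effect plainly, e.g. `/* SSLv2 is never offered; SSLv3 is also refused when disableSSLv3=yes (xrdp.ini), leaving only TLS */`. Note that with the option unset the server still accepts SSLv3, which is broken by POODLE, so refusing it by default is worth considering. ssl_tls_accept's body continues past the end of this hunk.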
@@ -638,6 +645,16 @@ ssl_tls_accept(struct ssl_tls *self)
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
SSL_MODE_ENABLE_PARTIAL_WRITE);
SSL_CTX_set_options(self->ctx, options);
+
+ if (g_strlen(tls_ciphers) > 1)
+ {
+ if (SSL_CTX_set_cipher_list(self->ctx, tls_ciphers) == 0)
+ {
+ g_writeln("ssl_tls_accept: invalid cipher options");
+ return 1;
+ }
+ }
+
SSL_CTX_set_read_ahead(self->ctx, 1);
if (self->ctx == NULL)
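Review bot: The guard `g_strlen(tls_ciphers) > 1` silently ignores a one-character cipher string and, depending on how g_strlen treats a NULL argument, may dereference a NULL pointer; the intent is "configured at all", so test `if (tls_ciphers != NULL && tls_ciphers[0] != '\0')`. The new SSL_CTX_set_cipher_list call also sits before the `self->ctx == NULL` check that closes the hunk, so it joins SSL_CTX_set_options in dereferencing a context that has not yet been validated — that check belongs above both. When no list is configured OpenSSL's compiled-in default applies, which deserves a comment since the operator then gets no weak-cipher exclusion, e.g. `/* no tls_ciphers configured: OpenSSL's default cipher list is used unchanged */`. ssl_tls_accept continues outside this hunk on both sides.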
diff --git a/common/ssl_calls.h b/common/ssl_calls.h
index aa7cffb1..1277505c 100644
--- a/common/ssl_calls.h
+++ b/common/ssl_calls.h
@@ -96,7 +96,8 @@ struct ssl_tls
struct ssl_tls *APP_CC
ssl_tls_create(struct trans *trans, const char *key, const char *cert);
int APP_CC
-ssl_tls_accept(struct ssl_tls *self);
+ssl_tls_accept(struct ssl_tls *self, int disableSSLv3,
+ const char *tls_ciphers);
int APP_CC
ssl_tls_disconnect(struct ssl_tls *self);
void APP_CC
diff --git a/common/trans.c b/common/trans.c
index 9e877d5c..432b6334 100644
--- a/common/trans.c
+++ b/common/trans.c
@@ -881,7 +881,8 @@ trans_get_out_s(struct trans *self, int size)
/*****************************************************************************/
/* returns error */
int APP_CC
-trans_set_tls_mode(struct trans *self, const char *key, const char *cert)
+trans_set_tls_mode(struct trans *self, const char *key, const char *cert,
+ int disableSSLv3, const char *tls_ciphers)
{
self->tls = ssl_tls_create(self, key, cert);
if (self->tls == NULL)
@@ -890,7 +891,7 @@ trans_set_tls_mode(struct trans *self, const char *key, const char *cert)
return 1;
}
- if (ssl_tls_accept(self->tls) != 0)
+ if (ssl_tls_accept(self->tls, disableSSLv3, tls_ciphers) != 0)
{
g_writeln("trans_set_tls_mode: ssl_tls_accept failed");
return 1;
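Review bot: With the cipher-list validation added in this commit, the `ssl_tls_accept` failure branch is now reachable from a plain configuration typo, and it returns 1 while `self->tls` — allocated by ssl_tls_create a few lines above — stays attached to the transport. Unless a caller tears it down (not visible here), that is a leaked TLS object per failed connection attempt; consider releasing it through the existing disconnect/delete path and setting `self->tls = NULL` before returning. The remainder of trans_set_tls_mode is outside this hunk.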
diff --git a/common/trans.h b/common/trans.h
index 1bb15bcf..39fba5c0 100644
--- a/common/trans.h
+++ b/common/trans.h
@@ -122,7 +122,8 @@ trans_get_in_s(struct trans* self);
struct stream* APP_CC
trans_get_out_s(struct trans* self, int size);
int APP_CC
-trans_set_tls_mode(struct trans *self, const char *key, const char *cert);
+trans_set_tls_mode(struct trans *self, const char *key, const char *cert,
+ int disableSSLv3, const char *tls_ciphers);
int APP_CC
trans_shutdown_tls_mode(struct trans *self);
int APP_CC
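Review bot: The two parameters added to trans_set_tls_mode are undocumented, and their contract is not obvious from the names — `disableSSLv3` is an int used as a boolean and `tls_ciphers` is an OpenSSL cipher-list string that may be empty. Add a comment above the prototype such as `/* disableSSLv3: non-zero refuses SSLv3 (TLS only); tls_ciphers: OpenSSL cipher list string, empty keeps the library default; returns non-zero on error */` so callers outside this commit get it right.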
diff --git a/common/xrdp_client_info.h b/common/xrdp_client_info.h
index f003ee2a..46589e30 100644
--- a/common/xrdp_client_info.h
+++ b/common/xrdp_client_info.h
@@ -143,6 +143,8 @@ struct xrdp_client_info
int use_frame_acks;
int max_unacknowledged_frame_count;
+ int disableSSLv3; /* 0 = no, 1 = yes */
+ char tls_ciphers[64];
};
#endif
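Review bot: `char tls_ciphers[64]` is too small for a realistic OpenSSL cipher list — a single explicit suite name such as ECDHE-RSA-AES256-GCM-SHA384 is 27 characters, so two or three suites already exceed 63 — and the only writer added in this commit (xrdp_rdp.c) fills it with an unbounded g_strcpy, so a long ini value overflows past the end of struct xrdp_client_info. Enlarge the field, e.g. `char tls_ciphers[256]; /* OpenSSL cipher list string, NUL-terminated */`, and make the writer bound its copy with sizeof. The `disableSSLv3` comment could also say which value applies when the ini key is absent, assuming the struct is zero-initialised on creation.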
diff --git a/libxrdp/xrdp_rdp.c b/libxrdp/xrdp_rdp.c
index 852a50bf..3cb075b3 100644
--- a/libxrdp/xrdp_rdp.c
+++ b/libxrdp/xrdp_rdp.c
@@ -160,6 +160,14 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
client_info->use_fast_path = 0;
}
}
+ else if (g_strcasecmp(item, "disableSSLv3") == 0)
+ {
+ client_info->disableSSLv3 = g_text2bool(value);
+ }
+ else if (g_strcasecmp(item, "tls_ciphers") == 0)
+ {
+ g_strcpy(client_info->tls_ciphers, value);
+ }
else if (g_strcasecmp(item, "security_layer") == 0)
{
if (g_strcasecmp(value, "rdp") == 0)
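Review bot: `g_strcpy(client_info->tls_ciphers, value)` copies an operator-controlled ini value into the fixed 64-byte array declared in xrdp_client_info.h by this same commit with no length check, so a cipher list longer than 63 characters — common for explicit suite lists — overflows the struct. Use a bounded copy that always terminates, e.g. `g_strncpy(client_info->tls_ciphers, value, sizeof(client_info->tls_ciphers) - 1);` if the project's g_strncpy has the usual terminate-at-len semantics, and log or reject a truncated value rather than silently shortening it, since truncation changes which ciphers are accepted. A short comment `/* OpenSSL cipher list string; validated later in ssl_tls_accept */` would help the next reader. xrdp_rdp_read_config starts and ends outside this hunk.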
diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c
index a31190ca..d2101b60 100644
--- a/libxrdp/xrdp_sec.c
+++ b/libxrdp/xrdp_sec.c
@@ -2236,7 +2236,9 @@ xrdp_sec_incoming(struct xrdp_sec *self)
if (trans_set_tls_mode(self->mcs_layer->iso_layer->trans,
self->rdp_layer->client_info.key_file,
- self->rdp_layer->client_info.certificate) != 0)
+ self->rdp_layer->client_info.certificate,
+ self->rdp_layer->client_info.disableSSLv3,
+ self->rdp_layer->client_info.tls_ciphers) != 0)
{
g_writeln("xrdp_sec_incoming: trans_set_tls_mode failed");
return 1;
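Review bot: The call now forwards `client_info.tls_ciphers` and `client_info.disableSSLv3` straight to trans_set_tls_mode, which relies on both being zero-initialised when the corresponding ini keys are absent — xrdp_rdp_read_config only assigns them when the key is present. If struct xrdp_client_info is not cleared on creation (not visible here), g_strlen in ssl_tls_accept would read an uninitialised array; confirm the allocation zeroes it, or set `client_info->tls_ciphers[0] = '\0'` and `client_info->disableSSLv3 = 0` before the config is read. xrdp_sec_incoming continues outside this hunk.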
diff --git a/xrdp/xrdp.ini b/xrdp/xrdp.ini
index 34adb077..b4967050 100644
--- a/xrdp/xrdp.ini
+++ b/xrdp/xrdp.ini
@@ -18,6 +18,10 @@ security_layer=rdp
# openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365
certificate=
key_file=
+# disable SSlv3
+#disableSSLv3=yes
+# set TLS cipher suites
+#tls_ciphers=HIGH
# regulate if the listening socket use socket option tcp_nodelay
# no buffering will be performed in the TCP stack
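Review bot: The comment `# disable SSlv3` misspells the protocol name, and neither new comment tells the operator why the settings matter: SSLv3 is broken by POODLE, and `HIGH` on its own still admits anonymous-DH, non-forward-secret and CBC suites. Suggested lines: `# disable SSLv3 (vulnerable to POODLE); only TLS is then offered`, `disableSSLv3=yes`, and `# OpenSSL cipher list string, e.g. tls_ciphers=HIGH:!aNULL:!MD5:!RC4 (see: openssl ciphers -v)`. Shipping `disableSSLv3=yes` uncommented would make the secure setting the default instead of opt-in.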