Bug#804615: sflphone: SSLv3 method
Kurt Roeckx
kurt at roeckx.be
Sat Nov 14 17:55:39 UTC 2015
Hi,
I see various things like:
typedef enum pj_ssl_sock_proto
{
PJ_SSL_SOCK_PROTO_DEFAULT, /**< Default protocol of backend. */
PJ_SSL_SOCK_PROTO_TLS1, /**< TLSv1.0 protocol. */
PJ_SSL_SOCK_PROTO_SSL3, /**< SSLv3.0 protocol. */
PJ_SSL_SOCK_PROTO_SSL23, /**< SSLv3.0 but can roll back to
SSLv2.0. */
PJ_SSL_SOCK_PROTO_SSL2, /**< SSLv2.0 protocol. */
PJ_SSL_SOCK_PROTO_DTLS1 /**< DTLSv1.0 protocol. */
} pj_ssl_sock_proto;
At least that description for PJ_SSL_SOCK_PROTO_SSL23 is wrong.
It supports more protocols, including things like TLS 1.2.
It's used in this code:
/* Determine SSL method to use */
switch (ssock->param.proto) {
case PJ_SSL_SOCK_PROTO_DEFAULT:
case PJ_SSL_SOCK_PROTO_TLS1:
ssl_method = (SSL_METHOD*)TLSv1_method();
break;
#ifndef OPENSSL_NO_SSL2
case PJ_SSL_SOCK_PROTO_SSL2:
ssl_method = (SSL_METHOD*)SSLv2_method();
break;
#endif
case PJ_SSL_SOCK_PROTO_SSL3:
ssl_method = (SSL_METHOD*)SSLv3_method();
break;
case PJ_SSL_SOCK_PROTO_SSL23:
ssl_method = (SSL_METHOD*)SSLv23_method();
break;
//case PJ_SSL_SOCK_PROTO_DTLS1:
//ssl_method = (SSL_METHOD*)DTLSv1_method();
//break;
default:
return PJ_EINVAL;
}
So this seems to mean the default only supports TLS 1.0, and not
newer protocols like TLS 1.2.
I recommend you remove almost all of this. You should only use
the SSLv23_* method and the DTLS_*. Those are the only methods
that support multiple versions.
If you have a need to restrict the supported protocols please use
SSL_(CTX_)_set_options with something like SSL_OP_NO_SSLv3.
There is also code like this:
meth = (SSL_METHOD*)SSLv23_server_method();
if (!meth)
meth = (SSL_METHOD*)TLSv1_server_method();
if (!meth)
meth = (SSL_METHOD*)SSLv3_server_method();
#ifndef OPENSSL_NO_SSL2
if (!meth)
meth = (SSL_METHOD*)SSLv2_server_method();
#endif
This doesn't make any sense. They will all always succeed, and
you only want the first one anyway.
Kurt
More information about the Pkg-voip-maintainers
mailing list