new options for xrdp.ini disableSSlv3=yes and tls_ciphers=HIGH and code to implement

8 years ago · 47124df4ed
parent e28f529a94
commit 47124df4ed
8 changed files with 46 additions and 10 deletions
--- a/common/ssl_calls.c
+++ b/common/ssl_calls.c
@ -590,18 +590,25 @@ ssl_tls_print_error(const char *func, SSL *connection, int value)

 /*****************************************************************************/
 int APP_CC
-ssl_tls_accept(struct ssl_tls *self)
+ssl_tls_accept(struct ssl_tls *self, int disableSSLv3,
+               const char *tls_ciphers)
 {
    int connection_status;
    long options = 0;

    /**
-     * SSL_OP_NO_SSLv2:
-     *
-     * We only want SSLv3 and TLSv1, so disable SSLv2.
+     * SSL_OP_NO_SSLv2
     * SSLv3 is used by, eg. Microsoft RDC for Mac OS X.
+     * No SSLv3 if disableSSLv3=yes so only tls used
     */
-    options |= SSL_OP_NO_SSLv2;
+    if (disableSSLv3)
+    {
+        options |= SSL_OP_NO_SSLv3;
+    }
+    else
+    {
+        options |= SSL_OP_NO_SSLv2;
+    }

 #if defined(SSL_OP_NO_COMPRESSION)
    /**
@ -638,6 +645,16 @@ ssl_tls_accept(struct ssl_tls *self)
                     SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
                     SSL_MODE_ENABLE_PARTIAL_WRITE);
    SSL_CTX_set_options(self->ctx, options);
+
+    if (g_strlen(tls_ciphers) > 1)
+    {
+        if (SSL_CTX_set_cipher_list(self->ctx, tls_ciphers) == 0)
+        {
+            g_writeln("ssl_tls_accept: invalid cipher options");
+            return 1;
+        }
+    }
+
    SSL_CTX_set_read_ahead(self->ctx, 1);

    if (self->ctx == NULL)
--- a/common/ssl_calls.h
+++ b/common/ssl_calls.h
@ -96,7 +96,8 @@ struct ssl_tls
 struct ssl_tls *APP_CC
 ssl_tls_create(struct trans *trans, const char *key, const char *cert);
 int APP_CC
-ssl_tls_accept(struct ssl_tls *self);
+ssl_tls_accept(struct ssl_tls *self, int disableSSLv3,
+               const char *tls_ciphers);
 int APP_CC
 ssl_tls_disconnect(struct ssl_tls *self);
 void APP_CC
--- a/common/trans.c
+++ b/common/trans.c
@ -881,7 +881,8 @@ trans_get_out_s(struct trans *self, int size)
 /*****************************************************************************/
 /* returns error */
 int APP_CC
-trans_set_tls_mode(struct trans *self, const char *key, const char *cert)
+trans_set_tls_mode(struct trans *self, const char *key, const char *cert,
+                   int disableSSLv3, const char *tls_ciphers)
 {
    self->tls = ssl_tls_create(self, key, cert);
    if (self->tls == NULL)
@ -890,7 +891,7 @@ trans_set_tls_mode(struct trans *self, const char *key, const char *cert)
        return 1;
    }

-    if (ssl_tls_accept(self->tls) != 0)
+    if (ssl_tls_accept(self->tls, disableSSLv3, tls_ciphers) != 0)
    {
        g_writeln("trans_set_tls_mode: ssl_tls_accept failed");
        return 1;
--- a/common/trans.h
+++ b/common/trans.h
@ -122,7 +122,8 @@ trans_get_in_s(struct trans* self);
 struct stream* APP_CC
 trans_get_out_s(struct trans* self, int size);
 int APP_CC
-trans_set_tls_mode(struct trans *self, const char *key, const char *cert);
+trans_set_tls_mode(struct trans *self, const char *key, const char *cert,
+                   int disableSSLv3, const char *tls_ciphers);
 int APP_CC
 trans_shutdown_tls_mode(struct trans *self);
 int APP_CC
--- a/common/xrdp_client_info.h
+++ b/common/xrdp_client_info.h
@ -143,6 +143,8 @@ struct xrdp_client_info
  int use_frame_acks;
  int max_unacknowledged_frame_count;

+  int disableSSLv3; /* 0 = no, 1 = yes */
+  char tls_ciphers[64];
 };

 #endif
--- a/libxrdp/xrdp_rdp.c
+++ b/libxrdp/xrdp_rdp.c
@ -160,6 +160,14 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
                client_info->use_fast_path = 0;
            }
        }
+        else if (g_strcasecmp(item, "disableSSLv3") == 0)
+        {
+            client_info->disableSSLv3 = g_text2bool(value);
+        }
+        else if (g_strcasecmp(item, "tls_ciphers") == 0)
+        {
+            g_strcpy(client_info->tls_ciphers, value);
+        }
        else if (g_strcasecmp(item, "security_layer") == 0)
        {
            if (g_strcasecmp(value, "rdp") == 0)
--- a/libxrdp/xrdp_sec.c
+++ b/libxrdp/xrdp_sec.c
@ -2236,7 +2236,9 @@ xrdp_sec_incoming(struct xrdp_sec *self)

        if (trans_set_tls_mode(self->mcs_layer->iso_layer->trans,
                self->rdp_layer->client_info.key_file,
-                self->rdp_layer->client_info.certificate) != 0)
+                self->rdp_layer->client_info.certificate,
+                self->rdp_layer->client_info.disableSSLv3,
+                self->rdp_layer->client_info.tls_ciphers) != 0)
        {
            g_writeln("xrdp_sec_incoming: trans_set_tls_mode failed");
            return 1;
--- a/xrdp/xrdp.ini
+++ b/xrdp/xrdp.ini
@ -18,6 +18,10 @@ security_layer=rdp
 # openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365
 certificate=
 key_file=
+# disable SSlv3
+#disableSSLv3=yes
+# set TLS cipher suites
+#tls_ciphers=HIGH

 # regulate if the listening socket use socket option tcp_nodelay
 # no buffering will be performed in the TCP stack