TLS: switch ssl_protocols to a comma separated list

Koichiro IWAO 8 years ago committed by metalefty
parent c126f81d9a
commit 849c1a22a2

@ -145,7 +145,7 @@ Negotiate these security methods with clients.
.TP .TP
\fBssl_protocols\fP=\fI[SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]\fP \fBssl_protocols\fP=\fI[SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]\fP
Enables the specified SSL/TLS protocols. Each value should be separated by space. Enables the specified SSL/TLS protocols. Each value should be separated by comma.
SSLv2 is always disabled. At least one protocol should be given to accept TLS connections. SSLv2 is always disabled. At least one protocol should be given to accept TLS connections.
This parameter is effective only if \fBsecurity_layer\fP is set to \fBtls\fP or \fBnegotiate\fP. This parameter is effective only if \fBsecurity_layer\fP is set to \fBtls\fP or \fBnegotiate\fP.

@ -45,6 +45,7 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
char *item = (char *)NULL; char *item = (char *)NULL;
char *value = (char *)NULL; char *value = (char *)NULL;
char cfg_file[256]; char cfg_file[256];
char *p = (char *)NULL;
char *tmp = (char *)NULL; char *tmp = (char *)NULL;
int tmp_length = 0; int tmp_length = 0;
@ -165,31 +166,36 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
} }
else if (g_strcasecmp(item, "ssl_protocols") == 0) else if (g_strcasecmp(item, "ssl_protocols") == 0)
{ {
/* put leading/trailing space to properly detect "TLSv1" without regex */ /* put leading/trailing comma to properly detect "TLSv1" without regex */
tmp_length = g_strlen(value) + 3; tmp_length = g_strlen(value) + 3;
tmp = g_new(char, tmp_length); tmp = g_new(char, tmp_length);
g_snprintf(tmp, tmp_length, "%s%s%s", " ", value, " "); g_snprintf(tmp, tmp_length, "%s%s%s", ",", value, ",");
/* to accept space after comma */
while ((p = (char *) g_strchr(tmp, ' ')) != NULL)
{
*p = ',';
}
/* disable all protocols first, enable later */ /* disable all protocols first, enable later */
client_info->ssl_protocols = client_info->ssl_protocols =
SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2; SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
if (g_pos(tmp, " TLSv1.2 ") >= 0) if (g_pos(tmp, ",TLSv1.2,") >= 0)
{ {
log_message(LOG_LEVEL_DEBUG, "TLSv1.2 enabled"); log_message(LOG_LEVEL_DEBUG, "TLSv1.2 enabled");
client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_2; client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_2;
} }
if (g_pos(tmp, " TLSv1.1 ") >= 0) if (g_pos(tmp, ",TLSv1.1,") >= 0)
{ {
log_message(LOG_LEVEL_DEBUG, "TLSv1.1 enabled"); log_message(LOG_LEVEL_DEBUG, "TLSv1.1 enabled");
client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_1; client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_1;
} }
if (g_pos(tmp, " TLSv1 ") >= 0) if (g_pos(tmp, ",TLSv1,") >= 0)
{ {
log_message(LOG_LEVEL_DEBUG, "TLSv1 enabled"); log_message(LOG_LEVEL_DEBUG, "TLSv1 enabled");
client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1; client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1;
} }
if (g_pos(tmp, " SSLv3 ") >= 0) if (g_pos(tmp, ",SSLv3,") >= 0)
{ {
log_message(LOG_LEVEL_DEBUG, "SSLv3 enabled"); log_message(LOG_LEVEL_DEBUG, "SSLv3 enabled");
client_info->ssl_protocols &= ~SSL_OP_NO_SSLv3; client_info->ssl_protocols &= ~SSL_OP_NO_SSLv3;
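Review bot: The new space-to-comma loop after the g_snprintf only rewrites `' '`, so a tab-separated value, or a typo such as `TLSv1,2`, matches none of the `g_pos` checks that follow and leaves every SSL_OP_NO_* bit from the "disable all protocols first" assignment set; the server then accepts no TLS version at all, and the only trace is the absence of the "enabled" debug lines. Failing closed is the right default here, but it should be visible to the administrator: after the last protocol check add `if (client_info->ssl_protocols == (SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2)) { log_message(LOG_LEVEL_WARNING, "ssl_protocols: no recognized protocol in '%s'", value); }`. The comment above the loop would also be clearer as `/* rewrite spaces as commas: tolerates "a, b" and keeps the old space-separated form working */`, since that compatibility is presumably the reason for the loop. The enclosing xrdp_rdp_read_config() body continues outside the hunk, and the final SSLv3 block is cut off at the hunk's end.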

@ -26,8 +26,8 @@ crypt_level=high
certificate= certificate=
key_file= key_file=
; set SSL protocols ; set SSL protocols
; can be space separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2' ; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2'
ssl_protocols=TLSv1 TLSv1.1 TLSv1.2 ssl_protocols=TLSv1, TLSv1.1, TLSv1.2
; set TLS cipher suites (up to 63 characters) ; set TLS cipher suites (up to 63 characters)
#tls_ciphers=HIGH #tls_ciphers=HIGH
