author | xebd <xeb@mail.ru> | 2018-10-26 06:24:59 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-10-26 06:24:59 +0300 |
commit | 975b5470544503bc8c70b21320b33d715fd0850b (patch) | |
tree | 607f87e1e1c94d871c9c6c4062e5be65a64d1731 | |
parent | 938bad250baa7bd6f0761e70ce68a2de063c528c (diff) | |
parent | aa96b94f6726d35c8966bb4ce55636696f8db431 (diff) | |
download | accel-ppp-975b5470544503bc8c70b21320b33d715fd0850b.tar.gz accel-ppp-975b5470544503bc8c70b21320b33d715fd0850b.zip |
Merge pull request #55 from themiron/sstp
sstp updates
-rw-r--r-- | accel-pppd/ctrl/sstp/sstp.c | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/accel-pppd/ctrl/sstp/sstp.c b/accel-pppd/ctrl/sstp/sstp.c
index e60d2cb0..af6bc77e 100644
--- a/accel-pppd/ctrl/sstp/sstp.c
+++ b/accel-pppd/ctrl/sstp/sstp.c
@@ -2328,6 +2328,16 @@ static int ssl_servername(SSL *ssl, int *al, void *arg)
 }
 #endif
 
+#if !defined(SSL_OP_NO_RENGOTIATION) && defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
+static void ssl_info_cb(const SSL *ssl, int where, int ret)
+{
+	if ((where & SSL_CB_HANDSHAKE_DONE) != 0) {
+		/* disable renegotiation (CVE-2009-3555) */
+		ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
+	}
+}
+#endif
+
 static void ssl_load_config(struct sstp_serv_t *serv, const char *servername)
 {
 	SSL_CTX *old_ctx, *ssl_ctx = NULL;
@@ -2358,7 +2368,11 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername)
 	opt = conf_get_opt("sstp", "accept");
 	if (opt && strhas(opt, "ssl", ',')) {
 legacy_ssl:
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		ssl_ctx = SSL_CTX_new(TLS_server_method());
+#else
 		ssl_ctx = SSL_CTX_new(SSLv23_server_method());
+#endif
 		if (!ssl_ctx) {
 			log_error("sstp: SSL_CTX error: %s\n", ERR_error_string(ERR_get_error(), NULL));
 			goto error;
@@ -2368,11 +2382,14 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername)
 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
 			SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS |
 #endif
+#ifdef SSL_OP_NO_RENGOTIATION
+			SSL_OP_NO_RENGOTIATION |
+#endif
 #ifndef OPENSSL_NO_DH
 			SSL_OP_SINGLE_DH_USE |
 #endif
 #ifndef OPENSSL_NO_ECDH
-			SSL_OP_SINGLE_ECDH_USE |
+			SSL_OP_SINGLE_ECDH_USE |
 #endif
 			SSL_OP_NO_SSLv2 |
 			SSL_OP_NO_SSLv3 |
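Review bot: The macro tested by the new `#if !defined(SSL_OP_NO_RENGOTIATION)` guard in this hunk, by `#ifdef SSL_OP_NO_RENGOTIATION` in the options hunk at -2368, and by the callback guard in the hunk at -2469 is misspelled; OpenSSL's option is `SSL_OP_NO_RENEGOTIATION`, so on builds that provide it the option is never added to `SSL_CTX_set_options` and the legacy fallback is always selected instead, which silently defeats the renegotiation hardening this commit is meant to add. Rename it to `SSL_OP_NO_RENEGOTIATION` in all three places. The fallback `ssl_info_cb` also writes `ssl->s3->flags`, which only compiles where the SSL struct is not opaque, so its guard (here and at -2469) should additionally require `OPENSSL_VERSION_NUMBER < 0x10100000L`, mirroring the version check the hunk at -2358 already uses for the method selection; otherwise a 1.1.x header that still defines SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS would break the build. The `ret` parameter of `ssl_info_cb` is unused and could be silenced with `(void)ret;`.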
@@ -2469,6 +2486,10 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername)
 	if (servername && SSL_CTX_set_tlsext_servername_callback(ssl_ctx, ssl_servername) != 1)
 		log_warn("sstp: SSL server name check error: %s\n", ERR_error_string(ERR_get_error(), NULL));
 #endif
+
+#if !defined(SSL_OP_NO_RENGOTIATION) && defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
+	SSL_CTX_set_info_callback(ssl_ctx, ssl_info_cb);
+#endif
 	} else {
 		/* legacy option, to be removed */
 		opt = conf_get_opt("sstp", "ssl");