author | Vladislav Grishenko <themiron@mail.ru> | 2019-07-27 16:44:22 +0500 |
---|---|---|
committer | Vladislav Grishenko <themiron@mail.ru> | 2019-07-27 16:45:10 +0500 |
commit | 7c14a51276b7bb2e50d04aff1351e5147e416846 (patch) | |
tree | 4aae0a7e4c90a84b3884b78abbef706e4812f45c /accel-pppd/ctrl/sstp | |
parent | 90f30c5c33577ab5cb50bd93863908ab97c40749 (diff) | |
sstp: implement ssl-protocol list option
possible protocols are ssl2, ssl3, tls1, tls1.1, tls1.2 and tls1.3,
but support depends on the OpenSSL library build.
defaults are up to openssl library w/o ssl2/ssl3.
Diffstat (limited to 'accel-pppd/ctrl/sstp')
-rw-r--r-- | accel-pppd/ctrl/sstp/sstp.c | 60 |
1 files changed, 56 insertions, 4 deletions
diff --git a/accel-pppd/ctrl/sstp/sstp.c b/accel-pppd/ctrl/sstp/sstp.c
index 0e991bc0..8df838d5 100644
--- a/accel-pppd/ctrl/sstp/sstp.c
+++ b/accel-pppd/ctrl/sstp/sstp.c
@@ -2381,11 +2381,7 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername)
 opt = conf_get_opt("sstp", "accept");
 if (opt && strhas(opt, "ssl", ',')) {
 legacy_ssl:
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- ssl_ctx = SSL_CTX_new(TLS_server_method());
-#else
 ssl_ctx = SSL_CTX_new(SSLv23_server_method());
-#endif
 if (!ssl_ctx) {
 log_error("sstp: SSL_CTX error: %s\n", ERR_error_string(ERR_get_error(), NULL));
 goto error;
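Review bot: The now-unconditional `SSL_CTX_new(SSLv23_server_method())` depends on a name that OpenSSL 1.1.0 and later only provide as a compatibility alias for `TLS_server_method()` — as far as I can tell from the 1.1.x headers it disappears when `OPENSSL_API_COMPAT` is set to 0x10100000L or newer, and 3.0 marks it deprecated — so the deleted `#if` branch was the forward-compatible one. Both names resolve to the same version-flexible method where they compile, so runtime behaviour is unchanged; if the single call is kept, a comment such as `/* SSLv23_server_method() is the TLS_server_method() alias on 1.1.0+; needed for 1.0.x */` would tell the next maintainer why the version check went away. ssl_load_config begins before and continues after this hunk.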
@@ -2404,14 +2400,70 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername) #ifndef OPENSSL_NO_ECDH SSL_OP_SINGLE_ECDH_USE | #endif +#ifdef OPENSSL_NO_SSL2 SSL_OP_NO_SSLv2 | +#endif +#ifdef OPENSSL_NO_SSL3 SSL_OP_NO_SSLv3 | +#endif SSL_OP_NO_COMPRESSION); SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); SSL_CTX_set_read_ahead(ssl_ctx, 1); + opt = conf_get_opt("sstp", "ssl-protocol"); + if (opt) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + SSL_CTX_set_min_proto_version(ssl_ctx, 0); + SSL_CTX_set_max_proto_version(ssl_ctx, 0); +#endif + if (strhas(opt, "ssl2", ',')) +#if defined(OPENSSL_NO_SSL2) || OPENSSL_VERSION_NUMBER >= 0x10100000L + log_warn("sstp: %s warning: %s is not suported\n", "ssl-protocol", "SSLv2"); +#else + SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_SSLv2); + else + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2); +#endif + if (strhas(opt, "ssl3", ',')) +#ifdef OPENSSL_NO_SSL3 + log_warn("sstp: %s warning: %s is not suported\n", "ssl-protocol", "SSLv3"); +#else + SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_SSLv3); + else + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3); +#endif + if (strhas(opt, "tls1", ',')) + SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1); + else + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1); + if (strhas(opt, "tls11", ',') || strhas(opt, "tls1.1", ',')) +#ifndef SSL_OP_NO_TLSv1_1 + log_warn("sstp: %s warning: %s is not suported\n", "ssl-protocol", "TLSv1.1"); +#else + SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_1); + else + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1); +#endif + if (strhas(opt, "tls12", ',') || strhas(opt, "tls1.2", ',')) +#ifndef SSL_OP_NO_TLSv1_2 + log_warn("sstp: %s warning: %s is not suported\n", "ssl-protocol", "TLSv1.2"); +#else + SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_2); + else + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2); +#endif + if (strhas(opt, "tls13", ',') || strhas(opt, "tls1.3", ',')) +#ifndef SSL_OP_NO_TLSv1_3 + 
log_warn("sstp: %s warning: %s is not suported\n", "ssl-protocol", "TLSv1.3"); +#else + SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_3); + else + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_3); +#endif + } + #ifndef OPENSSL_NO_DH opt = conf_get_opt("sstp", "ssl-dhparam"); if (opt) { |
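Review bot: The new `#ifdef OPENSSL_NO_SSL2` and `#ifdef OPENSSL_NO_SSL3` guards around `SSL_OP_NO_SSLv2 |` and `SSL_OP_NO_SSLv3 |` in the default `SSL_CTX_set_options()` mask look inverted: the flags are only applied when the library was built without those protocols (where they are no-ops) and are dropped when the library actually ships them, so a server configured without `ssl-protocol` would accept SSLv3 on an OpenSSL 1.0.x build that still includes it, contrary to the description's "defaults ... w/o ssl2/ssl3". Changing both guards to `#ifndef OPENSSL_NO_SSL2` and `#ifndef OPENSSL_NO_SSL3` restores the intended default, and matches the `#ifndef OPENSSL_NO_ECDH` guard just above. The five `log_warn` strings also misspell "supported" as "suported". ssl_load_config begins before and continues after this hunk.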