author | Vladislav Grishenko <themiron@mail.ru> | 2017-11-28 06:30:11 +0500 |
committer | Vladislav Grishenko <themiron@mail.ru> | 2017-12-30 22:48:46 +0500 |
commit | 004ff247ffaad4016bb631b238a11abc285c1d0c (patch) | |
tree | c711f3963460ffe0e00cb1ac05f2e2f9acc60433 /accel-pppd | |
parent | 0ac7701588db59aeb443f0b26bee0a3cb9ebb7b4 (diff) | |
download | accel-ppp-004ff247ffaad4016bb631b238a11abc285c1d0c.tar.gz accel-ppp-004ff247ffaad4016bb631b238a11abc285c1d0c.zip |
sstp: allow to prefer server ciphers with ssl-prefer-server-ciphers option
Diffstat (limited to 'accel-pppd')
-rw-r--r-- | accel-pppd/accel-ppp.conf | 1 | ||||
-rw-r--r-- | accel-pppd/ctrl/sstp/sstp.c | 22 |
2 files changed, 18 insertions, 5 deletions
diff --git a/accel-pppd/accel-ppp.conf b/accel-pppd/accel-ppp.conf
index a4a4a714..ce41e924 100644
--- a/accel-pppd/accel-ppp.conf
+++ b/accel-pppd/accel-ppp.conf
@@ -115,6 +115,7 @@ verbose=1
 #cert-hash-sha256=
 #ssl=1
 #ssl-ciphers=HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
+#ssl-prefer-server-ciphers=0
 #ssl-ca-file=/etc/ssl/sstp-ca.crt
 #ssl-pemfile=/etc/ssl/sstp.pem
 #timeout=60
diff --git a/accel-pppd/ctrl/sstp/sstp.c b/accel-pppd/ctrl/sstp/sstp.c
index 281c3320..d3e945de 100644
--- a/accel-pppd/ctrl/sstp/sstp.c
+++ b/accel-pppd/ctrl/sstp/sstp.c
@@ -171,6 +171,7 @@ static EVP_PKEY *conf_ssl_pkey = NULL;
 static const char *conf_ssl_ca_file = NULL;
 static const char *conf_ssl_ciphers = "HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4";
+static int conf_ssl_prefer_server_ciphers = 0;
 static int conf_ssl = 1;
 #endif
@@ -1681,7 +1682,18 @@ static void sstp_start(struct sstp_conn_t *conn)
 		goto error;
 	}
-	SSL_CTX_set_options(conn->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION);
+	SSL_CTX_set_options(conn->ssl_ctx,
+#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+			SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS |
+#endif
+			SSL_OP_NO_SSLv2 |
+			SSL_OP_NO_SSLv3 |
+			SSL_OP_NO_COMPRESSION |
+			(conf_ssl_prefer_server_ciphers ? SSL_OP_CIPHER_SERVER_PREFERENCE : 0));
+	SSL_CTX_set_mode(conn->ssl_ctx,
+			SSL_MODE_ENABLE_PARTIAL_WRITE |
+			SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
+	SSL_CTX_set_read_ahead(conn->ssl_ctx, 1);
 	if (conf_ssl_ciphers &&
 	    SSL_CTX_set_cipher_list(conn->ssl_ctx, conf_ssl_ciphers) != 1) {
@@ -1701,10 +1713,6 @@ static void sstp_start(struct sstp_conn_t *conn)
 		goto error;
 	}
-	SSL_CTX_set_default_read_ahead(conn->ssl_ctx, 1);
-	SSL_CTX_set_mode(conn->ssl_ctx, SSL_CTX_get_mode(conn->ssl_ctx) |
-			SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);
-
 	conn->stream = ssl_stream_init(conn->hnd.fd, conn->ssl_ctx);
 	} else
 #endif
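Review bot: `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` in the rewritten `SSL_CTX_set_options` call of sstp_start disables OpenSSL's empty-fragment countermeasure for CBC cipher suites under SSL 3.0/TLS 1.0, and neither the commit title nor the new `ssl-prefer-server-ciphers` option covers it; since only SSLv2/SSLv3 are excluded here and TLS 1.0 stays negotiable, this is an unannounced weakening of CBC suites and deserves either a justifying comment, e.g. `/* drops the CBC empty-fragment countermeasure (SSL3/TLS1.0) for peers that reject zero-length records */`, or its own commit. The relocated `SSL_CTX_set_mode` call no longer ORs in `SSL_CTX_get_mode` as the removed lines did, which is harmless on a freshly created context but worth a one-line comment so a later reader does not see it as a regression. `SSL_CTX_set_read_ahead` replacing `SSL_CTX_set_default_read_ahead` is a straight rename of the same setting. sstp_start begins and ends outside the hunk.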
@@ -1924,6 +1932,10 @@ static void load_config(void)
 	conf_ssl_ciphers = conf_get_opt("sstp", "ssl-ciphers");
+	opt = conf_get_opt("sstp", "ssl-prefer-server-ciphers");
+	if (opt)
+		conf_ssl_prefer_server_ciphers = atoi(opt);
+
 	conf_ssl_ca_file = conf_get_opt("sstp", "ssl-ca-file");
 	opt = conf_get_opt("sstp", "ssl-pemfile"); |
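Review bot: `atoi(opt)` on the `ssl-prefer-server-ciphers` value maps any non-numeric string (a typo such as `yes`) to 0, so a misspelt enable silently leaves server cipher preference off with no diagnostic. If the other integer options in load_config are parsed the same way this is at least consistent (those lines are outside the hunk), but a stricter form is `char *end; long v = strtol(opt, &end, 10);` followed by `if (*opt && !*end) conf_ssl_prefer_server_ciphers = v != 0;` with the else branch reported through the module's usual error logging. The sample in accel-ppp.conf could also state the accepted values, e.g. `#ssl-prefer-server-ciphers=0` with a trailing note that 1 enforces the server's cipher order. load_config starts and ends outside the hunk.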