From 7c14a51276b7bb2e50d04aff1351e5147e416846 Mon Sep 17 00:00:00 2001 From: Vladislav Grishenko Date: Sat, 27 Jul 2019 16:44:22 +0500 Subject: sstp: implement ssl-protocol list option possible protocols are ssl2, ssl3, tls1, tls1.1, tls1.2 and tls1.3, but support does depend on openssl library. defaults are up to openssl library w/o ssl2/ssl3. --- accel-pppd/accel-ppp.conf | 1 + accel-pppd/accel-ppp.conf.5 | 3 +++ accel-pppd/ctrl/sstp/sstp.c | 60 ++++++++++++++++++++++++++++++++++++++++++--- 3 files changed, 60 insertions(+), 4 deletions(-) (limited to 'accel-pppd') diff --git a/accel-pppd/accel-ppp.conf b/accel-pppd/accel-ppp.conf index 929402b0..86739125 100644 --- a/accel-pppd/accel-ppp.conf +++ b/accel-pppd/accel-ppp.conf @@ -112,6 +112,7 @@ verbose=1 #cert-hash-sha1= #cert-hash-sha256= #accept=ssl,proxy +#ssl-protocol=tls1,tls1.1,tls1.2,tls1.3 #ssl-dhparam=/etc/ssl/dhparam.pem #ssl-ecdh-curve=prime256v1 #ssl-ciphers=DEFAULT diff --git a/accel-pppd/accel-ppp.conf.5 b/accel-pppd/accel-ppp.conf.5 index 15becb3f..ed1738ed 100644 --- a/accel-pppd/accel-ppp.conf.5 +++ b/accel-pppd/accel-ppp.conf.5 @@ -715,6 +715,9 @@ Specifies incoming connection acceptance mode. .B proxy - enable PROXY protocol 1 & 2 support. .TP +.BI "ssl-protocol=" ssl2|ssl3|tls1|tls1.1|tls1.2|tls1.3 +Specifies the enabled SSL/TLS protocols supported by OpenSSL library. +.TP .BI "ssl-dhparam=" pemfile Specifies a file with DH parameters for DHE ciphers. .TP diff --git a/accel-pppd/ctrl/sstp/sstp.c b/accel-pppd/ctrl/sstp/sstp.c index 0e991bc0..8df838d5 100644 --- a/accel-pppd/ctrl/sstp/sstp.c +++ b/accel-pppd/ctrl/sstp/sstp.c @@ -2381,11 +2381,7 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername) opt = conf_get_opt("sstp", "accept"); if (opt && strhas(opt, "ssl", ',')) { legacy_ssl: -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - ssl_ctx = SSL_CTX_new(TLS_server_method()); -#else ssl_ctx = SSL_CTX_new(SSLv23_server_method()); -#endif if (!ssl_ctx) { log_error("sstp: SSL_CTX error: %s\n", ERR_error_string(ERR_get_error(), NULL)); goto error; @@ -2404,14 +2400,70 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername) #ifndef OPENSSL_NO_ECDH SSL_OP_SINGLE_ECDH_USE | #endif +#ifdef OPENSSL_NO_SSL2 SSL_OP_NO_SSLv2 | +#endif +#ifdef OPENSSL_NO_SSL3 SSL_OP_NO_SSLv3 | +#endif SSL_OP_NO_COMPRESSION); SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); SSL_CTX_set_read_ahead(ssl_ctx, 1); + opt = conf_get_opt("sstp", "ssl-protocol"); + if (opt) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + SSL_CTX_set_min_proto_version(ssl_ctx, 0); + SSL_CTX_set_max_proto_version(ssl_ctx, 0); +#endif + if (strhas(opt, "ssl2", ',')) +#if defined(OPENSSL_NO_SSL2) || OPENSSL_VERSION_NUMBER >= 0x10100000L + log_warn("sstp: %s warning: %s is not suported\n", "ssl-protocol", "SSLv2"); +#else + SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_SSLv2); + else + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2); +#endif + if (strhas(opt, "ssl3", ',')) +#ifdef OPENSSL_NO_SSL3 + log_warn("sstp: %s warning: %s is not suported\n", "ssl-protocol", "SSLv3"); +#else + SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_SSLv3); + else + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3); +#endif + if (strhas(opt, "tls1", ',')) + SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1); + else + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1); + if (strhas(opt, "tls11", ',') || strhas(opt, "tls1.1", ',')) +#ifndef SSL_OP_NO_TLSv1_1 + log_warn("sstp: %s warning: %s is not suported\n", "ssl-protocol", "TLSv1.1"); +#else + SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_1); + else + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1); +#endif + if (strhas(opt, "tls12", ',') || strhas(opt, "tls1.2", ',')) +#ifndef SSL_OP_NO_TLSv1_2 + log_warn("sstp: %s warning: %s is not suported\n", "ssl-protocol", "TLSv1.2"); +#else + SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_2); + else + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2); +#endif + if (strhas(opt, "tls13", ',') || strhas(opt, "tls1.3", ',')) +#ifndef SSL_OP_NO_TLSv1_3 + log_warn("sstp: %s warning: %s is not suported\n", "ssl-protocol", "TLSv1.3"); +#else + SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_3); + else + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_3); +#endif + } + #ifndef OPENSSL_NO_DH opt = conf_get_opt("sstp", "ssl-dhparam"); if (opt) { -- cgit v1.2.3 From 601a828d2931a80644a271e70afdd483319d2049 Mon Sep 17 00:00:00 2001 From: Vladislav Grishenko Date: Sat, 27 Jul 2019 16:48:38 +0500 Subject: sstp: log DH/ECDH support warnings as well --- accel-pppd/ctrl/sstp/sstp.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'accel-pppd') diff --git a/accel-pppd/ctrl/sstp/sstp.c b/accel-pppd/ctrl/sstp/sstp.c index 8df838d5..c5d8466b 100644 --- a/accel-pppd/ctrl/sstp/sstp.c +++ b/accel-pppd/ctrl/sstp/sstp.c @@ -2464,9 +2464,11 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername) #endif } -#ifndef OPENSSL_NO_DH opt = conf_get_opt("sstp", "ssl-dhparam"); if (opt) { +#ifdef OPENSSL_NO_DH + log_warn("sstp: %s warning: %s is not suported\n", "ssl-protocol", "DH"); +#else DH *dh; if (BIO_read_filename(in, opt) <= 0) { @@ -2482,11 +2484,14 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername) SSL_CTX_set_tmp_dh(ssl_ctx, dh); DH_free(dh); - } #endif + } -#ifndef OPENSSL_NO_ECDH opt = conf_get_opt("sstp", "ssl-ecdh-curve"); +#ifdef OPENSSL_NO_ECDH + if (opt) + log_warn("sstp: %s warning: %s is not suported\n", "ssl-protocol", "ECDH"); +#else { #if defined(SSL_CTX_set1_curves_list) || defined(SSL_CTRL_SET_CURVES_LIST) #ifdef SSL_CTRL_SET_ECDH_AUTO -- cgit v1.2.3 From f1e56999dc41f712464fa1bd627a05254d4eacc8 Mon Sep 17 00:00:00 2001 From: Vladislav Grishenko Date: Sat, 27 Jul 2019 16:50:46 +0500 Subject: sstp: tie log errors with config options --- accel-pppd/ctrl/sstp/sstp.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) (limited to 'accel-pppd') diff --git a/accel-pppd/ctrl/sstp/sstp.c b/accel-pppd/ctrl/sstp/sstp.c index c5d8466b..ae9fe997 100644 --- a/accel-pppd/ctrl/sstp/sstp.c +++ b/accel-pppd/ctrl/sstp/sstp.c @@ -2362,18 +2362,18 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername) if (opt) { in = BIO_new(BIO_s_file()); if (!in) { - log_error("sstp: SSL certificate error: %s\n", ERR_error_string(ERR_get_error(), NULL)); + log_error("sstp: %s error: %s\n", "ssl-pemfile", ERR_error_string(ERR_get_error(), NULL)); goto error; } if (BIO_read_filename(in, opt) <= 0) { - log_error("sstp: SSL certificate error: %s\n", ERR_error_string(ERR_get_error(), NULL)); + log_error("sstp: %s error: %s\n", "ssl-pemfile", ERR_error_string(ERR_get_error(), NULL)); goto error; } cert = PEM_read_bio_X509(in, NULL, NULL, NULL); if (!cert) { - log_error("sstp: SSL certificate error: %s\n", ERR_error_string(ERR_get_error(), NULL)); + log_error("sstp: %s error: %s\n", "ssl-pemfile", ERR_error_string(ERR_get_error(), NULL)); goto error; } } @@ -2383,7 +2383,7 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername) legacy_ssl: ssl_ctx = SSL_CTX_new(SSLv23_server_method()); if (!ssl_ctx) { - log_error("sstp: SSL_CTX error: %s\n", ERR_error_string(ERR_get_error(), NULL)); + log_error("sstp: %s error: %s\n", "SSL_CTX_new", ERR_error_string(ERR_get_error(), NULL)); goto error; } @@ -2472,13 +2472,13 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername) DH *dh; if (BIO_read_filename(in, opt) <= 0) { - log_error("sstp: SSL dhparam error: %s\n", ERR_error_string(ERR_get_error(), NULL)); + log_error("sstp: %s error: %s\n", "ssl-dhparam", ERR_error_string(ERR_get_error(), NULL)); goto error; } dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL); if (dh == NULL) { - log_error("sstp: SSL dhparam error: %s\n", ERR_error_string(ERR_get_error(), NULL)); + log_error("sstp: %s error: %s\n", "ssl-dhparam", ERR_error_string(ERR_get_error(), NULL)); goto error; } @@ -2499,7 +2499,7 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername) SSL_CTX_set_ecdh_auto(ssl_ctx, 1); #endif if (opt && SSL_CTX_set1_curves_list(ssl_ctx, opt) == 0) { - log_error("sstp: SSL ecdh-curve error: %s\n", ERR_error_string(ERR_get_error(), NULL)); + log_error("sstp: %s error: %s\n", "ssl-ecdh-curve", ERR_error_string(ERR_get_error(), NULL)); goto error; } #else @@ -2508,13 +2508,13 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername) nid = OBJ_sn2nid(opt ? : "prime256v1"); if (nid == 0) { - log_error("sstp: SSL ecdh-curve error: %s\n", ERR_error_string(ERR_get_error(), NULL)); + log_error("sstp: %s error: %s\n", "ssl-ecdh-curve", ERR_error_string(ERR_get_error(), NULL)); goto error; } ecdh = EC_KEY_new_by_curve_name(nid); if (ecdh == NULL) { - log_error("sstp: SSL ecdh-curve error: %s\n", ERR_error_string(ERR_get_error(), NULL)); + log_error("sstp: %s error: %s\n", "ssl-ecdh-curve", ERR_error_string(ERR_get_error(), NULL)); goto error; } @@ -2526,7 +2526,7 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername) opt = conf_get_opt("sstp", "ssl-ciphers"); if (opt && SSL_CTX_set_cipher_list(ssl_ctx, opt) != 1) { - log_error("sstp: SSL cipher list error: %s\n", ERR_error_string(ERR_get_error(), NULL)); + log_error("sstp: %s error: %s\n", "ssl-ciphers", ERR_error_string(ERR_get_error(), NULL)); goto error; } @@ -2535,26 +2535,26 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername) SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); if (cert && SSL_CTX_use_certificate(ssl_ctx, cert) != 1) { - log_error("sstp: SSL certificate error: %s\n", ERR_error_string(ERR_get_error(), NULL)); + log_error("sstp: %s error: %s\n", "ssl-pemfile", ERR_error_string(ERR_get_error(), NULL)); goto error; } opt = conf_get_opt("sstp", "ssl-keyfile") ? : conf_get_opt("sstp", "ssl-pemfile"); if ((opt && SSL_CTX_use_PrivateKey_file(ssl_ctx, opt, SSL_FILETYPE_PEM) != 1) || SSL_CTX_check_private_key(ssl_ctx) != 1) { - log_error("sstp: SSL private key error: %s\n", ERR_error_string(ERR_get_error(), NULL)); + log_error("sstp: %s error: %s\n", "ssl-keyfile", ERR_error_string(ERR_get_error(), NULL)); goto error; } opt = conf_get_opt("sstp", "ssl-ca-file"); if (opt && SSL_CTX_load_verify_locations(ssl_ctx, opt, NULL) != 1) { - log_error("sstp: SSL ca file error: %s\n", ERR_error_string(ERR_get_error(), NULL)); + log_error("sstp: %s error: %s\n", "ssl-ca-file", ERR_error_string(ERR_get_error(), NULL)); goto error; } #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME if (servername && SSL_CTX_set_tlsext_servername_callback(ssl_ctx, ssl_servername) != 1) - log_warn("sstp: SSL server name check error: %s\n", ERR_error_string(ERR_get_error(), NULL)); + log_warn("sstp: %s error: %s\n", "host-name", ERR_error_string(ERR_get_error(), NULL)); #endif #ifndef SSL_OP_NO_RENEGOTIATION -- cgit v1.2.3 From 61f0be6286a741f44b5bf6736e4bac132ea04495 Mon Sep 17 00:00:00 2001 From: Vladislav Grishenko Date: Sat, 27 Jul 2019 16:51:14 +0500 Subject: sstp: enable all client-compat opts --- accel-pppd/ctrl/sstp/sstp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'accel-pppd') diff --git a/accel-pppd/ctrl/sstp/sstp.c b/accel-pppd/ctrl/sstp/sstp.c index ae9fe997..62e574c7 100644 --- a/accel-pppd/ctrl/sstp/sstp.c +++ b/accel-pppd/ctrl/sstp/sstp.c @@ -2387,7 +2387,7 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername) goto error; } - SSL_CTX_set_options(ssl_ctx, + SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL | #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS | #endif -- cgit v1.2.3