new options for xrdp.ini disableSSlv3=yes and tls_ciphers=HIGH and code to implement

master
Alex Illsley 8 years ago committed by Jay Sorg
parent e28f529a94
commit 47124df4ed

@ -590,18 +590,25 @@ ssl_tls_print_error(const char *func, SSL *connection, int value)
/*****************************************************************************/
int APP_CC
ssl_tls_accept(struct ssl_tls *self)
ssl_tls_accept(struct ssl_tls *self, int disableSSLv3,
const char *tls_ciphers)
{
int connection_status;
long options = 0;
/**
* SSL_OP_NO_SSLv2:
*
* We only want SSLv3 and TLSv1, so disable SSLv2.
* SSL_OP_NO_SSLv2
* SSLv3 is used by, eg. Microsoft RDC for Mac OS X.
* No SSLv3 if disableSSLv3=yes so only tls used
*/
if (disableSSLv3)
{
options |= SSL_OP_NO_SSLv3;
}
else
{
options |= SSL_OP_NO_SSLv2;
}
#if defined(SSL_OP_NO_COMPRESSION)
/**
@ -638,6 +645,16 @@ ssl_tls_accept(struct ssl_tls *self)
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
SSL_MODE_ENABLE_PARTIAL_WRITE);
SSL_CTX_set_options(self->ctx, options);
if (g_strlen(tls_ciphers) > 1)
{
if (SSL_CTX_set_cipher_list(self->ctx, tls_ciphers) == 0)
{
g_writeln("ssl_tls_accept: invalid cipher options");
return 1;
}
}
SSL_CTX_set_read_ahead(self->ctx, 1);
if (self->ctx == NULL)

@ -96,7 +96,8 @@ struct ssl_tls
struct ssl_tls *APP_CC
ssl_tls_create(struct trans *trans, const char *key, const char *cert);
int APP_CC
ssl_tls_accept(struct ssl_tls *self);
ssl_tls_accept(struct ssl_tls *self, int disableSSLv3,
const char *tls_ciphers);
int APP_CC
ssl_tls_disconnect(struct ssl_tls *self);
void APP_CC

@ -881,7 +881,8 @@ trans_get_out_s(struct trans *self, int size)
/*****************************************************************************/
/* returns error */
int APP_CC
trans_set_tls_mode(struct trans *self, const char *key, const char *cert)
trans_set_tls_mode(struct trans *self, const char *key, const char *cert,
int disableSSLv3, const char *tls_ciphers)
{
self->tls = ssl_tls_create(self, key, cert);
if (self->tls == NULL)
@ -890,7 +891,7 @@ trans_set_tls_mode(struct trans *self, const char *key, const char *cert)
return 1;
}
if (ssl_tls_accept(self->tls) != 0)
if (ssl_tls_accept(self->tls, disableSSLv3, tls_ciphers) != 0)
{
g_writeln("trans_set_tls_mode: ssl_tls_accept failed");
return 1;

@ -122,7 +122,8 @@ trans_get_in_s(struct trans* self);
struct stream* APP_CC
trans_get_out_s(struct trans* self, int size);
int APP_CC
trans_set_tls_mode(struct trans *self, const char *key, const char *cert);
trans_set_tls_mode(struct trans *self, const char *key, const char *cert,
int disableSSLv3, const char *tls_ciphers);
int APP_CC
trans_shutdown_tls_mode(struct trans *self);
int APP_CC

@ -143,6 +143,8 @@ struct xrdp_client_info
int use_frame_acks;
int max_unacknowledged_frame_count;
int disableSSLv3; /* 0 = no, 1 = yes */
char tls_ciphers[64];
};
#endif

@ -160,6 +160,14 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
client_info->use_fast_path = 0;
}
}
else if (g_strcasecmp(item, "disableSSLv3") == 0)
{
client_info->disableSSLv3 = g_text2bool(value);
}
else if (g_strcasecmp(item, "tls_ciphers") == 0)
{
g_strcpy(client_info->tls_ciphers, value);
}
else if (g_strcasecmp(item, "security_layer") == 0)
{
if (g_strcasecmp(value, "rdp") == 0)

@ -2236,7 +2236,9 @@ xrdp_sec_incoming(struct xrdp_sec *self)
if (trans_set_tls_mode(self->mcs_layer->iso_layer->trans,
self->rdp_layer->client_info.key_file,
self->rdp_layer->client_info.certificate) != 0)
self->rdp_layer->client_info.certificate,
self->rdp_layer->client_info.disableSSLv3,
self->rdp_layer->client_info.tls_ciphers) != 0)
{
g_writeln("xrdp_sec_incoming: trans_set_tls_mode failed");
return 1;

@ -18,6 +18,10 @@ security_layer=rdp
# openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365
certificate=
key_file=
# disable SSlv3
#disableSSLv3=yes
# set TLS cipher suites
#tls_ciphers=HIGH
# regulate if the listening socket use socket option tcp_nodelay
# no buffering will be performed in the TCP stack

Loading…
Cancel
Save