From 74497752dc062d1c2dc9594654a3770e23d989ec Mon Sep 17 00:00:00 2001
From: Koichiro IWAO
Date: Thu, 16 Aug 2018 11:31:35 +0900
Subject: [PATCH 1/3] Add TLSv1.3 support

Actually, TLSv1.3 will be enabled without this change if xrdp is compiled with OpenSSL or alternatives which support TLSv1.3. This commit makes to enable or disable TLSv1.3 explicitly. Also, this commit adds a log "TLSv1.3 enabled by config, but not supported by system OpenSSL". if xrdp installation doesn't support TLSv1.3. It should be user-friendly.
---
 common/ssl_calls.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/common/ssl_calls.c b/common/ssl_calls.c
index cb13825e..d1003b8a 100644
--- a/common/ssl_calls.c
+++ b/common/ssl_calls.c
@@ -1004,8 +1004,23 @@ ssl_get_protocols_from_string(const char *str, long *ssl_protocols)
 #endif
 #if defined(SSL_OP_NO_TLSv1_2)
     protocols |= SSL_OP_NO_TLSv1_2;
+#endif
+#if defined(SSL_OP_NO_TLSv1_3)
+    protocols |= SSL_OP_NO_TLSv1_3;
 #endif
     bad_protocols = protocols;
+    if (g_pos(str, ",TLSv1.3,") >= 0)
+    {
+#if defined(SSL_OP_NO_TLSv1_3)
+        log_message(LOG_LEVEL_DEBUG, "TLSv1.3 enabled");
+        protocols &= ~SSL_OP_NO_TLSv1_3;
+#else
+        log_message(LOG_LEVEL_WARNING,
+                    "TLSv1.3 enabled by config, "
+                    "but not supported by system OpenSSL");
+        rv |= (1 << 6);
+#endif
+    }
     if (g_pos(str, ",TLSv1.2,") >= 0)
     {
 #if defined(SSL_OP_NO_TLSv1_2)

From 1ad8cbb2a0f8e54e518dcda4bcfe43db90488964 Mon Sep 17 00:00:00 2001
From: Koichiro IWAO
Date: Thu, 16 Aug 2018 11:42:46 +0900
Subject: [PATCH 2/3] Document TLSv1.3 support

---
 docs/man/xrdp.ini.5.in | 2 +-
 xrdp/xrdp.ini.in | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/man/xrdp.ini.5.in b/docs/man/xrdp.ini.5.in
index b43c6aa1..834f258b 100644
--- a/docs/man/xrdp.ini.5.in
+++ b/docs/man/xrdp.ini.5.in
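Review bot: The warning text on the new `#else` branch says "not supported by system OpenSSL", but that branch is chosen at compile time by `#if defined(SSL_OP_NO_TLSv1_3)`, so it reports the headers xrdp was built against, not the library loaded at runtime; `"but not supported by the OpenSSL xrdp was built against"` would point an operator at the right thing to check. The bit set with `rv |= (1 << 6);` is a bare magic number; a comment such as `/* bit 6: TLSv1.3 requested but unavailable at build time */`, or a named constant shared with whatever the other protocol bits use, would keep the return-value contract readable. ssl_get_protocols_from_string begins and ends outside the hunk, so whether a caller treats this bit as fatal or only logs it cannot be judged here.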
@@ -144,7 +144,7 @@ Negotiate these security methods with clients.
 .RE
 .TP
-\fBssl_protocols\fP=\fI[SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]\fP
+\fBssl_protocols\fP=\fI[SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3]\fP
 Enables the specified SSL/TLS protocols. Each value should be separated by comma. SSLv2 is always disabled. At least one protocol should be given to accept TLS connections. This parameter is effective only if \fBsecurity_layer\fP is set to \fBtls\fP or \fBnegotiate\fP.
diff --git a/xrdp/xrdp.ini.in b/xrdp/xrdp.ini.in
index fb09bbd9..97fc81f9 100644
--- a/xrdp/xrdp.ini.in
+++ b/xrdp/xrdp.ini.in
@@ -28,8 +28,8 @@ crypt_level=high
 certificate=
 key_file=
 ; set SSL protocols
-; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2'
-ssl_protocols=TLSv1, TLSv1.1, TLSv1.2
+; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'
+ssl_protocols=TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
 ; set TLS cipher suites
 #tls_ciphers=HIGH

From 171f8e79ed76113bdfb8fa6d89822647ab31b297 Mon Sep 17 00:00:00 2001
From: Koichiro IWAO
Date: Fri, 14 Sep 2018 00:41:09 +0900
Subject: [PATCH 3/3] xrdp: deprecate TLSv1 and TLSv1.1

Most websites disabled TLSv1 (1.0) and TLSv1.1 since March 2018 [1][2][3]. It is HTTPS context but there's few differences between HTTPS and other TLS connections. Users can whenever re-enable these deprecated TLS versions by editing xrdp.ini but not enabled by default. [1] https://www.globalsign.com/en/blog/disable-tls-10-and-all-ssl-versions/ [2] https://www.thesslstore.com/blog/deprecation-tls-1-0-1-1-underway/ [3] https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1/
---
 xrdp/xrdp.ini.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xrdp/xrdp.ini.in b/xrdp/xrdp.ini.in
index 97fc81f9..76da53b5 100644
--- a/xrdp/xrdp.ini.in
+++ b/xrdp/xrdp.ini.in
@@ -29,7 +29,7 @@ certificate=
 key_file=
 ; set SSL protocols
 ; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'
-ssl_protocols=TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
+ssl_protocols=TLSv1.2, TLSv1.3
 ; set TLS cipher suites
 #tls_ciphers=HIGH
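Review bot: The context comment kept above the changed default still presents 'SSLv3', 'TLSv1' and 'TLSv1.1' as ordinary choices, while the commit's point is to deprecate the latter two; an operator reading only xrdp.ini will not learn that adding them back lowers the protocol floor the server accepts. A line such as `; TLSv1 and TLSv1.1 are deprecated and disabled by default; re-enable only for clients that cannot negotiate TLSv1.2` placed after the `; can be comma separated list` comment would carry the commit message into the file, and SSLv3 deserves the same marking since it is obsolete. Clients that offer only TLSv1 or TLSv1.1 will presumably fail the handshake with this default, which is worth stating in the release notes so the failure is recognised as intended rather than reported as a regression.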