xrdp-proprietary

Commit Graph

Author	SHA1	Message	Date
Koichiro IWAO	74497752dc	Add TLSv1.3 support Actually, TLSv1.3 will be enabled without this change if xrdp is compiled with OpenSSL or alternatives which support TLSv1.3. This commit makes to enable or disable TLSv1.3 explicitly. Also, this commit adds a log "TLSv1.3 enabled by config, but not supported by system OpenSSL". if xrdp installation doesn't support TLSv1.3. It should be user-friendly.	6 years ago
daixj	88b3c06311	fix issue #1112 : set SSL object's read_ahead flag to be 0	7 years ago
Koichiro IWAO	b2b42d28f3	xrdp: add OpenSSL version to --version While here, cleanup --help, --version, and when unknown option.	7 years ago
speidy	a432969746	common: ssl_calls: add support for OpenSSL>=1.1.0 API for DH keys also fixes some memory leak introduced in PR#1024. and adds a check that DH params generated successfully. write a proper log message if not.	7 years ago
speidy	8effc09ab7	common: ssl_calls: check if SSL object created right after its creation.	7 years ago
Koichiro IWAO	e3d0fd6d46	common: temporarily disable DHE until make it possible to use generated DH parameters per installation.	7 years ago
Koichiro IWAO	1690950cc8	common: regenerate dhparam Generated by: openssl dhparam -C 2236	7 years ago
Koichiro IWAO	578d23477c	common: obey coding style, remove trailing space	7 years ago
Enrico Tagliavini	70b5adb396	add support for DHE ciphers via compiled in dhparam make it possible to use regular (non EC) EDH ciphers. To make this possible a Diffie-Hellman parameter must be passed to the openssl library. There are a few options possible as described in the manuals at [1] and [2]. Simplest approach is to generate a DH parameter using openssl dhparam -C <lenght> and include the code into the application. The lenght used for this commit is 2236 bits long, which is the longest possible without risking backward incompatibilities with old systems as stated in [1]. Newer systems should use ECDH anyway, so it makes sense to keep this method as compatible with older system as possible. Paramters longer than 2048 should still be secure enough at the time of writing. [1] https://wiki.openssl.org/index.php/Diffie-Hellman_parameters [2] https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_tmp_dh_callback(3)	7 years ago
Enrico Tagliavini	6cdc0f31b0	enable automatic ECDH when possible (openssl 1.0.2) Openssl 1.1.0 and later are enabling ECDH automatically, but for older version it must be enabled explicitly or all Perfect Forward Secrecy ciphers will be silently ignored. See also [1]. This commit applies the same fix as found in CnetOS 7 httpd package to enable automatic ECDH as found in [2]. [1] https://wiki.openssl.org/index.php/Diffie-Hellman_parameters [2] https://git.centos.org/blob/rpms!httpd.git/c7/SOURCES!httpd-2.4.6-ssl-ecdh-auto.patch	7 years ago
Koichiro IWAO	793a418cfb	common: log what value is set to tls_ciphers Related to #1033.	7 years ago
Jay Sorg	a9eb21e6d7	common: avoid 100% cpu on ssl accept, can be fake client	7 years ago
Koichiro IWAO	04187945a8	move base64 functions to base64.c	7 years ago
Koichiro IWAO	d57e02626d	add base64_decode function	7 years ago
Koichiro IWAO	aa4b90d250	Change log level DEBUG -> WARNING since unavailability of ssl protocols defined in config file may weaken security and it is important for users.	7 years ago
Koichiro IWAO	455c341efc	Reword log messages in ssl_get_protocols_from_string()	7 years ago
Jay Sorg	8d63c32899	move openssl calls to common/libssl.c, check for defines	7 years ago
Jay Sorg	2c96908ea5	common: if SSL_shutdown fails, only call one more time	8 years ago
Jay Sorg	75fd3fcf89	common: ssl_tls_write / read return 0 on socket close	8 years ago
Pavel Roskin	6ed4c969f4	Eliminate APP_CC and DEFAULT_CC	8 years ago
Pavel Roskin	b2d3dcf169	Include config_ac.h from all source files	8 years ago
Koichiro IWAO	e94ab10e14	TLS: new method to specify SSL/TLS version SSL/TLS protocols only listed in ssl_protocols should be used. The name "ssl_protocols" comes from nginx. Resolves #428.	8 years ago
Jay Sorg	657f6f3756	common: use select for SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE tls errors	8 years ago
Pavel Roskin	dc1e341f5a	Constify input arguments of ssl_mod_exp() and ssl_gen_key_xrdp1()	8 years ago
Pavel Roskin	6a3f0a75bd	Remove support for OpenSSL older than 0.9.8 It's hard to find an older version of OpenSSL even on long term support distros.	8 years ago
Idan Freiberg	19375dda7a	Merge pull request #426 from metalefty/log-tls-version-and-cipher TLS: log TLS version and cipher	8 years ago
Koichiro IWAO	c89c1318f8	obey coding standard, no logic change	8 years ago
Pavel Roskin	6664aac00f	Use "void" for empty argument list in declarations In C, an empty argument list in a declaration means that the function can accept any arguments. Use "void" instead, it means "no arguments". C++ treats void and empty list as "no arguments".	8 years ago
Koichiro IWAO	40e8194122	TLS: log TLS version and cipher	8 years ago
Pavel Roskin	4324084d58	Use static inline functions for OpenSSL 1.0 backport Conditional preprocessor directives spread throughout the code set a bad example. The new backport code is located in one place. The compiler checks argument types. The backport code has no access to the caller variables. The main code has all advantages of the new, more compact API.	8 years ago
Dominik George	e5cf45d1ac	Add backwards compatibility to OpenSSL < 1.1.0.	8 years ago
Dominik George	1b5fb8f1c8	Fix ssl_calls for OpenSSL 1.1.0, closes #458 .	8 years ago
Jay Sorg	8f747e37ca	always set SSL_OP_NO_SSLv2 in TLS options	8 years ago
Alex Illsley	47124df4ed	new options for xrdp.ini disableSSlv3=yes and tls_ciphers=HIGH and code to implement	8 years ago
Pavel Roskin	5829323ad8	Use g_new or g_new0 when C++ compiler would complain about implicit cast	8 years ago
Pavel Roskin	aeeb3d2c2e	Fix warnings detected by -Wwrite-strings	8 years ago
Jay Sorg	f100036cd9	common: minor fix for older openssl keygen	9 years ago
Jay Sorg	0d192aee62	common: fix for key generated smaller than asked for	9 years ago
Jay Sorg	fd793bd213	rename g_tcp_can_recv to g_sck_can_recv	9 years ago
Koichiro IWAO	cd6ab20e94	common: shut up some messages in ssl_tls_print_error SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE are not fatal error but just indicate SSL_read, SSL_write, SSL_accept functions to repeat.	10 years ago
Koichiro IWAO	2a2b8bcd59	common: fix #248 TLS on FreeBSD According to document[1][2][3], retry when SSL_get_error returns SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE. [1] https://www.openssl.org/docs/ssl/SSL_read.html [2] https://www.openssl.org/docs/ssl/SSL_write.html [3] https://www.openssl.org/docs/ssl/SSL_accept.html	10 years ago
speidy	86005c5bcc	ssl_calls: fix to read certificate chains	10 years ago
Jay Sorg	d9d746ce5c	common: avoid possible SSL_shutdown crash	10 years ago
Jay Sorg	cc0406dddf	common: move tls calls to ssl_calls	10 years ago
Jay Sorg	09de814ff0	common: allow RSA keys bigger than 512 bit	11 years ago
Jay Sorg	25ad4d8a36	common: add more fips ssl calls	11 years ago
Jay Sorg	2921400083	common: check for nil in fips cleanup	11 years ago
Jay Sorg	926cd095fc	common: added des3 calls for fips	11 years ago
Laxmikant Rashinkar	1123323fda	o moved from GNU General Public License to Apache License, Version 2.0 o applied new coding standards to all .c files o moved some files around	12 years ago
Jay Sorg	0da32da2d8	add ssl init to common	14 years ago

1 2

68 Commits (435295e5bff9e75d464e63c80a8c82a6c34e55aa)