Index: UPGRADE.txt =================================================================== --- UPGRADE.txt (revision 426051) +++ UPGRADE.txt (revision 426052) @@ -18,6 +18,18 @@ === =========================================================== +from 1.8.28-cert1 to 1.8.28-cert2: + +* Due to the POODLE vulnerability (see + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566), the + default TLS method for TLS clients will no longer allow SSLv3. As + SSLv2 was already deprecated, it is no longer allowed by default as + well. TLS servers no longer allow SSLv2 or SSLv3 connections. This + affects the chan_sip channel driver, AMI, and the Asterisk HTTP server. + +* The res_jabber resource module no longer uses SSLv3 to connect to an + XMPP server. It will now only use TLSv1 or later methods. + from 1.8.28-cert0 to 1.8.28-cert1 * Added http.conf session_inactivity timer option to close HTTP connections that aren't doing anything. Index: main/tcptls.c =================================================================== --- main/tcptls.c (revision 426051) +++ main/tcptls.c (revision 426052) @@ -736,6 +736,8 @@ cfg->enabled = 0; return 0; #else + int disable_ssl = 0; + if (!cfg->enabled) return 0; @@ -750,22 +752,21 @@ if (client) { #ifndef OPENSSL_NO_SSL2 if (ast_test_flag(&cfg->flags, AST_SSL_SSLV2_CLIENT)) { + ast_log(LOG_WARNING, "Usage of SSLv2 is discouraged due to known vulnerabilities. Please use 'tlsv1' or leave the TLS method unspecified!\n"); cfg->ssl_ctx = SSL_CTX_new(SSLv2_client_method()); } else #endif if (ast_test_flag(&cfg->flags, AST_SSL_SSLV3_CLIENT)) { + ast_log(LOG_WARNING, "Usage of SSLv3 is discouraged due to known vulnerabilities. Please use 'tlsv1' or leave the TLS method unspecified!\n"); cfg->ssl_ctx = SSL_CTX_new(SSLv3_client_method()); } else if (ast_test_flag(&cfg->flags, AST_SSL_TLSV1_CLIENT)) { cfg->ssl_ctx = SSL_CTX_new(TLSv1_client_method()); } else { - /* SSLv23_client_method() sends SSLv2, this was the original - * default for ssl clients before the option was given to - * pick what protocol a client should use. In order not - * to break expected behavior it remains the default. */ + disable_ssl = 1; cfg->ssl_ctx = SSL_CTX_new(SSLv23_client_method()); } } else { - /* SSLv23_server_method() supports TLSv1, SSLv2, and SSLv3 inbound connections. */ + disable_ssl = 1; cfg->ssl_ctx = SSL_CTX_new(SSLv23_server_method()); } @@ -775,6 +776,17 @@ return 0; } + /* Due to the POODLE vulnerability, completely disable + * SSLv2 and SSLv3 if we are not explicitly told to use + * them. SSLv23_*_method supports TLSv1+. + */ + if (disable_ssl) { + long ssl_opts; + + ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; + SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts); + } + SSL_CTX_set_verify(cfg->ssl_ctx, ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE, NULL); Index: res/res_jabber.c =================================================================== --- res/res_jabber.c (revision 426051) +++ res/res_jabber.c (revision 426052) @@ -1287,14 +1287,17 @@ { int ret; int sock; + long ssl_opts; ast_debug(1, "Starting TLS handshake\n"); /* Choose an SSL/TLS protocol version, create SSL_CTX */ - client->ssl_method = SSLv3_method(); + client->ssl_method = SSLv23_method(); if (!(client->ssl_context = SSL_CTX_new((SSL_METHOD *) client->ssl_method))) { return IKS_NET_TLSFAIL; } + ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; + SSL_CTX_set_options(client->ssl_context, ssl_opts); /* Create new SSL session */ if (!(client->ssl_session = SSL_new(client->ssl_context))) { Index: . =================================================================== --- . (revision 426051) +++ . (revision 426052) Property changes on: . ___________________________________________________________________ Modified: branch-1.8-merged ## -1 +1 ## -/branches/1.8:1-415260,415841,416066,419630,420434 \ No newline at end of property +/branches/1.8:1-415260,415841,416066,419630,420434,425985 \ No newline at end of property