[Pkg-voip-commits] [resiprocate] 01/02: Use SSLv23 mode and avoid TLS 1.2 when acting as client.

Daniel Pocock pocock at moszumanska.debian.org
Sat Feb 7 18:47:49 UTC 2015


This is an automated email from the git hooks/post-receive script.

pocock pushed a commit to branch debian-wheezy-backports
in repository resiprocate.

commit c02dcd38a3b28d4ced94e9476b74a8be0000f465
Author: Daniel Pocock <daniel at pocock.pro>
Date:   Tue Dec 9 11:34:36 2014 +0100

    Use SSLv23 mode and avoid TLS 1.2 when acting as client.
---
 debian/patches/0001-use-SSLv23_method.patch    | 50 ++++++++++++++++++++++++++
 debian/patches/0002-client-avoid-TLSv1_2.patch | 16 +++++++++
 debian/patches/series                          |  2 ++
 3 files changed, 68 insertions(+)

diff --git a/debian/patches/0001-use-SSLv23_method.patch b/debian/patches/0001-use-SSLv23_method.patch
new file mode 100644
index 0000000..ce1263b
--- /dev/null
+++ b/debian/patches/0001-use-SSLv23_method.patch
@@ -0,0 +1,50 @@
+diff --git a/repro/ReproRunner.cxx b/repro/ReproRunner.cxx
+index 929392b..a2f09de 100644
+--- a/repro/ReproRunner.cxx
++++ b/repro/ReproRunner.cxx
+@@ -1338,6 +1338,7 @@ ReproRunner::addTransports(bool& allTransportsSpecifyRecordRoute)
+       wsCookieContextFactory.reset(new BasicWsCookieContextFactory(infoCookieName, extraCookieName, macCookieName));
+    }
+ 
++   SecurityTypes::SSLType defaultSSLType = SecurityTypes::SSLv23;
+    try
+    {
+       // Check if advanced transport settings are provided
+@@ -1448,7 +1449,7 @@ ReproRunner::addTransports(bool& allTransportsSpecifyRecordRoute)
+                                  ipAddr,       // interface to bind to
+                                  tlsDomain,
+                                  Data::Empty,  // private key passphrase - not currently used
+-                                 SecurityTypes::TLSv1, // sslType
++                                 defaultSSLType, // sslType
+                                  0,            // transport flags
+                                  tlsCertificate, tlsPrivateKey,
+                                  cvm,          // tls client verification mode
+@@ -1576,8 +1577,8 @@ ReproRunner::addTransports(bool& allTransportsSpecifyRecordRoute)
+          }
+          if (tlsPort)
+          {
+-            if (mUseV4) mSipStack->addTransport(TLS, tlsPort, V4, StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP);
+-            if (mUseV6) mSipStack->addTransport(TLS, tlsPort, V6, StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP);
++            if (mUseV4) mSipStack->addTransport(TLS, tlsPort, V4, StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP);
++            if (mUseV6) mSipStack->addTransport(TLS, tlsPort, V6, StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP);
+          }
+          if (wsPort)
+          {
+@@ -1586,13 +1587,13 @@ ReproRunner::addTransports(bool& allTransportsSpecifyRecordRoute)
+          }
+          if (wssPort)
+          {
+-            if (mUseV4) mSipStack->addTransport(WSS, wssPort, V4, StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP, basicWsConnectionValidator, wsCookieContextFactory);
+-            if (mUseV6) mSipStack->addTransport(WSS, wssPort, V6, StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP, basicWsConnectionValidator, wsCookieContextFactory);
++            if (mUseV4) mSipStack->addTransport(WSS, wssPort, V4, StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP, basicWsConnectionValidator, wsCookieContextFactory);
++            if (mUseV6) mSipStack->addTransport(WSS, wssPort, V6, StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, tlsCertificate, tlsPrivateKey, cvm, useEmailAsSIP, basicWsConnectionValidator, wsCookieContextFactory);
+          }
+          if (dtlsPort)
+          {
+-            if (mUseV4) mSipStack->addTransport(DTLS, dtlsPort, V4, StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, tlsCertificate, tlsPrivateKey);
+-            if (mUseV6) mSipStack->addTransport(DTLS, dtlsPort, V6, StunEnabled, Data::Empty, tlsDomain, Data::Empty, SecurityTypes::TLSv1, 0, tlsCertificate, tlsPrivateKey);
++            if (mUseV4) mSipStack->addTransport(DTLS, dtlsPort, V4, StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, tlsCertificate, tlsPrivateKey);
++            if (mUseV6) mSipStack->addTransport(DTLS, dtlsPort, V6, StunEnabled, Data::Empty, tlsDomain, Data::Empty, defaultSSLType, 0, tlsCertificate, tlsPrivateKey);
+          }
+       }
+    }
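Review bot: The new `defaultSSLType = SecurityTypes::SSLv23` local at the top of the hunk changes every TLS, WSS and DTLS transport's version policy but carries no comment, and the patch does not show that the OpenSSL context created for `SSLv23` also sets `SSL_OP_NO_SSLv2`/`SSL_OP_NO_SSLv3`; without those, the SSLv23 method lets a peer negotiate SSLv3, whereas the previous `SecurityTypes::TLSv1` value did not. The rationale should be recorded on the declaration, e.g. `// SSLv23 lets OpenSSL negotiate the highest version both sides support (TLS 1.1/1.2 instead of being pinned to TLS 1.0); the context must still disable SSLv2/SSLv3.`, and whether the Security layer applies those options should be confirmed since it is outside this hunk. It is also not visible here how `SecurityTypes::SSLv23` is interpreted for the DTLS transports at the end of the hunk, so that path is worth a check. The enclosing `ReproRunner::addTransports` starts and ends outside the hunk.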
diff --git a/debian/patches/0002-client-avoid-TLSv1_2.patch b/debian/patches/0002-client-avoid-TLSv1_2.patch
new file mode 100644
index 0000000..d313425
--- /dev/null
+++ b/debian/patches/0002-client-avoid-TLSv1_2.patch
@@ -0,0 +1,16 @@
+diff --git a/resip/stack/ssl/TlsConnection.cxx b/resip/stack/ssl/TlsConnection.cxx
+index c3537aa..145d089 100644
+--- a/resip/stack/ssl/TlsConnection.cxx
++++ b/resip/stack/ssl/TlsConnection.cxx
+@@ -122,6 +122,11 @@ TlsConnection::TlsConnection( Transport* transport, const Tuple& tuple,
+       }
+       SSL_set_verify(mSsl, verify_mode, 0);
+    }
++   else
++   {
++      // some TLS v1.2 servers have been troublesome
++      SSL_set_options(mSsl, SSL_OP_NO_TLSv1_2);
++   }
+ 
+    mBio = BIO_new_socket((int)fd,0/*close flag*/);
+    assert( mBio );
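Review bot: The added `else` branch calls `SSL_set_options(mSsl, SSL_OP_NO_TLSv1_2)` unconditionally, so every connection that takes this branch (presumably the client side, given the commit title — the condition is outside the hunk) is capped at TLS 1.1, losing the AEAD cipher suites and SHA-2 signatures that only TLS 1.2 offers, and the comment `// some TLS v1.2 servers have been troublesome` does not say which servers or what failed. A permanent, global protocol downgrade for an interoperability problem should be opt-in rather than the default, and the comment should name the failure so the workaround can be removed, e.g. `// Workaround: <PLACEHOLDER: affected server / bug reference> rejects TLS 1.2 handshakes; disable 1.2 for outbound connections until fixed.` This also interacts with the companion 0001 patch, which introduces the SSLv23 default precisely so that higher versions can be negotiated. `TlsConnection::TlsConnection` continues outside the hunk.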
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..123eaf0
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+0001-use-SSLv23_method.patch
+0002-client-avoid-TLSv1_2.patch



