[Pkg-voip-commits] [asterisk] 09/10: AST-2016-001: BEAST vulnerability in HTTP server (CVE-2011-3389)

Bernhard Schmidt berni at moszumanska.debian.org
Sun Oct 23 19:48:53 UTC 2016 

This is an automated email from the git hooks/post-receive script.

berni pushed a commit to branch jessie
in repository asterisk.

commit e2fbe8ded25be65cdc5431f87e7dd31a8476b4c8
Author: Bernhard Schmidt <berni at debian.org>
Date:   Tue Oct 11 11:58:45 2016 +0200

    AST-2016-001: BEAST vulnerability in HTTP server (CVE-2011-3389)
---
 debian/patches/AST-2016-001-11.diff | 142 ++++++++++++++++++++++++++++++++++++
 debian/patches/series               |   1 +
 2 files changed, 143 insertions(+)

diff --git a/debian/patches/AST-2016-001-11.diff b/debian/patches/AST-2016-001-11.diff
new file mode 100644
index 0000000..519e83a
--- /dev/null
+++ b/debian/patches/AST-2016-001-11.diff
@@ -0,0 +1,142 @@
+diff --git a/configs/http.conf.sample b/configs/http.conf.sample
+index 98c672b..f47b8de 100644
+--- a/configs/http.conf.sample
++++ b/configs/http.conf.sample
+@@ -69,10 +69,31 @@ bindaddr=127.0.0.1
+ ; If no path is given for tlscertfile or tlsprivatekey, default is to look in current
+ ; directory. If no tlsprivatekey is given, default is to search tlscertfile for private key.
+ ;
++;
+ ; To produce a certificate you can e.g. use openssl. This places both the cert and
+ ; private in same .pem file.
+ ; openssl req -new -x509 -days 365 -nodes -out /tmp/foo.pem -keyout /tmp/foo.pem
+ ;
++; tlscipher=                             ; The list of allowed ciphers
++;                                        ; if none are specified the following cipher
++;                                        ; list will be used instead:
++; ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:
++; ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:
++; kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:
++; ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:
++; ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:
++; DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:
++; AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:
++; AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:
++; !EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
++;
++; tlsdisablev1=yes                ; Disable TLSv1 support - if not set this defaults to "yes"
++; tlsdisablev11=yes               ; Disable TLSv1.1 support - if not set this defaults to "no"
++; tlsdisablev12=yes               ; Disable TLSv1.2 support - if not set this defaults to "no"
++;
++; tlsservercipherorder=yes        ; Use the server preference order instead of the client order
++;                                 ; Defaults to "yes"
++;
+ ; The post_mappings section maps URLs to real paths on the filesystem.  If a
+ ; POST is done from within an authenticated manager session to one of the
+ ; configured POST mappings, then any files in the POST will be placed in the
+diff --git a/include/asterisk/tcptls.h b/include/asterisk/tcptls.h
+index 3356a92..9110039 100644
+--- a/include/asterisk/tcptls.h
++++ b/include/asterisk/tcptls.h
+@@ -86,7 +86,15 @@ enum ast_ssl_flags {
+ 	/*! Use SSLv3 for outgoing client connections */
+ 	AST_SSL_SSLV3_CLIENT = (1 << 4),
+ 	/*! Use TLSv1 for outgoing client connections */
+-	AST_SSL_TLSV1_CLIENT = (1 << 5)
++	AST_SSL_TLSV1_CLIENT = (1 << 5),
++	/*! Use server cipher order instead of the client order */
++	AST_SSL_SERVER_CIPHER_ORDER = (1 << 6),
++	/*! Disable TLSv1 support */
++	AST_SSL_DISABLE_TLSV1 = (1 << 7),
++	/*! Disable TLSv1.1 support */
++	AST_SSL_DISABLE_TLSV11 = (1 << 8),
++	/*! Disable TLSv1.2 support */
++	AST_SSL_DISABLE_TLSV12 = (1 << 9),
+ };
+ 
+ struct ast_tls_config {
+diff --git a/main/http.c b/main/http.c
+index 533397b..5133dfa 100644
+--- a/main/http.c
++++ b/main/http.c
+@@ -1094,10 +1094,13 @@ static int __ast_http_load(int reload)
+ 	}
+ 	http_tls_cfg.pvtfile = ast_strdup("");
+ 
++	/* Apply modern intermediate settings according to the Mozilla OpSec team as of July 30th, 2015 but disable TLSv1 */
++	ast_set_flag(&http_tls_cfg.flags, AST_SSL_DISABLE_TLSV1 | AST_SSL_SERVER_CIPHER_ORDER);
++
+ 	if (http_tls_cfg.cipher) {
+ 		ast_free(http_tls_cfg.cipher);
+ 	}
+-	http_tls_cfg.cipher = ast_strdup("");
++	http_tls_cfg.cipher = ast_strdup("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE [...]
+ 
+ 	AST_RWLIST_WRLOCK(&uri_redirects);
+ 	while ((redirect = AST_RWLIST_REMOVE_HEAD(&uri_redirects, entry))) {
+@@ -1122,8 +1125,6 @@ static int __ast_http_load(int reload)
+ 				&& strcasecmp(v->name, "tlsdontverifyserver")
+ 				&& strcasecmp(v->name, "tlsclientmethod")
+ 				&& strcasecmp(v->name, "sslclientmethod")
+-				&& strcasecmp(v->name, "tlscipher")
+-				&& strcasecmp(v->name, "sslcipher")
+ 				&& !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
+ 				continue;
+ 			}
+diff --git a/main/tcptls.c b/main/tcptls.c
+index 14e4fcd..de753c1 100644
+--- a/main/tcptls.c
++++ b/main/tcptls.c
+@@ -758,7 +758,8 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
+ 	return 0;
+ #else
+ 	int disable_ssl = 0;
+- 
++	long ssl_opts = 0;
++
+ 	if (!cfg->enabled) {
+ 		return 0;
+ 	}
+@@ -806,11 +807,24 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
+ 	 * them. SSLv23_*_method supports TLSv1+.
+ 	 */
+ 	if (disable_ssl) {
+-		long ssl_opts;
++		ssl_opts |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
++	}
++
++	if (ast_test_flag(&cfg->flags, AST_SSL_SERVER_CIPHER_ORDER)) {
++		ssl_opts |= SSL_OP_CIPHER_SERVER_PREFERENCE;
++	}
+ 
+-		ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+-		SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
++	if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV1)) {
++		ssl_opts |= SSL_OP_NO_TLSv1;
+ 	}
++	if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV11)) {
++		ssl_opts |= SSL_OP_NO_TLSv1_1;
++	}
++	if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV12)) {
++		ssl_opts |= SSL_OP_NO_TLSv1_2;
++	}
++
++	SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
+ 
+ 	SSL_CTX_set_verify(cfg->ssl_ctx,
+ 		ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE,
+@@ -1127,6 +1141,14 @@ int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_
+ 			ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
+ 			ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
+ 		}
++	} else if (!strcasecmp(varname, "tlsservercipherorder")) {
++		ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_SERVER_CIPHER_ORDER);
++	} else if (!strcasecmp(varname, "tlsdisablev1")) {
++		ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV1);
++	} else if (!strcasecmp(varname, "tlsdisablev11")) {
++		ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV11);
++	} else if (!strcasecmp(varname, "tlsdisablev12")) {
++		ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV12);
+ 	} else {
+ 		return -1;
+ 	}
diff --git a/debian/patches/series b/debian/patches/series
index 4123fd4..ae39581 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -40,6 +40,7 @@ AST-2014-017.patch
 AST-2014-018.patch
 AST-2014-019.patch
 AST-2015-003-11.diff
+AST-2016-001-11.diff
 AST-2016-002-11.diff
 AST-2016-003-11.diff
 AST-2016-007.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-voip/asterisk.git

More information about the Pkg-voip-commits mailing list