[Pkg-voip-commits] [asterisk] 09/10: AST-2016-001: BEAST vulnerability in HTTP server (CVE-2011-3389)
Bernhard Schmidt
berni at moszumanska.debian.org
Sun Oct 23 19:48:53 UTC 2016
This is an automated email from the git hooks/post-receive script.
berni pushed a commit to branch jessie
in repository asterisk.
commit e2fbe8ded25be65cdc5431f87e7dd31a8476b4c8
Author: Bernhard Schmidt <berni at debian.org>
Date: Tue Oct 11 11:58:45 2016 +0200
AST-2016-001: BEAST vulnerability in HTTP server (CVE-2011-3389)
---
debian/patches/AST-2016-001-11.diff | 142 ++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 143 insertions(+)
diff --git a/debian/patches/AST-2016-001-11.diff b/debian/patches/AST-2016-001-11.diff
new file mode 100644
index 0000000..519e83a
--- /dev/null
+++ b/debian/patches/AST-2016-001-11.diff
@@ -0,0 +1,142 @@
+diff --git a/configs/http.conf.sample b/configs/http.conf.sample
+index 98c672b..f47b8de 100644
+--- a/configs/http.conf.sample
++++ b/configs/http.conf.sample
+@@ -69,10 +69,31 @@ bindaddr=127.0.0.1
+ ; If no path is given for tlscertfile or tlsprivatekey, default is to look in current
+ ; directory. If no tlsprivatekey is given, default is to search tlscertfile for private key.
+ ;
++;
+ ; To produce a certificate you can e.g. use openssl. This places both the cert and
+ ; private in same .pem file.
+ ; openssl req -new -x509 -days 365 -nodes -out /tmp/foo.pem -keyout /tmp/foo.pem
+ ;
++; tlscipher= ; The list of allowed ciphers
++; ; if none are specified the following cipher
++; ; list will be used instead:
++; ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:
++; ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:
++; kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:
++; ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:
++; ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:
++; DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:
++; AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:
++; AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:
++; !EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
++;
++; tlsdisablev1=yes ; Disable TLSv1 support - if not set this defaults to "yes"
++; tlsdisablev11=yes ; Disable TLSv1.1 support - if not set this defaults to "no"
++; tlsdisablev12=yes ; Disable TLSv1.2 support - if not set this defaults to "no"
++;
++; tlsservercipherorder=yes ; Use the server preference order instead of the client order
++; ; Defaults to "yes"
++;
+ ; The post_mappings section maps URLs to real paths on the filesystem. If a
+ ; POST is done from within an authenticated manager session to one of the
+ ; configured POST mappings, then any files in the POST will be placed in the
+diff --git a/include/asterisk/tcptls.h b/include/asterisk/tcptls.h
+index 3356a92..9110039 100644
+--- a/include/asterisk/tcptls.h
++++ b/include/asterisk/tcptls.h
+@@ -86,7 +86,15 @@ enum ast_ssl_flags {
+ /*! Use SSLv3 for outgoing client connections */
+ AST_SSL_SSLV3_CLIENT = (1 << 4),
+ /*! Use TLSv1 for outgoing client connections */
+- AST_SSL_TLSV1_CLIENT = (1 << 5)
++ AST_SSL_TLSV1_CLIENT = (1 << 5),
++ /*! Use server cipher order instead of the client order */
++ AST_SSL_SERVER_CIPHER_ORDER = (1 << 6),
++ /*! Disable TLSv1 support */
++ AST_SSL_DISABLE_TLSV1 = (1 << 7),
++ /*! Disable TLSv1.1 support */
++ AST_SSL_DISABLE_TLSV11 = (1 << 8),
++ /*! Disable TLSv1.2 support */
++ AST_SSL_DISABLE_TLSV12 = (1 << 9),
+ };
+
+ struct ast_tls_config {
+diff --git a/main/http.c b/main/http.c
+index 533397b..5133dfa 100644
+--- a/main/http.c
++++ b/main/http.c
+@@ -1094,10 +1094,13 @@ static int __ast_http_load(int reload)
+ }
+ http_tls_cfg.pvtfile = ast_strdup("");
+
++ /* Apply modern intermediate settings according to the Mozilla OpSec team as of July 30th, 2015 but disable TLSv1 */
++ ast_set_flag(&http_tls_cfg.flags, AST_SSL_DISABLE_TLSV1 | AST_SSL_SERVER_CIPHER_ORDER);
++
+ if (http_tls_cfg.cipher) {
+ ast_free(http_tls_cfg.cipher);
+ }
+- http_tls_cfg.cipher = ast_strdup("");
++ http_tls_cfg.cipher = ast_strdup("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE [...]
+
+ AST_RWLIST_WRLOCK(&uri_redirects);
+ while ((redirect = AST_RWLIST_REMOVE_HEAD(&uri_redirects, entry))) {
+@@ -1122,8 +1125,6 @@ static int __ast_http_load(int reload)
+ && strcasecmp(v->name, "tlsdontverifyserver")
+ && strcasecmp(v->name, "tlsclientmethod")
+ && strcasecmp(v->name, "sslclientmethod")
+- && strcasecmp(v->name, "tlscipher")
+- && strcasecmp(v->name, "sslcipher")
+ && !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
+ continue;
+ }
+diff --git a/main/tcptls.c b/main/tcptls.c
+index 14e4fcd..de753c1 100644
+--- a/main/tcptls.c
++++ b/main/tcptls.c
+@@ -758,7 +758,8 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
+ return 0;
+ #else
+ int disable_ssl = 0;
+-
++ long ssl_opts = 0;
++
+ if (!cfg->enabled) {
+ return 0;
+ }
+@@ -806,11 +807,24 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
+ * them. SSLv23_*_method supports TLSv1+.
+ */
+ if (disable_ssl) {
+- long ssl_opts;
++ ssl_opts |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
++ }
++
++ if (ast_test_flag(&cfg->flags, AST_SSL_SERVER_CIPHER_ORDER)) {
++ ssl_opts |= SSL_OP_CIPHER_SERVER_PREFERENCE;
++ }
+
+- ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+- SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
++ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV1)) {
++ ssl_opts |= SSL_OP_NO_TLSv1;
+ }
++ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV11)) {
++ ssl_opts |= SSL_OP_NO_TLSv1_1;
++ }
++ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV12)) {
++ ssl_opts |= SSL_OP_NO_TLSv1_2;
++ }
++
++ SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
+
+ SSL_CTX_set_verify(cfg->ssl_ctx,
+ ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE,
+@@ -1127,6 +1141,14 @@ int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_
+ ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
+ ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
+ }
++ } else if (!strcasecmp(varname, "tlsservercipherorder")) {
++ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_SERVER_CIPHER_ORDER);
++ } else if (!strcasecmp(varname, "tlsdisablev1")) {
++ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV1);
++ } else if (!strcasecmp(varname, "tlsdisablev11")) {
++ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV11);
++ } else if (!strcasecmp(varname, "tlsdisablev12")) {
++ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV12);
+ } else {
+ return -1;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 4123fd4..ae39581 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -40,6 +40,7 @@ AST-2014-017.patch
AST-2014-018.patch
AST-2014-019.patch
AST-2015-003-11.diff
+AST-2016-001-11.diff
AST-2016-002-11.diff
AST-2016-003-11.diff
AST-2016-007.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-voip/asterisk.git
More information about the Pkg-voip-commits
mailing list