Module: sip-router Branch: master Commit: 16649609796ec336278b073d86045f72a9dd7886 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=16649609...
Author: Daniel-Constantin Mierla miconda@gmail.com Committer: Daniel-Constantin Mierla miconda@gmail.com Date: Sun Nov 3 13:23:32 2013 +0100
tls: ifdef to use TLSv1.1 only for openssl/libssl v1.0.0+
---
modules/tls/tls_config.c | 9 ++++++++- modules/tls/tls_init.c | 4 ++++ 2 files changed, 12 insertions(+), 1 deletions(-)
diff --git a/modules/tls/tls_config.c b/modules/tls/tls_config.c
index 8742021..4a78e9e 100644
--- a/modules/tls/tls_config.c
+++ b/modules/tls/tls_config.c
@@ -460,10 +460,17 @@ int tls_parse_method(str* method)
 opt = cfg_lookup_token(methods, method);
 if (!opt) return -1;
+#if OPENSSL_VERSION_NUMBER < 0x01000000L
+ if(opt->val == TLS_USE_TLSv1_1) {
+ LM_ERR("tls v1.1 not supported by this libssl version: %ld\n",
+ (long)OPENSSL_VERSION_NUMBER);
+ return -1;
+ }
+#endif
 #if OPENSSL_VERSION_NUMBER < 0x1000105fL
 if(opt->val == TLS_USE_TLSv1_2) {
 LM_ERR("tls v1.2 not supported by this libssl version: %ld\n",
- OPENSSL_VERSION_NUMBER);
+ (long)OPENSSL_VERSION_NUMBER);
 return -1;
 }
 #endif
diff --git a/modules/tls/tls_init.c b/modules/tls/tls_init.c
index 4b55c40..5118f15 100644
--- a/modules/tls/tls_init.c
+++ b/modules/tls/tls_init.c
@@ -341,6 +341,8 @@ int tls_h_init_si(struct socket_info *si)
 */
 static void init_ssl_methods(void)
 {
+ memset(ssl_methods, 0, sizeof(ssl_methods));
+
 #ifndef OPENSSL_NO_SSL2
 ssl_methods[TLS_USE_SSLv2_cli - 1] = SSLv2_client_method();
 ssl_methods[TLS_USE_SSLv2_srv - 1] = SSLv2_server_method();
@@ -359,9 +361,11 @@ static void init_ssl_methods(void)
 ssl_methods[TLS_USE_SSLv23_srv - 1] = SSLv23_server_method();
 ssl_methods[TLS_USE_SSLv23 - 1] = SSLv23_method();
+#if OPENSSL_VERSION_NUMBER >= 0x01000000L
 ssl_methods[TLS_USE_TLSv1_1_cli - 1] = TLSv1_1_client_method();
 ssl_methods[TLS_USE_TLSv1_1_srv - 1] = TLSv1_1_server_method();
 ssl_methods[TLS_USE_TLSv1_1 - 1] = TLSv1_1_method();
+#endif
 #if OPENSSL_VERSION_NUMBER >= 0x1000105fL
 ssl_methods[TLS_USE_TLSv1_2_cli - 1] = TLSv1_2_client_method();
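Review bot: The version test that fills the TLSv1.1 slots here is a second, hand-copied instance of the literal used in tls_parse_method() (modules/tls/tls_config.c, first hunk), and nothing ties the two together. With the memset added at the top of init_ssl_methods(), a slot for a protocol version the library lacks is now NULL, so if the two tests ever disagree a method can be accepted at parse time with no SSL_METHOD behind it; whether the code that later reads ssl_methods[] checks for NULL is not visible in this diff. I would state the contract next to this guard, e.g. `/* slots stay NULL when libssl lacks the protocol; tls_parse_method() must reject the same versions */`, and consider moving each threshold into one macro in a header shared by both files. init_ssl_methods() continues past the end of this hunk.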
Hi,
According to http://www.openssl.org/news/changelog.html, initial TLSv1.1 support was introduced in the first release of openssl v1.0.1; initial v1.2 support was added at the same time.
I'm using CentOS 6.4 with openssl-devel 1.0.0-27 (which has version 0x10000003L) and the tls module does not compile (without warnings) and fails to run due to undefined v1.1 methods.
Was there a reason for selecting the 05 release of v1.0.1 (i.e. v1.0.1e) for TLSv1.2 support? As far as I can see the TLSv1_2_method() is available from the first release? Maybe a required bugfix?
Hugh
On 03/11/2013 12:26, Daniel-Constantin Mierla wrote:
Module: sip-router Branch: master Commit: 16649609796ec336278b073d86045f72a9dd7886 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=16649609...
Author: Daniel-Constantin Mierla miconda@gmail.com Committer: Daniel-Constantin Mierla miconda@gmail.com Date: Sun Nov 3 13:23:32 2013 +0100
tls: ifdef to use TLSv1.1 only for openssl/libssl v1.0.0+
modules/tls/tls_config.c | 9 ++++++++- modules/tls/tls_init.c | 4 ++++ 2 files changed, 12 insertions(+), 1 deletions(-)
diff --git a/modules/tls/tls_config.c b/modules/tls/tls_config.c index 8742021..4a78e9e 100644 --- a/modules/tls/tls_config.c +++ b/modules/tls/tls_config.c @@ -460,10 +460,17 @@ int tls_parse_method(str* method) opt = cfg_lookup_token(methods, method); if (!opt) return -1;
+#if OPENSSL_VERSION_NUMBER < 0x01000000L
- if(opt->val == TLS_USE_TLSv1_1) {
LM_ERR("tls v1.1 not supported by this libssl version: %ld\n",
(long)OPENSSL_VERSION_NUMBER);
return -1;
- }
+#endif #if OPENSSL_VERSION_NUMBER < 0x1000105fL if(opt->val == TLS_USE_TLSv1_2) { LM_ERR("tls v1.2 not supported by this libssl version: %ld\n",
OPENSSL_VERSION_NUMBER);
return -1; } #endif(long)OPENSSL_VERSION_NUMBER);
diff --git a/modules/tls/tls_init.c b/modules/tls/tls_init.c index 4b55c40..5118f15 100644 --- a/modules/tls/tls_init.c +++ b/modules/tls/tls_init.c @@ -341,6 +341,8 @@ int tls_h_init_si(struct socket_info *si) */ static void init_ssl_methods(void) {
- memset(ssl_methods, 0, sizeof(ssl_methods));
- #ifndef OPENSSL_NO_SSL2 ssl_methods[TLS_USE_SSLv2_cli - 1] = SSLv2_client_method(); ssl_methods[TLS_USE_SSLv2_srv - 1] = SSLv2_server_method();
@@ -359,9 +361,11 @@ static void init_ssl_methods(void) ssl_methods[TLS_USE_SSLv23_srv - 1] = SSLv23_server_method(); ssl_methods[TLS_USE_SSLv23 - 1] = SSLv23_method();
+#if OPENSSL_VERSION_NUMBER >= 0x01000000L ssl_methods[TLS_USE_TLSv1_1_cli - 1] = TLSv1_1_client_method(); ssl_methods[TLS_USE_TLSv1_1_srv - 1] = TLSv1_1_server_method(); ssl_methods[TLS_USE_TLSv1_1 - 1] = TLSv1_1_method(); +#endif
#if OPENSSL_VERSION_NUMBER >= 0x1000105fL ssl_methods[TLS_USE_TLSv1_2_cli - 1] = TLSv1_2_client_method();