mirror of
https://github.com/asterisk/asterisk.git
synced 2026-07-02 04:53:32 -07:00
res_rtp_asterisk: Enable Forward Secrecy (PFS) for DTLS.
Since July 2014, TLS based protocols (SIP over TLS, Secure WebSockets, HTTPS) support PFS thanks to ASTERISK-23905. In July 2015, the same feature was added for DTLS. The source code from main/tcptls.c should have been re-used to ease security audits. Therefore, this change rolls back the change from July 2015 and re-uses the code from July 2014. This has the additional benefits to work under CentOS 7 and enabling not just ECDHE but DHE based cipher suites as well. ASTERISK-25659 #close Reported by: StefanEng86, urbaniak, pay123 Tested by: sarumjanuch, traud patches: res_rtp_asterisk.patch submitted by sarumjanuch dtls_centos_step_1.patch submitted by traud dtls_centos_step_2.patch submitted by traud Change-Id: I537cadf4421f092a613146b230f2c0ee1be28d5c
This commit is contained in:
@@ -8,6 +8,28 @@
|
||||
===
|
||||
==============================================================================
|
||||
|
||||
------------------------------------------------------------------------------
|
||||
--- Functionality changes since Asterisk 11.24 -------------------------------
|
||||
------------------------------------------------------------------------------
|
||||
|
||||
res_rtp_asterisk
|
||||
------------------
|
||||
* The DTLS part in Asterisk now supports Perfect Forward Secrecy (PFS).
|
||||
Enabling PFS is attempted by default, and is dependent on the configuration
|
||||
of the module using TLS.
|
||||
- Ephemeral ECDH (ECDHE) is enabled by default. To disable it, do not
|
||||
specify a ECDHE cipher suite in sip.conf, for example:
|
||||
dtlscipher=AES128-SHA
|
||||
- Ephemeral DH (DHE) is disabled by default. To enable it, add DH parameters
|
||||
into the private key file, e.g., sip.conf dtlsprivatekey. For example:
|
||||
openssl dhparam -out ./dh.pem 2048
|
||||
- Because clients expect the server to prefer PFS, and because OpenSSL sorts
|
||||
its cipher suites by bit strength, see "openssl ciphers -v DEFAULT".
|
||||
Consider re-ordering your cipher suites in the respective configuration
|
||||
file. For example:
|
||||
dtlscipher=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
|
||||
which forces PFS and requires at least DTLS 1.2.
|
||||
|
||||
------------------------------------------------------------------------------
|
||||
--- Functionality changes since Asterisk 11.21 -------------------------------
|
||||
------------------------------------------------------------------------------
|
||||
|
||||
@@ -1056,10 +1056,6 @@ PBX_DAHDI
|
||||
DAHDI_DIR
|
||||
DAHDI_INCLUDE
|
||||
DAHDI_LIB
|
||||
PBX_OPENSSL_ECDH_AUTO
|
||||
OPENSSL_ECDH_AUTO_DIR
|
||||
OPENSSL_ECDH_AUTO_INCLUDE
|
||||
OPENSSL_ECDH_AUTO_LIB
|
||||
PBX_OPENSSL_SRTP
|
||||
OPENSSL_SRTP_DIR
|
||||
OPENSSL_SRTP_INCLUDE
|
||||
@@ -8527,18 +8523,6 @@ PBX_OPENSSL_SRTP=0
|
||||
|
||||
|
||||
|
||||
OPENSSL_ECDH_AUTO_DESCRIP="OpenSSL Auto ECDH Support"
|
||||
OPENSSL_ECDH_AUTO_OPTION=crypto
|
||||
OPENSSL_ECDH_AUTO_DIR=${CRYPTO_DIR}
|
||||
|
||||
PBX_OPENSSL_ECDH_AUTO=0
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
DAHDI_DESCRIP="DAHDI"
|
||||
DAHDI_OPTION="dahdi"
|
||||
PBX_DAHDI=0
|
||||
@@ -28475,53 +28459,6 @@ _ACEOF
|
||||
fi
|
||||
|
||||
|
||||
fi
|
||||
|
||||
if test "$PBX_OPENSSL" = "1";
|
||||
then
|
||||
|
||||
if test "x${PBX_OPENSSL_ECDH_AUTO}" != "x1" -a "${USE_OPENSSL_ECDH_AUTO}" != "no"; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_ecdh_auto declared in openssl/ssl.h" >&5
|
||||
$as_echo_n "checking for SSL_CTX_set_ecdh_auto declared in openssl/ssl.h... " >&6; }
|
||||
saved_cppflags="${CPPFLAGS}"
|
||||
if test "x${OPENSSL_ECDH_AUTO_DIR}" != "x"; then
|
||||
OPENSSL_ECDH_AUTO_INCLUDE="-I${OPENSSL_ECDH_AUTO_DIR}/include"
|
||||
fi
|
||||
CPPFLAGS="${CPPFLAGS} ${OPENSSL_ECDH_AUTO_INCLUDE}"
|
||||
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
#include <openssl/ssl.h>
|
||||
int
|
||||
main ()
|
||||
{
|
||||
#if !defined(SSL_CTX_set_ecdh_auto)
|
||||
(void) SSL_CTX_set_ecdh_auto;
|
||||
#endif
|
||||
|
||||
;
|
||||
return 0;
|
||||
}
|
||||
_ACEOF
|
||||
if ac_fn_c_try_compile "$LINENO"; then :
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
|
||||
$as_echo "yes" >&6; }
|
||||
PBX_OPENSSL_ECDH_AUTO=1
|
||||
|
||||
$as_echo "#define HAVE_OPENSSL_ECDH_AUTO 1" >>confdefs.h
|
||||
|
||||
|
||||
|
||||
else
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
|
||||
$as_echo "no" >&6; }
|
||||
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
|
||||
|
||||
CPPFLAGS="${saved_cppflags}"
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
if test "$PBX_OPENSSL" = "1";
|
||||
|
||||
@@ -392,7 +392,6 @@ AST_EXT_LIB_SETUP_OPTIONAL([COROSYNC_CFG_STATE_TRACK], [A callback only in coros
|
||||
AST_EXT_LIB_SETUP([CURSES], [curses], [curses])
|
||||
AST_EXT_LIB_SETUP([CRYPTO], [OpenSSL Cryptography], [crypto])
|
||||
AST_EXT_LIB_SETUP_OPTIONAL([OPENSSL_SRTP], [OpenSSL SRTP Extension Support], [CRYPTO], [crypto])
|
||||
AST_EXT_LIB_SETUP_OPTIONAL([OPENSSL_ECDH_AUTO], [OpenSSL Auto ECDH Support], [CRYPTO], [crypto])
|
||||
AST_EXT_LIB_SETUP([DAHDI], [DAHDI], [dahdi])
|
||||
AST_EXT_LIB_SETUP([FFMPEG], [Ffmpeg and avcodec], [avcodec])
|
||||
AST_EXT_LIB_SETUP([GSM], [External GSM], [gsm], [, use 'internal' GSM otherwise])
|
||||
@@ -2229,11 +2228,6 @@ then
|
||||
AST_EXT_LIB_CHECK([OPENSSL_SRTP], [ssl], [SSL_CTX_set_tlsext_use_srtp], [openssl/ssl.h], [-lcrypto])
|
||||
fi
|
||||
|
||||
if test "$PBX_OPENSSL" = "1";
|
||||
then
|
||||
AST_C_DECLARE_CHECK([OPENSSL_ECDH_AUTO], [SSL_CTX_set_ecdh_auto], [openssl/ssl.h])
|
||||
fi
|
||||
|
||||
if test "$PBX_OPENSSL" = "1";
|
||||
then
|
||||
AST_C_DEFINE_CHECK([SSL_OP_NO_TLSV1_1], [SSL_OP_NO_TLSv1_1], [openssl/ssl.h])
|
||||
|
||||
@@ -530,9 +530,6 @@
|
||||
/* Define to 1 if you have the OpenSSL Secure Sockets Layer library. */
|
||||
#undef HAVE_OPENSSL
|
||||
|
||||
/* Define if your system has SSL_CTX_set_ecdh_auto declared. */
|
||||
#undef HAVE_OPENSSL_ECDH_AUTO
|
||||
|
||||
/* Define to 1 if CRYPTO has the OpenSSL SRTP Extension Support feature. */
|
||||
#undef HAVE_OPENSSL_SRTP
|
||||
|
||||
|
||||
+33
-7
@@ -1285,7 +1285,7 @@ static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, con
|
||||
{
|
||||
struct ast_rtp *rtp = ast_rtp_instance_get_data(instance);
|
||||
int res;
|
||||
#ifndef HAVE_OPENSSL_ECDH_AUTO
|
||||
#ifdef HAVE_OPENSSL_EC
|
||||
EC_KEY *ecdh;
|
||||
#endif
|
||||
|
||||
@@ -1309,15 +1309,41 @@ static int ast_rtp_dtls_set_configuration(struct ast_rtp_instance *instance, con
|
||||
|
||||
SSL_CTX_set_read_ahead(rtp->ssl_ctx, 1);
|
||||
|
||||
#ifdef HAVE_OPENSSL_ECDH_AUTO
|
||||
SSL_CTX_set_ecdh_auto(rtp->ssl_ctx, 1);
|
||||
#else
|
||||
#ifdef HAVE_OPENSSL_EC
|
||||
|
||||
if (!ast_strlen_zero(dtls_cfg->pvtfile)) {
|
||||
BIO *bio = BIO_new_file(dtls_cfg->pvtfile, "r");
|
||||
if (bio != NULL) {
|
||||
DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
|
||||
if (dh != NULL) {
|
||||
if (SSL_CTX_set_tmp_dh(rtp->ssl_ctx, dh)) {
|
||||
long options = SSL_OP_CIPHER_SERVER_PREFERENCE |
|
||||
SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE;
|
||||
options = SSL_CTX_set_options(rtp->ssl_ctx, options);
|
||||
ast_verb(2, "DTLS DH initialized, PFS enabled\n");
|
||||
}
|
||||
DH_free(dh);
|
||||
}
|
||||
BIO_free(bio);
|
||||
}
|
||||
}
|
||||
/* enables AES-128 ciphers, to get AES-256 use NID_secp384r1 */
|
||||
ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
|
||||
if (ecdh) {
|
||||
SSL_CTX_set_tmp_ecdh(rtp->ssl_ctx, ecdh);
|
||||
if (ecdh != NULL) {
|
||||
if (SSL_CTX_set_tmp_ecdh(rtp->ssl_ctx, ecdh)) {
|
||||
#ifndef SSL_CTRL_SET_ECDH_AUTO
|
||||
#define SSL_CTRL_SET_ECDH_AUTO 94
|
||||
#endif
|
||||
/* SSL_CTX_set_ecdh_auto(rtp->ssl_ctx, on); requires OpenSSL 1.0.2 which wraps: */
|
||||
if (SSL_CTX_ctrl(rtp->ssl_ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)) {
|
||||
ast_verb(2, "DTLS ECDH initialized (automatic), faster PFS enabled\n");
|
||||
} else {
|
||||
ast_verb(2, "DTLS ECDH initialized (secp256r1), faster PFS enabled\n");
|
||||
}
|
||||
EC_KEY_free(ecdh);
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif /* #ifdef HAVE_OPENSSL_EC */
|
||||
|
||||
rtp->dtls_verify = dtls_cfg->verify;
|
||||
|
||||
|
||||
Reference in New Issue
Block a user