kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-10-15 00:41:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

AST-2014-011: Fix POODLE security issues

Browse Source 
There are two aspects to the vulnerability:
(1) res_jabber/res_xmpp use SSLv3 only. This patch updates the module to use
    TLSv1+. At this time, it does not refactor res_jabber/res_xmpp to use the
    TCP/TLS core, which should be done as an improvement at a latter date.
(2) The TCP/TLS core, when tlsclientmethod/sslclientmethod is left unspecified,
    will default to the OpenSSL SSLv23_method. This method allows for all
    ecnryption methods, including SSLv2/SSLv3. A MITM can exploit this by
    forcing a fallback to SSLv3, which leaves the server vulnerable to POODLE.
    This patch adds WARNINGS if a user uses SSLv2/SSLv3 in their configuration,
    and explicitly disables SSLv2/SSLv3 if using SSLv23_method.

For TLS clients, Asterisk will default to TLSv1+ and WARN if SSLv2 or SSLv3 is
explicitly chosen. For TLS servers, Asterisk will no longer support SSLv2 or
SSLv3.

Much thanks to abelbeck for reporting the vulnerability and providing a patch
for the res_jabber/res_xmpp modules.

Review: https://reviewboard.asterisk.org/r/4096/

ASTERISK-24425 #close
Reported by: abelbeck
Tested by: abelbeck, opsmonitor, gtjoseph
patches:
  asterisk-1.8-jabber-tls.patch uploaded by abelbeck (License 5903)
  asterisk-11-jabber-xmpp-tls.patch uploaded by abelbeck (License 5903)
  AST-2014-011-1.8.diff uploaded by mjordan (License 6283)
  AST-2014-011-11.diff uploaded by mjordan (License 6283)
........

Merged revisions 425987 from http://svn.asterisk.org/svn/asterisk/branches/12
........

Merged revisions 425991 from http://svn.asterisk.org/svn/asterisk/branches/13


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@426003 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This commit is contained in:
Matthew Jordan
2014-10-20 14:20:15 +00:00
parent 5e10e369b1
commit dad0334cf1
2 changed files with 22 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
res/res_xmpp.c
View File

@@ -2637,6 +2637,7 @@ static int xmpp_client_requested_tls(struct ast_xmpp_client *client, struct ast_
{
#ifdef HAVE_OPENSSL
int sock;
long ssl_opts;
#endif
if (!strcmp(iks_name(node), "success")) {
@@ -2655,11 +2656,14 @@ static int xmpp_client_requested_tls(struct ast_xmpp_client *client, struct ast_
ast_log(LOG_ERROR, "Somehow we managed to try to start TLS negotiation on client '%s' without OpenSSL support, disconnecting\n", client->name);
return -1;
#else
client->ssl_method = SSLv3_method();
client->ssl_method = SSLv23_method();
if (!(client->ssl_context = SSL_CTX_new((SSL_METHOD *) client->ssl_method))) {
goto failure;
}
ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
SSL_CTX_set_options(client->ssl_context, ssl_opts);
if (!(client->ssl_session = SSL_new(client->ssl_context))) {
goto failure;
}