ChangeLog: Updated for 11.21.2

The SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 defines did not exist prior
to OpenSSL version 1.0.1. A recent commit attempts to, by default, set
these options, which can cause problems on systems with older OpenSSL
installations.

This commit adds a configure script check for those defines and will not
attempt to make use of those if they do not exist. We will print a
warning urging the user to upgrade their OpenSSL installation if those
defines are not present.

Change-Id: I6a2eb9a43fd0738b404d8f6f2cf4b5c22d9d752d
(cherry picked from commit f906843818)

.lastclean

@@ -0,0 +1 @@
+40

.version

@@ -0,0 +1 @@
+11.21.2

asterisk-11.21.2-summary.html

@@ -0,0 +1,19 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><title>Release Summary - asterisk-11.21.2</title><h1 align="center"><a name="top">Release Summary</a></h1><h3 align="center">asterisk-11.21.2</h3><h3 align="center">Date: 2016-02-10</h3><h3 align="center">&lt;asteriskteam@digium.com&gt;</h3><hr><h2 align="center">Table of Contents</h2><ol>
+<li><a href="#summary">Summary</a></li>
+<li><a href="#contributors">Contributors</a></li>
+<li><a href="#commits">Other Changes</a></li>
+<li><a href="#diffstat">Diffstat</a></li>
+</ol><hr><a name="summary"><h2 align="center">Summary</h2></a><center><a href="#top">[Back to Top]</a></center><p>This release is a point release of an existing major version. The changes included were made to address problems that have been identified in this release series, or are minor, backwards compatible new features or improvements. Users should be able to safely upgrade to this version if this release series is already in use. Users considering upgrading from a previous version are strongly encouraged to review the UPGRADE.txt document as well as the CHANGES document for information about upgrading to this release series.</p><p>The data in this summary reflects changes that have been made since the previous release, asterisk-11.21.1.</p><hr><a name="contributors"><h2 align="center">Contributors</h2></a><center><a href="#top">[Back to Top]</a></center><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release. For coders, the number is how many of their patches (of any size) were committed into this release. For testers, the number is the number of times their name was listed as assisting with testing a patch. Finally, for reporters, the number is the number of issues that they reported that were affected by commits that went into this release.</p><table width="100%" border="0">
+<tr><th width="33%">Coders</th><th width="33%">Testers</th><th width="33%">Reporters</th></tr>
+<tr valign="top"><td width="33%">2 Kevin Harwell <kharwell@lunkwill><br/>1 Kevin Harwell <kharwell@lunkwill.digium.internal><br/>1 Mark Michelson <mmichelson@digium.com><br/></td><td width="33%"><td width="33%"></tr>
+</table><hr><a name="commits"><h2 align="center">Commits Not Associated with an Issue</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all changes that went into this release that did not reference a JIRA issue.</p><table width="100%" border="1">
+<tr><th>Revision</th><th>Author</th><th>Summary</th></tr>
+<tr><td><a href="https://code.asterisk.org/code/changelog/asterisk?cs=886911ec5c6f794ab8378cd4d723cf7be7244bdd">886911ec5c</a></td><td>Kevin Harwell</td><td>Release summaries: Remove previous versions</td></tr>
+<tr><td><a href="https://code.asterisk.org/code/changelog/asterisk?cs=f594015df0edcddb49fc2faf2e8de2a9a6c4d2fe">f594015df0</a></td><td>Kevin Harwell</td><td>.version: Update for 11.21.2</td></tr>
+<tr><td><a href="https://code.asterisk.org/code/changelog/asterisk?cs=1524003a459f1e85a6c2476d949b4e7518ecbfdf">1524003a45</a></td><td>Kevin Harwell</td><td>.lastclean: Update for 11.21.2</td></tr>
+<tr><td><a href="https://code.asterisk.org/code/changelog/asterisk?cs=e4138cca63bc586d5fc9bc90b00a03c3a9e7bb38">e4138cca63</a></td><td>Mark Michelson</td><td>Check for OpenSSL defines before trying to use them.</td></tr>
+</table><hr><a name="diffstat"><h2 align="center">Diffstat Results</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p><pre>asterisk-11.21.1-summary.html |   35 ---------
+asterisk-11.21.1-summary.txt  |  152 ------------------------------------------
+b/.version                    |    2
+b/configure                   |   98 +++++++++++++++++++++++++++
+4 files changed, 99 insertions(+), 188 deletions(-)</pre><br></html>

asterisk-11.21.2-summary.txt

@@ -0,0 +1,92 @@
+                                Release Summary
+
+                                asterisk-11.21.2
+
+                                Date: 2016-02-10
+
+                           <asteriskteam@digium.com>
+
+     ----------------------------------------------------------------------
+
+                               Table of Contents
+
+    1. Summary
+    2. Contributors
+    3. Other Changes
+    4. Diffstat
+
+     ----------------------------------------------------------------------
+
+                                    Summary
+
+                                 [Back to Top]
+
+   This release is a point release of an existing major version. The changes
+   included were made to address problems that have been identified in this
+   release series, or are minor, backwards compatible new features or
+   improvements. Users should be able to safely upgrade to this version if
+   this release series is already in use. Users considering upgrading from a
+   previous version are strongly encouraged to review the UPGRADE.txt
+   document as well as the CHANGES document for information about upgrading
+   to this release series.
+
+   The data in this summary reflects changes that have been made since the
+   previous release, asterisk-11.21.1.
+
+     ----------------------------------------------------------------------
+
+                                  Contributors
+
+                                 [Back to Top]
+
+   This table lists the people who have submitted code, those that have
+   tested patches, as well as those that reported issues on the issue tracker
+   that were resolved in this release. For coders, the number is how many of
+   their patches (of any size) were committed into this release. For testers,
+   the number is the number of times their name was listed as assisting with
+   testing a patch. Finally, for reporters, the number is the number of
+   issues that they reported that were affected by commits that went into
+   this release.
+
+   Coders                   Testers                  Reporters                
+   2 Kevin Harwell          
+   1 Kevin Harwell          
+   1 Mark Michelson         
+
+     ----------------------------------------------------------------------
+
+                      Commits Not Associated with an Issue
+
+                                 [Back to Top]
+
+   This is a list of all changes that went into this release that did not
+   reference a JIRA issue.
+
+   +------------------------------------------------------------------------+
+   | Revision   | Author         | Summary                                  |
+   |------------+----------------+------------------------------------------|
+   | 886911ec5c | Kevin Harwell  | Release summaries: Remove previous       |
+   |            |                | versions                                 |
+   |------------+----------------+------------------------------------------|
+   | f594015df0 | Kevin Harwell  | .version: Update for 11.21.2             |
+   |------------+----------------+------------------------------------------|
+   | 1524003a45 | Kevin Harwell  | .lastclean: Update for 11.21.2           |
+   |------------+----------------+------------------------------------------|
+   | e4138cca63 | Mark Michelson | Check for OpenSSL defines before trying  |
+   |            |                | to use them.                             |
+   +------------------------------------------------------------------------+
+
+     ----------------------------------------------------------------------
+
+                                Diffstat Results
+
+                                 [Back to Top]
+
+   This is a summary of the changes to the source code that went into this
+   release that was generated using the diffstat utility.
+
+ asterisk-11.21.1-summary.html |   35 ---------
+ asterisk-11.21.1-summary.txt  |  152 ------------------------------------------
+ b/.version                    |    2
+ b/configure                   |   98 +++++++++++++++++++++++++++
+ 4 files changed, 99 insertions(+), 188 deletions(-)

channels/chan_sip.c

@@ -3980,6 +3980,13 @@ static int retrans_pkt(const void *data)
 			}
 
 			/* For non-invites, a maximum of 4 secs */
+			if (INT_MAX / pkt->timer_a < pkt->timer_t1) {
+				/*
+				 * Uh Oh, we will have an integer overflow.
+				 * Recalculate previous timeout time instead.
+				 */
+				pkt->timer_a = pkt->timer_a / 2;
+			}
 			siptimer_a = pkt->timer_t1 * pkt->timer_a;	/* Double each time */
 			if (pkt->method != SIP_INVITE && siptimer_a > 4000) {
 				siptimer_a = 4000;

configs/http.conf.sample

@@ -69,10 +69,31 @@ bindaddr=127.0.0.1
 ; If no path is given for tlscertfile or tlsprivatekey, default is to look in current
 ; directory. If no tlsprivatekey is given, default is to search tlscertfile for private key.
 ;
+;
 ; To produce a certificate you can e.g. use openssl. This places both the cert and
 ; private in same .pem file.
 ; openssl req -new -x509 -days 365 -nodes -out /tmp/foo.pem -keyout /tmp/foo.pem
 ;
+; tlscipher=                             ; The list of allowed ciphers
+;                                        ; if none are specified the following cipher
+;                                        ; list will be used instead:
+; ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:
+; ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:
+; kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:
+; ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:
+; ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:
+; DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:
+; AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:
+; AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:
+; !EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+;
+; tlsdisablev1=yes                ; Disable TLSv1 support - if not set this defaults to "yes"
+; tlsdisablev11=yes               ; Disable TLSv1.1 support - if not set this defaults to "no"
+; tlsdisablev12=yes               ; Disable TLSv1.2 support - if not set this defaults to "no"
+;
+; tlsservercipherorder=yes        ; Use the server preference order instead of the client order
+;                                 ; Defaults to "yes"
+;
 ; The post_mappings section maps URLs to real paths on the filesystem.  If a
 ; POST is done from within an authenticated manager session to one of the
 ; configured POST mappings, then any files in the POST will be placed in the

configure

@@ -652,6 +652,8 @@ PBX_IXJUSER
 PBX_H323
 GMIME_LIBS
 GMIME_CFLAGS
+PBX_SSL_OP_NO_TLSV1_2
+PBX_SSL_OP_NO_TLSV1_1
 OPENH323_BUILD
 OPENH323_SUFFIX
 OPENH323_LIBDIR
@@ -28390,6 +28392,102 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
 fi
 
+if test "$PBX_OPENSSL" = "1";
+then
+
+    if test "x${PBX_SSL_OP_NO_TLSV1_1}" != "x1"; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_OP_NO_TLSv1_1 in openssl/ssl.h" >&5
+$as_echo_n "checking for SSL_OP_NO_TLSv1_1 in openssl/ssl.h... " >&6; }
+	saved_cppflags="${CPPFLAGS}"
+	if test "x${SSL_OP_NO_TLSV1_1_DIR}" != "x"; then
+	    SSL_OP_NO_TLSV1_1_INCLUDE="-I${SSL_OP_NO_TLSV1_1_DIR}/include"
+	fi
+	CPPFLAGS="${CPPFLAGS} ${SSL_OP_NO_TLSV1_1_INCLUDE}"
+
+	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+ #include <openssl/ssl.h>
+int
+main ()
+{
+#if defined(SSL_OP_NO_TLSv1_1)
+				int foo = 0;
+			        #else
+			        int foo = bar;
+			        #endif
+				0
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+     { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+		PBX_SSL_OP_NO_TLSV1_1=1
+
+$as_echo "#define HAVE_SSL_OP_NO_TLSV1_1 1" >>confdefs.h
+
+
+
+else
+     { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+	CPPFLAGS="${saved_cppflags}"
+    fi
+
+
+
+    if test "x${PBX_SSL_OP_NO_TLSV1_2}" != "x1"; then
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_OP_NO_TLSv1_2 in openssl/ssl.h" >&5
+$as_echo_n "checking for SSL_OP_NO_TLSv1_2 in openssl/ssl.h... " >&6; }
+	saved_cppflags="${CPPFLAGS}"
+	if test "x${SSL_OP_NO_TLSV1_2_DIR}" != "x"; then
+	    SSL_OP_NO_TLSV1_2_INCLUDE="-I${SSL_OP_NO_TLSV1_2_DIR}/include"
+	fi
+	CPPFLAGS="${CPPFLAGS} ${SSL_OP_NO_TLSV1_2_INCLUDE}"
+
+	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+ #include <openssl/ssl.h>
+int
+main ()
+{
+#if defined(SSL_OP_NO_TLSv1_2)
+				int foo = 0;
+			        #else
+			        int foo = bar;
+			        #endif
+				0
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+     { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+		PBX_SSL_OP_NO_TLSV1_2=1
+
+$as_echo "#define HAVE_SSL_OP_NO_TLSV1_2 1" >>confdefs.h
+
+
+
+else
+     { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+	CPPFLAGS="${saved_cppflags}"
+    fi
+
+
+fi
+
 
 if test "x${PBX_SRTP}" != "x1" -a "${USE_SRTP}" != "no"; then
    pbxlibdir=""

configure.ac

@@ -2170,6 +2170,12 @@ then
         AST_C_DECLARE_CHECK([OPENSSL_ECDH_AUTO], [SSL_CTX_set_ecdh_auto], [openssl/ssl.h])
 fi
 
+if test "$PBX_OPENSSL" = "1";
+then
+        AST_C_DEFINE_CHECK([SSL_OP_NO_TLSV1_1], [SSL_OP_NO_TLSv1_1], [openssl/ssl.h])
+        AST_C_DEFINE_CHECK([SSL_OP_NO_TLSV1_2], [SSL_OP_NO_TLSv1_2], [openssl/ssl.h])
+fi
+
 AST_EXT_LIB_CHECK([SRTP], [srtp], [srtp_init], [srtp/srtp.h])
 
 if test "$PBX_SRTP" = "1";

include/asterisk/autoconfig.h.in

@@ -778,6 +778,12 @@
 /* Define to 1 if you have the ISDN SS7 library. */
 #undef HAVE_SS7
 
+/* Define if your system has the SSL_OP_NO_TLSV1_1 headers. */
+#undef HAVE_SSL_OP_NO_TLSV1_1
+
+/* Define if your system has the SSL_OP_NO_TLSV1_2 headers. */
+#undef HAVE_SSL_OP_NO_TLSV1_2
+
 /* Define to 1 if `stat' has the bug that it succeeds when given the
    zero-length file name argument. */
 #undef HAVE_STAT_EMPTY_STRING_BUG

include/asterisk/event_defs.h

@@ -60,8 +60,10 @@ enum ast_event_type {
 	AST_EVENT_ACL_CHANGE          = 0x0b,
 	/*! Send out a ping for debugging distributed events */
 	AST_EVENT_PING                = 0x0c,
+	/*! Used to alert listeners when a hint has changed. */
+	AST_EVENT_HINT_CHANGE         = 0x0d,
 	/*! Number of event types.  This should be the last event type + 1 */
-	AST_EVENT_TOTAL               = 0x0d,
+	AST_EVENT_TOTAL               = 0x0e,
 };
 
 /*! \brief Event Information Element types */
@@ -304,8 +306,16 @@ enum ast_event_ie_type {
 	 * Payload type: UINT
 	 */
 	AST_EVENT_IE_CACHABLE            = 0x003d,
+
+	/*!
+	 * \brief Event hint change payload
+	 * Used by: AST_EVENT_HINT_CHANGE
+	 * Payload type: RAW
+	 */
+	AST_EVENT_IE_HINT_CHANGE_PAYLOAD = 0x003e,
+
 	/*! \brief Must be the last IE value +1 */
-	AST_EVENT_IE_TOTAL               = 0x003e,
+	AST_EVENT_IE_TOTAL               = 0x003f,
 };
 
 /*!

include/asterisk/tcptls.h

@@ -86,7 +86,15 @@ enum ast_ssl_flags {
 	/*! Use SSLv3 for outgoing client connections */
 	AST_SSL_SSLV3_CLIENT = (1 << 4),
 	/*! Use TLSv1 for outgoing client connections */
-	AST_SSL_TLSV1_CLIENT = (1 << 5)
+	AST_SSL_TLSV1_CLIENT = (1 << 5),
+	/*! Use server cipher order instead of the client order */
+	AST_SSL_SERVER_CIPHER_ORDER = (1 << 6),
+	/*! Disable TLSv1 support */
+	AST_SSL_DISABLE_TLSV1 = (1 << 7),
+	/*! Disable TLSv1.1 support */
+	AST_SSL_DISABLE_TLSV11 = (1 << 8),
+	/*! Disable TLSv1.2 support */
+	AST_SSL_DISABLE_TLSV12 = (1 << 9),
 };
 
 struct ast_tls_config {

main/http.c

@@ -1094,10 +1094,13 @@ static int __ast_http_load(int reload)
 	}
 	http_tls_cfg.pvtfile = ast_strdup("");
 
+	/* Apply modern intermediate settings according to the Mozilla OpSec team as of July 30th, 2015 but disable TLSv1 */
+	ast_set_flag(&http_tls_cfg.flags, AST_SSL_DISABLE_TLSV1 | AST_SSL_SERVER_CIPHER_ORDER);
+
 	if (http_tls_cfg.cipher) {
 		ast_free(http_tls_cfg.cipher);
 	}
-	http_tls_cfg.cipher = ast_strdup("");
+	http_tls_cfg.cipher = ast_strdup("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA");
 
 	AST_RWLIST_WRLOCK(&uri_redirects);
 	while ((redirect = AST_RWLIST_REMOVE_HEAD(&uri_redirects, entry))) {
@@ -1122,8 +1125,6 @@ static int __ast_http_load(int reload)
 				&& strcasecmp(v->name, "tlsdontverifyserver")
 				&& strcasecmp(v->name, "tlsclientmethod")
 				&& strcasecmp(v->name, "sslclientmethod")
-				&& strcasecmp(v->name, "tlscipher")
-				&& strcasecmp(v->name, "sslcipher")
 				&& !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
 				continue;
 			}

main/pbx.c

@@ -1377,6 +1377,8 @@ static char *overrideswitch = NULL;
 static struct ast_event_sub *device_state_sub;
 /*! \brief Subscription for presence state change events */
 static struct ast_event_sub *presence_state_sub;
+/*! \brief Subscription for hint change events */
+static struct ast_event_sub *hint_change_sub;
 
 AST_MUTEX_DEFINE_STATIC(maxcalllock);
 static int countcalls;
@@ -5300,15 +5302,113 @@ static int execute_state_callback(ast_state_cb_type cb,
 	return res;
 }
 
-static int handle_presencechange(void *datap)
+static void presence_state_notify_callbacks(enum ast_event_type type, struct ast_hint *hint,
+					    struct ast_str **hint_app, struct presencechange *pc)
 {
-	struct ast_hint *hint;
-	struct ast_str *hint_app = NULL;
-	struct presencechange *pc = datap;
-	struct ao2_iterator i;
 	struct ao2_iterator cb_iter;
+	struct ast_state_cb *state_cb;
 	char context_name[AST_MAX_CONTEXT];
 	char exten_name[AST_MAX_EXTENSION];
+
+	ao2_lock(hint);
+
+	if (!hint->exten) {
+		/* The extension has already been destroyed */
+		ao2_unlock(hint);
+		return;
+	}
+
+	if (type != AST_EVENT_HINT_CHANGE) {
+		const char *app;
+		char *parse;
+
+		/* Does this hint monitor the device that changed state? */
+		app = ast_get_extension_app(hint->exten);
+		if (ast_strlen_zero(app)) {
+			/* The hint does not monitor presence at all. */
+			ao2_unlock(hint);
+			return;
+		}
+
+		ast_str_set(hint_app, 0, "%s", app);
+		parse = parse_hint_presence(*hint_app);
+		if (ast_strlen_zero(parse)) {
+			ao2_unlock(hint);
+			return;
+		}
+		if (strcasecmp(parse, pc->provider)) {
+			/* The hint does not monitor the presence provider. */
+			ao2_unlock(hint);
+			return;
+		}
+	}
+
+	/*
+	 * Save off strings in case the hint extension gets destroyed
+	 * while we are notifying the watchers.
+	 */
+	ast_copy_string(context_name,
+			ast_get_context_name(ast_get_extension_context(hint->exten)),
+			sizeof(context_name));
+	ast_copy_string(exten_name, ast_get_extension_name(hint->exten),
+			sizeof(exten_name));
+	ast_str_set(hint_app, 0, "%s", ast_get_extension_app(hint->exten));
+
+	/* Check to see if update is necessary */
+	if ((hint->last_presence_state == pc->state) &&
+	    ((hint->last_presence_subtype && pc->subtype &&
+	      !strcmp(hint->last_presence_subtype, pc->subtype)) ||
+	     (!hint->last_presence_subtype && !pc->subtype)) &&
+	    ((hint->last_presence_message && pc->message &&
+	      !strcmp(hint->last_presence_message, pc->message)) ||
+	     (!hint->last_presence_message && !pc->message))) {
+		/* this update is the same as the last, do nothing */
+		ao2_unlock(hint);
+		return;
+	}
+
+	/* update new values */
+	ast_free(hint->last_presence_subtype);
+	ast_free(hint->last_presence_message);
+	hint->last_presence_state = pc->state;
+	hint->last_presence_subtype = pc->subtype ? ast_strdup(pc->subtype) : NULL;
+	hint->last_presence_message = pc->message ? ast_strdup(pc->message) : NULL;
+
+	ao2_unlock(hint);
+
+	/* For general callbacks */
+	cb_iter = ao2_iterator_init(statecbs, 0);
+	for (; (state_cb = ao2_iterator_next(&cb_iter)); ao2_ref(state_cb, -1)) {
+		execute_state_callback(state_cb->change_cb,
+				       context_name,
+				       exten_name,
+				       state_cb->data,
+				       AST_HINT_UPDATE_PRESENCE,
+				       hint,
+				       NULL);
+	}
+	ao2_iterator_destroy(&cb_iter);
+
+	/* For extension callbacks */
+	cb_iter = ao2_iterator_init(hint->callbacks, 0);
+	for (; (state_cb = ao2_iterator_next(&cb_iter)); ao2_ref(state_cb, -1)) {
+		execute_state_callback(state_cb->change_cb,
+				       context_name,
+				       exten_name,
+				       state_cb->data,
+				       AST_HINT_UPDATE_PRESENCE,
+				       hint,
+				       NULL);
+	}
+	ao2_iterator_destroy(&cb_iter);
+}
+
+static int handle_presencechange(void *datap)
+{
+	struct presencechange *pc = datap;
+	struct ast_hint *hint;
+	struct ast_str *hint_app = NULL;
+	struct ao2_iterator i;
 	int res = -1;
 
 	hint_app = ast_str_create(1024);
@@ -5319,93 +5419,8 @@ static int handle_presencechange(void *datap)
 	ast_mutex_lock(&context_merge_lock);/* Hold off ast_merge_contexts_and_delete */
 	i = ao2_iterator_init(hints, 0);
 	for (; (hint = ao2_iterator_next(&i)); ao2_ref(hint, -1)) {
-		struct ast_state_cb *state_cb;
-		const char *app;
-		char *parse;
-
-		ao2_lock(hint);
-
-		if (!hint->exten) {
-			/* The extension has already been destroyed */
-			ao2_unlock(hint);
-			continue;
-		}
-
-		/* Does this hint monitor the device that changed state? */
-		app = ast_get_extension_app(hint->exten);
-		if (ast_strlen_zero(app)) {
-			/* The hint does not monitor presence at all. */
-			ao2_unlock(hint);
-			continue;
-		}
-
-		ast_str_set(&hint_app, 0, "%s", app);
-		parse = parse_hint_presence(hint_app);
-		if (ast_strlen_zero(parse)) {
-			ao2_unlock(hint);
-			continue;
-		}
-		if (strcasecmp(parse, pc->provider)) {
-			/* The hint does not monitor the presence provider. */
-			ao2_unlock(hint);
-			continue;
-		}
-
-		/*
-		 * Save off strings in case the hint extension gets destroyed
-		 * while we are notifying the watchers.
-		 */
-		ast_copy_string(context_name,
-			ast_get_context_name(ast_get_extension_context(hint->exten)),
-			sizeof(context_name));
-		ast_copy_string(exten_name, ast_get_extension_name(hint->exten),
-			sizeof(exten_name));
-		ast_str_set(&hint_app, 0, "%s", ast_get_extension_app(hint->exten));
-
-		/* Check to see if update is necessary */
-		if ((hint->last_presence_state == pc->state) &&
-			((hint->last_presence_subtype && pc->subtype && !strcmp(hint->last_presence_subtype, pc->subtype)) || (!hint->last_presence_subtype && !pc->subtype)) &&
-			((hint->last_presence_message && pc->message && !strcmp(hint->last_presence_message, pc->message)) || (!hint->last_presence_message && !pc->message))) {
-
-			/* this update is the same as the last, do nothing */
-			ao2_unlock(hint);
-			continue;
-		}
-
-		/* update new values */
-		ast_free(hint->last_presence_subtype);
-		ast_free(hint->last_presence_message);
-		hint->last_presence_state = pc->state;
-		hint->last_presence_subtype = pc->subtype ? ast_strdup(pc->subtype) : NULL;
-		hint->last_presence_message = pc->message ? ast_strdup(pc->message) : NULL;
-
-		ao2_unlock(hint);
-
-		/* For general callbacks */
-		cb_iter = ao2_iterator_init(statecbs, 0);
-		for (; (state_cb = ao2_iterator_next(&cb_iter)); ao2_ref(state_cb, -1)) {
-			execute_state_callback(state_cb->change_cb,
-				context_name,
-				exten_name,
-				state_cb->data,
-				AST_HINT_UPDATE_PRESENCE,
-				hint,
-				NULL);
-		}
-		ao2_iterator_destroy(&cb_iter);
-
-		/* For extension callbacks */
-		cb_iter = ao2_iterator_init(hint->callbacks, 0);
-		for (; (state_cb = ao2_iterator_next(&cb_iter)); ao2_ref(state_cb, -1)) {
-			execute_state_callback(state_cb->change_cb,
-				context_name,
-				exten_name,
-				state_cb->data,
-				AST_HINT_UPDATE_PRESENCE,
-				hint,
-				NULL);
-		}
-		ao2_iterator_destroy(&cb_iter);
+		presence_state_notify_callbacks(
+			AST_EVENT_PRESENCE_STATE, hint, &hint_app, pc);
 	}
 	ao2_iterator_destroy(&i);
 	ast_mutex_unlock(&context_merge_lock);
@@ -5500,17 +5515,102 @@ static void get_device_state_causing_channels(struct ao2_container *c)
 	ao2_iterator_destroy(&iter);
 }
 
+static void device_state_notify_callbacks(struct ast_hint *hint, struct ast_str **hint_app)
+{
+	struct ao2_iterator cb_iter;
+	struct ast_state_cb *state_cb;
+	int state, same_state;
+	struct ao2_container *device_state_info;
+	int first_extended_cb_call = 1;
+	char context_name[AST_MAX_CONTEXT];
+	char exten_name[AST_MAX_EXTENSION];
+
+	ao2_lock(hint);
+	if (!hint->exten) {
+		/* The extension has already been destroyed */
+		ao2_unlock(hint);
+		return;
+	}
+
+	/*
+	 * Save off strings in case the hint extension gets destroyed
+	 * while we are notifying the watchers.
+	 */
+	ast_copy_string(context_name,
+			ast_get_context_name(ast_get_extension_context(hint->exten)),
+			sizeof(context_name));
+	ast_copy_string(exten_name, ast_get_extension_name(hint->exten),
+			sizeof(exten_name));
+	ast_str_set(hint_app, 0, "%s", ast_get_extension_app(hint->exten));
+	ao2_unlock(hint);
+
+	/*
+	 * Get device state for this hint.
+	 *
+	 * NOTE: We cannot hold any locks while determining the hint
+	 * device state or notifying the watchers without causing a
+	 * deadlock.  (conlock, hints, and hint)
+	 */
+	/* Make a container so state3 can fill it if we wish.
+	 * If that failed we simply do not provide the extended state info.
+	 */
+	device_state_info = alloc_device_state_info();
+
+	state = ast_extension_state3(*hint_app, device_state_info);
+	if ((same_state = state == hint->laststate) && (~state & AST_EXTENSION_RINGING)) {
+		ao2_cleanup(device_state_info);
+		return;
+	}
+
+	/* Device state changed since last check - notify the watchers. */
+	hint->laststate = state;	/* record we saw the change */
+
+	/* For general callbacks */
+	cb_iter = ao2_iterator_init(statecbs, 0);
+	for (; !same_state && (state_cb = ao2_iterator_next(&cb_iter)); ao2_ref(state_cb, -1)) {
+		execute_state_callback(state_cb->change_cb,
+				       context_name,
+				       exten_name,
+				       state_cb->data,
+				       AST_HINT_UPDATE_DEVICE,
+				       hint,
+				       NULL);
+	}
+	ao2_iterator_destroy(&cb_iter);
+
+	/* For extension callbacks */
+	/* extended callbacks are called when the state changed or when AST_EVENT_RINGING is
+	 * included. Normal callbacks are only called when the state changed.
+	 */
+	cb_iter = ao2_iterator_init(hint->callbacks, 0);
+	for (; (state_cb = ao2_iterator_next(&cb_iter)); ao2_ref(state_cb, -1)) {
+		if (state_cb->extended && first_extended_cb_call) {
+			/* Fill detailed device_state_info now that we know it is used by extd. callback */
+			first_extended_cb_call = 0;
+			get_device_state_causing_channels(device_state_info);
+		}
+		if (state_cb->extended || !same_state) {
+			execute_state_callback(state_cb->change_cb,
+					       context_name,
+					       exten_name,
+					       state_cb->data,
+					       AST_HINT_UPDATE_DEVICE,
+					       hint,
+					       state_cb->extended ? device_state_info : NULL);
+		}
+	}
+	ao2_iterator_destroy(&cb_iter);
+
+	ao2_cleanup(device_state_info);
+}
+
 static int handle_statechange(void *datap)
 {
-	struct ast_hint *hint;
+	struct statechange *sc = datap;
 	struct ast_str *hint_app;
 	struct ast_hintdevice *device;
 	struct ast_hintdevice *cmpdevice;
-	struct statechange *sc = datap;
 	struct ao2_iterator *dev_iter;
-	struct ao2_iterator cb_iter;
-	char context_name[AST_MAX_CONTEXT];
-	char exten_name[AST_MAX_EXTENSION];
 
 	if (ao2_container_count(hintdevices) == 0) {
 		/* There are no hints monitoring devices. */
@@ -5541,94 +5641,9 @@ static int handle_statechange(void *datap)
 	}
 
 	for (; (device = ao2_iterator_next(dev_iter)); ao2_t_ref(device, -1, "Next device")) {
-		struct ast_state_cb *state_cb;
-		int state;
-		int same_state;
-		struct ao2_container *device_state_info;
-		int first_extended_cb_call = 1;
-
-		if (!device->hint) {
-			/* Should never happen. */
-			continue;
+		if (device->hint) {
+			device_state_notify_callbacks(device->hint, &hint_app);
 		}
-		hint = device->hint;
-
-		ao2_lock(hint);
-		if (!hint->exten) {
-			/* The extension has already been destroyed */
-			ao2_unlock(hint);
-			continue;
-		}
-
-		/*
-		 * Save off strings in case the hint extension gets destroyed
-		 * while we are notifying the watchers.
-		 */
-		ast_copy_string(context_name,
-			ast_get_context_name(ast_get_extension_context(hint->exten)),
-			sizeof(context_name));
-		ast_copy_string(exten_name, ast_get_extension_name(hint->exten),
-			sizeof(exten_name));
-		ast_str_set(&hint_app, 0, "%s", ast_get_extension_app(hint->exten));
-		ao2_unlock(hint);
-
-		/*
-		 * Get device state for this hint.
-		 *
-		 * NOTE: We cannot hold any locks while determining the hint
-		 * device state or notifying the watchers without causing a
-		 * deadlock.  (conlock, hints, and hint)
-		 */
-		/* Make a container so state3 can fill it if we wish.
-		 * If that failed we simply do not provide the extended state info.
-		 */
-		device_state_info = alloc_device_state_info();
-		state = ast_extension_state3(hint_app, device_state_info);
-		if ((same_state = state == hint->laststate) && (~state & AST_EXTENSION_RINGING)) {
-			ao2_cleanup(device_state_info);
-			continue;
-		}
-
-		/* Device state changed since last check - notify the watchers. */
-		hint->laststate = state;	/* record we saw the change */
-
-		/* For general callbacks */
-		cb_iter = ao2_iterator_init(statecbs, 0);
-		for (; !same_state && (state_cb = ao2_iterator_next(&cb_iter)); ao2_ref(state_cb, -1)) {
-			execute_state_callback(state_cb->change_cb,
-				context_name,
-				exten_name,
-				state_cb->data,
-				AST_HINT_UPDATE_DEVICE,
-				hint,
-				NULL);
-		}
-		ao2_iterator_destroy(&cb_iter);
-
-		/* For extension callbacks */
-		/* extended callbacks are called when the state changed or when AST_EVENT_RINGING is
-		 * included. Normal callbacks are only called when the state changed.
-		 */
-		cb_iter = ao2_iterator_init(hint->callbacks, 0);
-		for (; (state_cb = ao2_iterator_next(&cb_iter)); ao2_ref(state_cb, -1)) {
-			if (state_cb->extended && first_extended_cb_call) {
-				/* Fill detailed device_state_info now that we know it is used by extd. callback */
-				first_extended_cb_call = 0;
-				get_device_state_causing_channels(device_state_info);
-			}
-			if (state_cb->extended || !same_state) {
-				execute_state_callback(state_cb->change_cb,
-					context_name,
-					exten_name,
-					state_cb->data,
-					AST_HINT_UPDATE_DEVICE,
-					hint,
-					state_cb->extended ? device_state_info : NULL);
-			}
-		}
-		ao2_iterator_destroy(&cb_iter);
-
-		ao2_cleanup(device_state_info);
 	}
 	ast_mutex_unlock(&context_merge_lock);
 
@@ -5990,31 +6005,38 @@ static int ast_add_hint(struct ast_exten *e)
 	return 0;
 }
 
+/*! \brief Publish a hint changed event  */
+static int publish_hint_change(struct ast_hint *hint, struct ast_exten *ne)
+{
+	struct ast_event *event;
+
+	/*
+	 * Since hint is an ao2_object we need to pass in a pointer to the hint pointer,
+	 * which gets copied by the event subsystem. The event handler will take care of
+	 * de-referencing the hint.
+	 */
+	ao2_ref(hint, +1);
+	if (!(event = ast_event_new(AST_EVENT_HINT_CHANGE,
+				    AST_EVENT_IE_HINT_CHANGE_PAYLOAD, AST_EVENT_IE_PLTYPE_RAW, &hint,
+				    sizeof(hint), /* We actually want the size of the pointer */
+				    AST_EVENT_IE_END))) {
+		ao2_ref(hint, -1);
+		return -1;
+	}
+
+	ast_event_queue_and_cache(event);
+	return 0;
+}
+
 /*! \brief Change hint for an extension */
 static int ast_change_hint(struct ast_exten *oe, struct ast_exten *ne)
 {
-	struct ast_str *hint_app;
 	struct ast_hint *hint;
-	int previous_device_state;
-	char *previous_message = NULL;
-	char *message = NULL;
-	char *previous_subtype = NULL;
-	char *subtype = NULL;
-	int previous_presence_state;
-	int presence_state;
-	int presence_state_changed = 0;
 
 	if (!oe || !ne) {
 		return -1;
 	}
 
-	hint_app = ast_str_create(1024);
-	if (!hint_app) {
-		return -1;
-	}
-
-	ast_mutex_lock(&context_merge_lock); /* Hold off ast_merge_contexts_and_delete and state changes */
-
 	ao2_lock(hints);/* Locked to hold off others while we move the hint around. */
 
 	/*
@@ -6025,7 +6047,6 @@ static int ast_change_hint(struct ast_exten *oe, struct ast_exten *ne)
 	if (!hint) {
 		ao2_unlock(hints);
 		ast_mutex_unlock(&context_merge_lock);
-		ast_free(hint_app);
 		return -1;
 	}
 
@@ -6035,25 +6056,6 @@ static int ast_change_hint(struct ast_exten *oe, struct ast_exten *ne)
 	ao2_lock(hint);
 	hint->exten = ne;
 
-	/* Store the previous states so we know whether we need to notify state callbacks */
-	previous_device_state = hint->laststate;
-	previous_presence_state = hint->last_presence_state;
-	previous_message = hint->last_presence_message;
-	previous_subtype = hint->last_presence_subtype;
-
-	/* Update the saved device and presence state with the new extension */
-	hint->laststate = ast_extension_state2(ne, NULL);
-	hint->last_presence_state = AST_PRESENCE_INVALID;
-	hint->last_presence_subtype = NULL;
-	hint->last_presence_message = NULL;
-
-	presence_state = extension_presence_state_helper(ne, &subtype, &message);
-	if (presence_state > 0) {
-		hint->last_presence_state = presence_state;
-		hint->last_presence_subtype = subtype;
-		hint->last_presence_message = message;
-	}
-
 	ao2_unlock(hint);
 
 	ao2_link(hints, hint);
@@ -6062,103 +6064,59 @@ static int ast_change_hint(struct ast_exten *oe, struct ast_exten *ne)
 			ast_get_extension_name(ne),
 			ast_get_context_name(ast_get_extension_context(ne)));
 	}
-
 	ao2_unlock(hints);
 
-	/* Locking for state callbacks is respected here and only the context_merge_lock lock is
-	 * held during the state callback invocation. This will stop the normal state callback
-	 * thread from being able to handle incoming state changes if they occur.
-	 */
-
-	/* Determine if presence state has changed due to the change of the hint extension */
-	if ((hint->last_presence_state != previous_presence_state) ||
-		strcmp(S_OR(hint->last_presence_subtype, ""), S_OR(previous_subtype, "")) ||
-		strcmp(S_OR(hint->last_presence_message, ""), S_OR(previous_message, ""))) {
-		presence_state_changed = 1;
-	}
-
-	/* Notify any existing state callbacks if the device or presence state has changed */
-	if ((hint->laststate != previous_device_state) || presence_state_changed) {
-		struct ao2_iterator cb_iter;
-		struct ast_state_cb *state_cb;
-		struct ao2_container *device_state_info;
-		int first_extended_cb_call = 1;
-
-		/* For general callbacks */
-		cb_iter = ao2_iterator_init(statecbs, 0);
-		for (; (state_cb = ao2_iterator_next(&cb_iter)); ao2_ref(state_cb, -1)) {
-			/* Unlike the normal state callbacks since something has explicitly provided us this extension
-			 * it will remain valid and unchanged for the lifetime of this function invocation.
-			 */
-			if (hint->laststate != previous_device_state) {
-				execute_state_callback(state_cb->change_cb,
-					ast_get_context_name(ast_get_extension_context(ne)),
-					ast_get_extension_name(ne),
-					state_cb->data,
-					AST_HINT_UPDATE_DEVICE,
-					hint,
-					NULL);
-			}
-			if (presence_state_changed) {
-				execute_state_callback(state_cb->change_cb,
-					ast_get_context_name(ast_get_extension_context(ne)),
-					ast_get_extension_name(ne),
-					state_cb->data,
-					AST_HINT_UPDATE_PRESENCE,
-					hint,
-					NULL);
-			}
-		}
-		ao2_iterator_destroy(&cb_iter);
-
-		ast_str_set(&hint_app, 0, "%s", ast_get_extension_app(ne));
-
-		device_state_info = alloc_device_state_info();
-		ast_extension_state3(hint_app, device_state_info);
-
-		/* For extension callbacks */
-		cb_iter = ao2_iterator_init(hint->callbacks, 0);
-		for (; (state_cb = ao2_iterator_next(&cb_iter)); ao2_ref(state_cb, -1)) {
-			if (hint->laststate != previous_device_state) {
-				if (state_cb->extended && first_extended_cb_call) {
-				/* Fill detailed device_state_info now that we know it is used by extd. callback */
-					first_extended_cb_call = 0;
-					get_device_state_causing_channels(device_state_info);
-				}
-				execute_state_callback(state_cb->change_cb,
-					ast_get_context_name(ast_get_extension_context(ne)),
-					ast_get_extension_name(ne),
-					state_cb->data,
-					AST_HINT_UPDATE_DEVICE,
-					hint,
-					state_cb->extended ? device_state_info : NULL);
-			}
-			if (presence_state_changed) {
-				execute_state_callback(state_cb->change_cb,
-					ast_get_context_name(ast_get_extension_context(ne)),
-					ast_get_extension_name(ne),
-					state_cb->data,
-					AST_HINT_UPDATE_PRESENCE,
-					hint,
-					NULL);
-			}
-		}
-		ao2_iterator_destroy(&cb_iter);
-
-		ao2_cleanup(device_state_info);
-	}
+	publish_hint_change(hint, ne);
 
 	ao2_ref(hint, -1);
 
-	ast_mutex_unlock(&context_merge_lock);
-
-	ast_free(hint_app);
-	ast_free(previous_message);
-	ast_free(previous_subtype);
-
 	return 0;
 }
 
+static int handle_hint_change(void *data)
+{
+	struct ast_hint *hint = data;
+	struct ast_str *hint_app;
+	int state;
+	struct presencechange presence_state;
+
+	if (!(hint_app = ast_str_create(1024))) {
+		return -1;
+	}
+
+	device_state_notify_callbacks(hint, &hint_app);
+
+	state = extension_presence_state_helper(
+		hint->exten, &presence_state.subtype, &presence_state.message);
+
+	presence_state.state = state > 0 ? state : AST_PRESENCE_INVALID;
+
+	presence_state_notify_callbacks(AST_EVENT_HINT_CHANGE, hint, &hint_app, &presence_state);
+
+	ast_free(hint_app);
+	ao2_ref(hint, -1);
+
+	ast_free(presence_state.subtype);
+	ast_free(presence_state.message);
+
+	return 0;
+}
+
+static void hint_change_cb(const struct ast_event *event, void *unused)
+{
+	/* The event data is a pointer to a hint (an ao2_object) */
+	struct ast_hint **hint = (struct ast_hint **)
+		ast_event_get_ie_raw(event, AST_EVENT_IE_HINT_CHANGE_PAYLOAD);
+
+	if (!hint || !*hint) {
+		return;
+	}
+
+	/* The task processor thread is taking our reference to the hint object. */
+	if (ast_taskprocessor_push(extension_state_tps, handle_hint_change, *hint) < 0) {
+		ao2_ref(*hint, -1);
+	}
+}
 
 /*! \brief Get hint for channel */
 int ast_get_hint(char *hint, int hintsize, char *name, int namesize, struct ast_channel *c, const char *context, const char *exten)
@@ -12255,6 +12213,9 @@ static void unload_pbx(void)
 {
 	int x;
 
+	if (hint_change_sub) {
+		hint_change_sub = ast_event_unsubscribe(hint_change_sub);
+	}
 	if (presence_state_sub) {
 		presence_state_sub = ast_event_unsubscribe(presence_state_sub);
 	}
@@ -12316,6 +12277,11 @@ int load_pbx(void)
 		return -1;
 	}
 
+	if (!(hint_change_sub = ast_event_subscribe(AST_EVENT_HINT_CHANGE, hint_change_cb, "pbx Hint Change", NULL,
+			AST_EVENT_IE_END))) {
+		return -1;
+	}
+
 	return 0;
 }
 

main/tcptls.c

@@ -758,7 +758,8 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
 	return 0;
 #else
 	int disable_ssl = 0;
- 
+	long ssl_opts = 0;
+
 	if (!cfg->enabled) {
 		return 0;
 	}
@@ -806,12 +807,30 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
 	 * them. SSLv23_*_method supports TLSv1+.
 	 */
 	if (disable_ssl) {
-		long ssl_opts;
-
-		ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
-		SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
+		ssl_opts |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
 	}
 
+	if (ast_test_flag(&cfg->flags, AST_SSL_SERVER_CIPHER_ORDER)) {
+		ssl_opts |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+	}
+
+	if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV1)) {
+		ssl_opts |= SSL_OP_NO_TLSv1;
+	}
+#if defined(HAVE_SSL_OP_NO_TLSV1_1) && defined(HAVE_SSL_OP_NO_TLSV1_2)
+	if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV11)) {
+		ssl_opts |= SSL_OP_NO_TLSv1_1;
+	}
+	if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV12)) {
+		ssl_opts |= SSL_OP_NO_TLSv1_2;
+	}
+#else
+	ast_log(LOG_WARNING, "Your version of OpenSSL leaves you potentially vulnerable "
+			"to the SSL BEAST attack. Please upgrade to OpenSSL 1.0.1 or later\n");
+#endif
+
+	SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
+
 	SSL_CTX_set_verify(cfg->ssl_ctx,
 		ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE,
 		NULL);
@@ -1127,6 +1146,14 @@ int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_
 			ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
 			ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
 		}
+	} else if (!strcasecmp(varname, "tlsservercipherorder")) {
+		ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_SERVER_CIPHER_ORDER);
+	} else if (!strcasecmp(varname, "tlsdisablev1")) {
+		ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV1);
+	} else if (!strcasecmp(varname, "tlsdisablev11")) {
+		ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV11);
+	} else if (!strcasecmp(varname, "tlsdisablev12")) {
+		ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV12);
 	} else {
 		return -1;
 	}

main/udptl.c

@@ -263,16 +263,15 @@ static int decode_open_type(uint8_t *buf, unsigned int limit, unsigned int *len,
 	if (decode_length(buf, limit, len, &octet_cnt) != 0)
 		return -1;
 
-	if (octet_cnt > 0) {
-		/* Make sure the buffer contains at least the number of bits requested */
-		if ((*len + octet_cnt) > limit)
-			return -1;
-
-		*p_num_octets = octet_cnt;
-		*p_object = &buf[*len];
-		*len += octet_cnt;
+	/* Make sure the buffer contains at least the number of bits requested */
+	if ((*len + octet_cnt) > limit) {
+		return -1;
 	}
 
+	*p_num_octets = octet_cnt;
+	*p_object = &buf[*len];
+	*len += octet_cnt;
+
 	return 0;
 }
 /*- End of function --------------------------------------------------------*/