From 57abca11a81826d0195d37a49298dd02864af8b3 Mon Sep 17 00:00:00 2001
From: Travis Cross <tc@traviscross.com>
Date: Thu, 6 Feb 2014 03:13:13 +0000
Subject: [PATCH] Support setting TLS cipher suites in mod_sofia

This adds a parameter tls-ciphers in which we can specify the TLS
cipher suite specification for OpenSSL.
---
 src/mod/endpoints/mod_sofia/conf/sofia.conf.xml | 2 ++
 src/mod/endpoints/mod_sofia/mod_sofia.h         | 1 +
 src/mod/endpoints/mod_sofia/sofia.c             | 5 +++++
 3 files changed, 8 insertions(+)

diff --git a/src/mod/endpoints/mod_sofia/conf/sofia.conf.xml b/src/mod/endpoints/mod_sofia/conf/sofia.conf.xml
index deeb0c62cc..0b3c0c8da8 100644
--- a/src/mod/endpoints/mod_sofia/conf/sofia.conf.xml
+++ b/src/mod/endpoints/mod_sofia/conf/sofia.conf.xml
@@ -249,6 +249,8 @@
              sets which subjects are allowed, multiple subjects can be split
              with a '|' pipe -->
         <param name="tls-verify-in-subjects" value=""/>
+        <!-- Set the OpenSSL cipher suite list -->
+        <!-- <param name="tls-ciphers" value="!aNULL:!LOW:!EXP:!kECDH:!ECDSA:!DSS:!PSK:!SRP:ALL"/> -->
         <!-- TLS version ("sslv23" (default), "tlsv1"). NOTE: Phones may not
              work with TLSv1 -->
         <param name="tls-version" value="$${sip_tls_version}"/>
diff --git a/src/mod/endpoints/mod_sofia/mod_sofia.h b/src/mod/endpoints/mod_sofia/mod_sofia.h
index 25b98725e7..1a457b2421 100644
--- a/src/mod/endpoints/mod_sofia/mod_sofia.h
+++ b/src/mod/endpoints/mod_sofia/mod_sofia.h
@@ -587,6 +587,7 @@ struct sofia_profile {
 	switch_port_t sip_port;
 	switch_port_t extsipport;
 	switch_port_t tls_sip_port;
+	char *tls_ciphers;
 	int tls_version;
 	unsigned int tls_timeout;
 	char *inbound_codec_string;
diff --git a/src/mod/endpoints/mod_sofia/sofia.c b/src/mod/endpoints/mod_sofia/sofia.c
index b55c972707..d26b1042bb 100644
--- a/src/mod/endpoints/mod_sofia/sofia.c
+++ b/src/mod/endpoints/mod_sofia/sofia.c
@@ -2535,6 +2535,8 @@ void *SWITCH_THREAD_FUNC sofia_profile_thread_run(switch_thread_t *thread, void
 									 TPTAG_TLS_VERIFY_DATE(profile->tls_verify_date)),
 							  TAG_IF(sofia_test_pflag(profile, PFLAG_TLS) && profile->tls_verify_in_subjects,
 									  TPTAG_TLS_VERIFY_SUBJECTS(profile->tls_verify_in_subjects)),
+							  TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
+									 TPTAG_TLS_CIPHERS(profile->tls_ciphers)),
 							  TAG_IF(sofia_test_pflag(profile, PFLAG_TLS),
 									 TPTAG_TLS_VERSION(profile->tls_version)),
 							  TAG_IF(sofia_test_pflag(profile, PFLAG_TLS) && profile->tls_timeout,
@@ -3764,6 +3766,7 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
 					profile->sip_force_expires = 0;
 					profile->sip_expires_max_deviation = 0;
 					profile->sip_subscription_max_deviation = 0;
+					profile->tls_ciphers = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH";
 					profile->tls_version = SOFIA_TLS_VERSION_TLSv1;
 					profile->tls_version |= SOFIA_TLS_VERSION_TLSv1_1;
 					profile->tls_version |= SOFIA_TLS_VERSION_TLSv1_2;
@@ -4701,6 +4704,8 @@ switch_status_t config_sofia(sofia_config_t reload, char *profile_name)
 						profile->tls_passphrase = switch_core_strdup(profile->pool, val);
 					} else if (!strcasecmp(var, "tls-verify-in-subjects") && !zstr(val)) {
 						profile->tls_verify_in_subjects_str = switch_core_strdup(profile->pool, val);
+					} else if (!strcasecmp(var, "tls-ciphers") && !zstr(val)) {
+						profile->tls_ciphers = switch_core_strdup(profile->pool, val);
 					} else if (!strcasecmp(var, "tls-version") && !zstr(val)) {
 						char *ps = val, *pe;
 						profile->tls_version = 0;