TLS: switch ssl_protocols to a comma separated list

2017-01-31 14:59:46 +09:00 · 2017-01-31 14:59:46 +09:00 · 849c1a22a2
commit 849c1a22a2
parent c126f81d9a
3 changed files with 15 additions and 9 deletions
--- a/docs/man/xrdp.ini.5.in
+++ b/docs/man/xrdp.ini.5.in
@ -145,7 +145,7 @@ Negotiate these security methods with clients.

 .TP
 \fBssl_protocols\fP=\fI[SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]\fP
-Enables the specified SSL/TLS protocols. Each value should be separated by space.
+Enables the specified SSL/TLS protocols. Each value should be separated by comma.
 SSLv2 is always disabled. At least one protocol should be given to accept TLS connections.
 This parameter is effective only if \fBsecurity_layer\fP is set to \fBtls\fP or \fBnegotiate\fP.

--- a/libxrdp/xrdp_rdp.c
+++ b/libxrdp/xrdp_rdp.c
@ -45,6 +45,7 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
    char *item = (char *)NULL;
    char *value = (char *)NULL;
    char cfg_file[256];
+    char *p = (char *)NULL;
    char *tmp = (char *)NULL;
    int tmp_length = 0;

@ -165,31 +166,36 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
        }
        else if (g_strcasecmp(item, "ssl_protocols") == 0)
        {
-            /* put leading/trailing space to properly detect "TLSv1" without regex */
+            /* put leading/trailing comma to properly detect "TLSv1" without regex */
            tmp_length = g_strlen(value) + 3;
            tmp = g_new(char, tmp_length);
-            g_snprintf(tmp, tmp_length, "%s%s%s", " ", value, " ");
+            g_snprintf(tmp, tmp_length, "%s%s%s", ",", value, ",");
+            /* to accept space after comma */
+            while ((p = (char *) g_strchr(tmp, ' ')) != NULL)
+            {
+                *p = ',';
+            }

            /* disable all protocols first, enable later */
            client_info->ssl_protocols =
                SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;

-            if (g_pos(tmp, " TLSv1.2 ") >= 0)
+            if (g_pos(tmp, ",TLSv1.2,") >= 0)
            {
                log_message(LOG_LEVEL_DEBUG, "TLSv1.2 enabled");
                client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_2;
            }
-            if (g_pos(tmp, " TLSv1.1 ") >= 0)
+            if (g_pos(tmp, ",TLSv1.1,") >= 0)
            {
                log_message(LOG_LEVEL_DEBUG, "TLSv1.1 enabled");
                client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_1;
            }
-            if (g_pos(tmp, " TLSv1 ") >= 0)
+            if (g_pos(tmp, ",TLSv1,") >= 0)
            {
                log_message(LOG_LEVEL_DEBUG, "TLSv1 enabled");
                client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1;
            }
-            if (g_pos(tmp, " SSLv3 ") >= 0)
+            if (g_pos(tmp, ",SSLv3,") >= 0)
            {
                log_message(LOG_LEVEL_DEBUG, "SSLv3 enabled");
                client_info->ssl_protocols &= ~SSL_OP_NO_SSLv3;
--- a/xrdp/xrdp.ini
+++ b/xrdp/xrdp.ini
@ -26,8 +26,8 @@ crypt_level=high
 certificate=
 key_file=
 ; set SSL protocols
-; can be space separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2'
-ssl_protocols=TLSv1 TLSv1.1 TLSv1.2
+; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2'
+ssl_protocols=TLSv1, TLSv1.1, TLSv1.2
 ; set TLS cipher suites (up to 63 characters)
 #tls_ciphers=HIGH