From 849c1a22a24be80b2681e649f695126578740e6b Mon Sep 17 00:00:00 2001
From: Koichiro IWAO
Date: Tue, 31 Jan 2017 14:59:46 +0900
Subject: [PATCH] TLS: switch ssl_protocols to a comma separated list
---
 docs/man/xrdp.ini.5.in | 2 +-
 libxrdp/xrdp_rdp.c | 18 ++++++++++++------
 xrdp/xrdp.ini | 4 ++--
 3 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/docs/man/xrdp.ini.5.in b/docs/man/xrdp.ini.5.in
index d4607ea3..612adcd7 100644
--- a/docs/man/xrdp.ini.5.in
+++ b/docs/man/xrdp.ini.5.in
@@ -145,7 +145,7 @@ Negotiate these security methods with clients.
 .TP
 \fBssl_protocols\fP=\fI[SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]\fP
-Enables the specified SSL/TLS protocols. Each value should be separated by space.
+Enables the specified SSL/TLS protocols. Each value should be separated by comma.
 SSLv2 is always disabled. At least one protocol should be given to accept TLS connections. This parameter is effective only if \fBsecurity_layer\fP is set to \fBtls\fP or \fBnegotiate\fP.
diff --git a/libxrdp/xrdp_rdp.c b/libxrdp/xrdp_rdp.c
index e84ff95b..a9909dcd 100644
--- a/libxrdp/xrdp_rdp.c
+++ b/libxrdp/xrdp_rdp.c
@@ -45,6 +45,7 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
 char *item = (char *)NULL;
 char *value = (char *)NULL;
 char cfg_file[256];
+ char *p = (char *)NULL;
 char *tmp = (char *)NULL;
 int tmp_length = 0;
@@ -165,31 +166,36 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
 }
 else if (g_strcasecmp(item, "ssl_protocols") == 0)
 {
- /* put leading/trailing space to properly detect "TLSv1" without regex */
+ /* put leading/trailing comma to properly detect "TLSv1" without regex */
 tmp_length = g_strlen(value) + 3;
 tmp = g_new(char, tmp_length);
- g_snprintf(tmp, tmp_length, "%s%s%s", " ", value, " ");
+ g_snprintf(tmp, tmp_length, "%s%s%s", ",", value, ",");
+ /* to accept space after comma */
+ while ((p = (char *) g_strchr(tmp, ' ')) != NULL)
+ {
+ *p = ',';
+ }
 /* disable all protocols first, enable later */
 client_info->ssl_protocols = SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
- if (g_pos(tmp, " TLSv1.2 ") >= 0)
+ if (g_pos(tmp, ",TLSv1.2,") >= 0)
 {
 log_message(LOG_LEVEL_DEBUG, "TLSv1.2 enabled");
 client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_2;
 }
- if (g_pos(tmp, " TLSv1.1 ") >= 0)
+ if (g_pos(tmp, ",TLSv1.1,") >= 0)
 {
 log_message(LOG_LEVEL_DEBUG, "TLSv1.1 enabled");
 client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1_1;
 }
- if (g_pos(tmp, " TLSv1 ") >= 0)
+ if (g_pos(tmp, ",TLSv1,") >= 0)
 {
 log_message(LOG_LEVEL_DEBUG, "TLSv1 enabled");
 client_info->ssl_protocols &= ~SSL_OP_NO_TLSv1;
 }
- if (g_pos(tmp, " SSLv3 ") >= 0)
+ if (g_pos(tmp, ",SSLv3,") >= 0)
 {
 log_message(LOG_LEVEL_DEBUG, "SSLv3 enabled");
 client_info->ssl_protocols &= ~SSL_OP_NO_SSLv3;
diff --git a/xrdp/xrdp.ini b/xrdp/xrdp.ini
index 58b82bb5..fd421e35 100644
--- a/xrdp/xrdp.ini
+++ b/xrdp/xrdp.ini
@@ -26,8 +26,8 @@ crypt_level=high
 certificate=
 key_file=
 ; set SSL protocols
-; can be space separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2'
-ssl_protocols=TLSv1 TLSv1.1 TLSv1.2
+; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2'
+ssl_protocols=TLSv1, TLSv1.1, TLSv1.2
 ; set TLS cipher suites (up to 63 characters)
 #tls_ciphers=HIGH
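Review bot: A value that matches none of the four token spellings leaves every SSL_OP_NO_* bit set and nothing is logged about it, so a typo or a lowercase `tlsv1.2` (g_pos looks like a plain case-sensitive substring search) silently disables TLS entirely and only surfaces as failed client connections; after the `,SSLv3,` block I would add `if (client_info->ssl_protocols == (SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2)) { log_message(LOG_LEVEL_WARNING, "ssl_protocols enables no protocol; TLS connections will fail"); }`. Failing closed is the right default here, but the misconfiguration deserves a warning-level line rather than only the per-protocol DEBUG messages. The new folding loop also restarts g_strchr from the head of tmp on every pass and folds only ' ', so a tab after the comma (`TLSv1,<TAB>TLSv1.2`) would leave `,TLSv1,\tTLSv1.2,` and quietly drop TLSv1.2; a single pass over tmp replacing both ' ' and '\t' with ',' covers both cases. xrdp_rdp_read_config begins and ends outside this hunk, so the release of tmp is not visible here.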