matt335672
ea582429e1
Load any private key type, not just RSA ( #1776 )
...
Fix missing SSL logging and reformat with astyle
2021-01-07 10:34:39 +00:00
matt335672
0a1a8f40e5
Moved a lot of string funcs to string_calls module
2020-12-22 11:57:24 +00:00
Alexandre Quesnel
9cb6bfc3a4
Fix SSL compiler warning
2020-11-17 05:46:36 +00:00
Koichiro IWAO
74497752dc
Add TLSv1.3 support
...
Actually, TLSv1.3 will be enabled without this change if xrdp is compiled
with OpenSSL or alternatives which support TLSv1.3. This commit makes to
enable or disable TLSv1.3 explicitly. Also, this commit adds a log
"TLSv1.3 enabled by config, but not supported by system OpenSSL". if
xrdp installation doesn't support TLSv1.3. It should be user-friendly.
2018-09-14 11:50:55 +09:00
daixj
88b3c06311
fix issue #1112 : set SSL object's read_ahead flag to be 0
2018-05-21 11:08:41 +08:00
Koichiro IWAO
b2b42d28f3
xrdp: add OpenSSL version to --version
...
While here, cleanup --help, --version, and when unknown option.
2018-04-10 23:58:31 +09:00
speidy
a432969746
common: ssl_calls: add support for OpenSSL>=1.1.0 API for DH keys
...
also fixes some memory leak introduced in PR#1024.
and adds a check that DH params generated successfully. write a proper log message if not.
2018-03-22 02:20:47 +02:00
speidy
8effc09ab7
common: ssl_calls: check if SSL object created right after its creation.
2018-03-21 08:16:12 +02:00
Koichiro IWAO
e3d0fd6d46
common: temporarily disable DHE
...
until make it possible to use generated DH parameters per installation.
2018-03-18 21:14:06 +09:00
Koichiro IWAO
1690950cc8
common: regenerate dhparam
...
Generated by: openssl dhparam -C 2236
2018-03-01 13:48:22 +09:00
Koichiro IWAO
578d23477c
common: obey coding style, remove trailing space
2018-03-01 12:11:52 +09:00
Enrico Tagliavini
70b5adb396
add support for DHE ciphers via compiled in dhparam
...
make it possible to use regular (non EC) EDH ciphers. To make this
possible a Diffie-Hellman parameter must be passed to the openssl
library. There are a few options possible as described in the manuals at
[1] and [2]. Simplest approach is to generate a DH parameter using
openssl dhparam -C <lenght> and include the code into the application.
The lenght used for this commit is 2236 bits long, which is the longest
possible without risking backward incompatibilities with old systems as
stated in [1]. Newer systems should use ECDH anyway, so it makes sense
to keep this method as compatible with older system as possible.
Paramters longer than 2048 should still be secure enough at the time of
writing.
[1] https://wiki.openssl.org/index.php/Diffie-Hellman_parameters
[2] https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_tmp_dh_callback(3)
2018-03-01 09:57:35 +09:00
Enrico Tagliavini
6cdc0f31b0
enable automatic ECDH when possible (openssl 1.0.2)
...
Openssl 1.1.0 and later are enabling ECDH automatically, but for older
version it must be enabled explicitly or all Perfect Forward Secrecy
ciphers will be silently ignored. See also [1]. This commit applies the
same fix as found in CnetOS 7 httpd package to enable automatic ECDH as
found in [2].
[1] https://wiki.openssl.org/index.php/Diffie-Hellman_parameters
[2] https://git.centos.org/blob/rpms!httpd.git/c7/SOURCES!httpd-2.4.6-ssl-ecdh-auto.patch
2018-03-01 09:57:35 +09:00
Koichiro IWAO
793a418cfb
common: log what value is set to tls_ciphers
...
Related to #1033 .
2018-02-20 13:13:37 +09:00
Jay Sorg
a9eb21e6d7
common: avoid 100% cpu on ssl accept, can be fake client
2017-11-22 16:17:34 -08:00
Koichiro IWAO
04187945a8
move base64 functions to base64.c
2017-08-01 08:40:30 +09:00
Koichiro IWAO
d57e02626d
add base64_decode function
2017-08-01 08:40:30 +09:00
Koichiro IWAO
aa4b90d250
Change log level DEBUG -> WARNING
...
since unavailability of ssl protocols defined in config file
may weaken security and it is important for users.
2017-07-06 13:14:27 +09:00
Koichiro IWAO
455c341efc
Reword log messages in ssl_get_protocols_from_string()
2017-07-06 13:14:27 +09:00
Jay Sorg
8d63c32899
move openssl calls to common/libssl.c, check for defines
2017-06-22 11:47:48 +09:00
Jay Sorg
2c96908ea5
common: if SSL_shutdown fails, only call one more time
2017-05-10 14:56:20 -07:00
Jay Sorg
75fd3fcf89
common: ssl_tls_write / read return 0 on socket close
2017-05-10 14:56:20 -07:00
Pavel Roskin
6ed4c969f4
Eliminate APP_CC and DEFAULT_CC
2017-03-14 00:21:48 -07:00
Pavel Roskin
b2d3dcf169
Include config_ac.h from all source files
2017-03-04 00:52:34 -08:00
Koichiro IWAO
e94ab10e14
TLS: new method to specify SSL/TLS version
...
SSL/TLS protocols only listed in ssl_protocols should be used.
The name "ssl_protocols" comes from nginx.
Resolves #428 .
2017-02-27 14:17:25 +09:00
Jay Sorg
657f6f3756
common: use select for SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE tls errors
2017-02-25 20:52:27 -08:00
Pavel Roskin
dc1e341f5a
Constify input arguments of ssl_mod_exp() and ssl_gen_key_xrdp1()
2017-02-02 21:39:10 -08:00
Pavel Roskin
6a3f0a75bd
Remove support for OpenSSL older than 0.9.8
...
It's hard to find an older version of OpenSSL even on long term support
distros.
2017-02-02 21:39:10 -08:00
Idan Freiberg
19375dda7a
Merge pull request #426 from metalefty/log-tls-version-and-cipher
...
TLS: log TLS version and cipher
2017-01-16 07:26:51 +02:00
Koichiro IWAO
c89c1318f8
obey coding standard, no logic change
2017-01-12 09:28:22 +09:00
Pavel Roskin
6664aac00f
Use "void" for empty argument list in declarations
...
In C, an empty argument list in a declaration means that the function
can accept any arguments. Use "void" instead, it means "no arguments".
C++ treats void and empty list as "no arguments".
2017-01-05 17:27:20 -08:00
Koichiro IWAO
40e8194122
TLS: log TLS version and cipher
2016-11-22 10:50:30 +09:00
Pavel Roskin
4324084d58
Use static inline functions for OpenSSL 1.0 backport
...
Conditional preprocessor directives spread throughout the code set a bad
example.
The new backport code is located in one place. The compiler checks
argument types. The backport code has no access to the caller variables.
The main code has all advantages of the new, more compact API.
2016-11-01 11:09:15 -07:00
Dominik George
e5cf45d1ac
Add backwards compatibility to OpenSSL < 1.1.0.
2016-10-27 22:40:48 +02:00
Dominik George
1b5fb8f1c8
Fix ssl_calls for OpenSSL 1.1.0, closes #458 .
2016-10-27 21:56:22 +02:00
Jay Sorg
8f747e37ca
always set SSL_OP_NO_SSLv2 in TLS options
2016-08-25 11:38:03 -07:00
Alex Illsley
47124df4ed
new options for xrdp.ini disableSSlv3=yes and tls_ciphers=HIGH and code to implement
2016-08-25 11:20:47 -07:00
Pavel Roskin
5829323ad8
Use g_new or g_new0 when C++ compiler would complain about implicit cast
2016-07-08 04:29:49 +00:00
Pavel Roskin
aeeb3d2c2e
Fix warnings detected by -Wwrite-strings
2016-07-08 04:29:42 +00:00
Jay Sorg
f100036cd9
common: minor fix for older openssl keygen
2016-02-22 11:48:54 -08:00
Jay Sorg
0d192aee62
common: fix for key generated smaller than asked for
2016-02-22 11:38:03 -08:00
Jay Sorg
fd793bd213
rename g_tcp_can_recv to g_sck_can_recv
2015-10-07 22:17:12 -07:00
Koichiro IWAO
cd6ab20e94
common: shut up some messages in ssl_tls_print_error
...
SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE are not fatal error but just
indicate SSL_read, SSL_write, SSL_accept functions to repeat.
2015-06-12 13:03:07 +09:00
Koichiro IWAO
2a2b8bcd59
common: fix #248 TLS on FreeBSD
...
According to document[1][2][3], retry when SSL_get_error returns
SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE.
[1] https://www.openssl.org/docs/ssl/SSL_read.html
[2] https://www.openssl.org/docs/ssl/SSL_write.html
[3] https://www.openssl.org/docs/ssl/SSL_accept.html
2015-06-11 21:45:57 +09:00
speidy
86005c5bcc
ssl_calls: fix to read certificate chains
2014-12-10 00:04:38 +02:00
Jay Sorg
d9d746ce5c
common: avoid possible SSL_shutdown crash
2014-12-02 10:52:03 -08:00
Jay Sorg
cc0406dddf
common: move tls calls to ssl_calls
2014-11-25 18:55:37 -08:00
Jay Sorg
09de814ff0
common: allow RSA keys bigger than 512 bit
2014-06-05 17:52:02 -07:00
Jay Sorg
25ad4d8a36
common: add more fips ssl calls
2014-02-23 20:40:13 -08:00
Jay Sorg
2921400083
common: check for nil in fips cleanup
2014-02-23 12:27:41 -08:00