From 800e545ae3d98ef03f450a6c724afb66071d3a6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrien=20B=C3=A9raud?= <adrien.beraud@savoirfairelinux.com>
Date: Wed, 12 Nov 2014 18:25:18 -0500
Subject: [PATCH] tls: don't hardcode a default cypher list

The crypto layer (GnuTLS) will provide an acceptable default list if no cypher is provided.

Refs #59541

Change-Id: I7114deb422c5cbaf34b27cfec29153a966a7af35
---
 daemon/src/dht/dhtaccount.cpp | 23 +++--------------------
 daemon/src/dht/dhtaccount.h   |  5 -----
 daemon/src/sip/sipaccount.cpp | 34 ++++------------------------------
 3 files changed, 7 insertions(+), 55 deletions(-)

diff --git a/daemon/src/dht/dhtaccount.cpp b/daemon/src/dht/dhtaccount.cpp
index c03fdda166..8551e2e630 100644
--- a/daemon/src/dht/dhtaccount.cpp
+++ b/daemon/src/dht/dhtaccount.cpp
@@ -74,20 +74,6 @@
 
 constexpr const char * const DHTAccount::ACCOUNT_TYPE;
 
-const CipherArray DHTAccount::TLS_CIPHER_LIST = {
-    PJ_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
-    PJ_TLS_DH_RSA_WITH_AES_256_CBC_SHA256,
-    PJ_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
-    PJ_TLS_DH_RSA_WITH_AES_128_CBC_SHA256,
-    PJ_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
-    PJ_TLS_DH_RSA_WITH_AES_256_CBC_SHA,
-    PJ_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
-    PJ_TLS_RSA_WITH_AES_256_CBC_SHA256,
-    PJ_TLS_RSA_WITH_AES_256_CBC_SHA,
-    PJ_TLS_RSA_WITH_AES_128_CBC_SHA256,
-    PJ_TLS_RSA_WITH_AES_128_CBC_SHA
-};
-
 DHTAccount::DHTAccount(const std::string& accountID, bool /* presenceEnabled */)
     : SIPAccountBase(accountID)
 {
@@ -621,16 +607,13 @@ void DHTAccount::initTlsConfiguration()
     // TLS listener is unique and should be only modified through IP2IP_PROFILE
     pjsip_tls_setting_default(&tlsSetting_);
 
-    SFL_WARN("cacertPath_ : %s", cacertPath_.c_str());
-    SFL_WARN("certPath_ : %s", certPath_.c_str());
-    SFL_WARN("privkeyPath_ : %s", privkeyPath_.c_str());
-    pj_cstr(&tlsSetting_.ca_list_file, "");//cacertPath_.c_str()
+    pj_cstr(&tlsSetting_.ca_list_file, cacertPath_.c_str());
     pj_cstr(&tlsSetting_.cert_file, certPath_.c_str());
     pj_cstr(&tlsSetting_.privkey_file, privkeyPath_.c_str());
     pj_cstr(&tlsSetting_.password, "");
     tlsSetting_.method = PJSIP_TLSV1_METHOD;
-    tlsSetting_.ciphers_num = 0;//ciphers_.size();
-    tlsSetting_.ciphers = nullptr;//&ciphers_.front();
+    tlsSetting_.ciphers_num = 0;
+    tlsSetting_.ciphers = nullptr;
     tlsSetting_.verify_server = false;
     tlsSetting_.verify_client = false;
     tlsSetting_.require_client_cert = false;
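Review bot: The new `pj_cstr(&tlsSetting_.ca_list_file, cacertPath_.c_str())` makes `tlsSetting_` alias the internal buffer of `cacertPath_`, so any later reassignment of `cacertPath_` (or destruction of the account before the transport) leaves a dangling pointer in the settings; the same already holds for `cert_file` and `privkey_file` on the context lines, but the CA path is newly wired here. A short note would make the contract visible: `// ca_list_file/cert_file/privkey_file alias the path members' buffers; keep them alive and unchanged while tlsSetting_ is in use`. Note also that the CA list is now supplied while `verify_server` and `verify_client` stay `false` on the following lines, so peer certificates are not checked against it; if that is intentional for this account type, a one-line comment saying so would prevent the next reader from assuming the CA file is enforced. `initTlsConfiguration` starts before and continues past this hunk.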
diff --git a/daemon/src/dht/dhtaccount.h b/daemon/src/dht/dhtaccount.h
index 3df46c0724..b849274287 100644
--- a/daemon/src/dht/dhtaccount.h
+++ b/daemon/src/dht/dhtaccount.h
@@ -325,11 +325,6 @@ class DHTAccount : public SIPAccountBase {
          */
         pjsip_tls_setting tlsSetting_ {};
 
-        /**
-         * Allocate a vector to be used by pjsip to store the supported ciphers on this system.
-         */
-        CipherArray ciphers_ {TLS_CIPHER_LIST};
-
         /**
          * Optional: "received" parameter from VIA header
          */
diff --git a/daemon/src/sip/sipaccount.cpp b/daemon/src/sip/sipaccount.cpp
index e002d3a9f1..471b42a6d3 100644
--- a/daemon/src/sip/sipaccount.cpp
+++ b/daemon/src/sip/sipaccount.cpp
@@ -81,36 +81,10 @@ constexpr const char * const SIPAccount::ACCOUNT_TYPE;
 
 #if HAVE_TLS
 
-const CipherArray SIPAccount::TLSv1_DEFAULT_CIPHER_LIST = {
-    PJ_TLS_RSA_WITH_AES_256_CBC_SHA256,
-    PJ_TLS_RSA_WITH_AES_256_CBC_SHA,
-    PJ_TLS_RSA_WITH_AES_128_CBC_SHA256,
-    PJ_TLS_RSA_WITH_AES_128_CBC_SHA,
-    PJ_TLS_RSA_WITH_RC4_128_SHA,
-    PJ_TLS_RSA_WITH_RC4_128_MD5
-};
-
-const CipherArray SIPAccount::SSLv3_DEFAULT_CIPHER_LIST = {
-    PJ_TLS_RSA_WITH_AES_256_CBC_SHA256,
-    PJ_TLS_RSA_WITH_AES_256_CBC_SHA,
-    PJ_TLS_RSA_WITH_AES_128_CBC_SHA256,
-    PJ_TLS_RSA_WITH_AES_128_CBC_SHA,
-    PJ_TLS_RSA_WITH_RC4_128_SHA,
-    PJ_TLS_RSA_WITH_RC4_128_MD5
-};
-
-const CipherArray SIPAccount::SSLv23_DEFAULT_CIPHER_LIST = {
-    PJ_TLS_RSA_WITH_AES_256_CBC_SHA256,
-    PJ_TLS_RSA_WITH_AES_256_CBC_SHA,
-    PJ_TLS_RSA_WITH_AES_128_CBC_SHA256,
-    PJ_TLS_RSA_WITH_AES_128_CBC_SHA,
-    PJ_TLS_RSA_WITH_RC4_128_SHA,
-    PJ_TLS_RSA_WITH_RC4_128_MD5,
-    PJ_SSL_CK_DES_192_EDE3_CBC_WITH_MD5,
-    PJ_SSL_CK_RC4_128_WITH_MD5,
-    PJ_SSL_CK_IDEA_128_CBC_WITH_MD5,
-    PJ_SSL_CK_RC2_128_CBC_WITH_MD5,
-};
+// Empty cypher list will use default cypher list for the transport type on GnuTLS
+const CipherArray SIPAccount::TLSv1_DEFAULT_CIPHER_LIST = {};
+const CipherArray SIPAccount::SSLv3_DEFAULT_CIPHER_LIST = {};
+const CipherArray SIPAccount::SSLv23_DEFAULT_CIPHER_LIST = {};
 
 #endif
 
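Review bot: The three default lists are now identical empty arrays, so the TLSv1/SSLv3/SSLv23 distinction they expressed is gone and any call site that still hands pjsip `&list.front()` (the pattern the dhtaccount.cpp hunk removes in commented-out form) would be undefined behaviour on an empty container; please check the callers pass `ciphers = nullptr` with `ciphers_num = 0` when the list is empty. The new comment also states the fallback only for GnuTLS; the effective cipher set now depends on whichever SSL backend pjsip was built against, which is worth recording, e.g. `// Empty list: pjsip falls back to its SSL backend's default cipher list (GnuTLS in our build); other backends may differ`. Dropping the RC4/MD5/DES entries from the old SSLv3/SSLv23 lists is an improvement, but with three interchangeable empty constants it may be simpler to keep a single default to avoid suggesting a per-protocol choice that no longer exists.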
-- 
GitLab