From 800e545ae3d98ef03f450a6c724afb66071d3a6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrien=20B=C3=A9raud?= <adrien.beraud@savoirfairelinux.com>
Date: Wed, 12 Nov 2014 18:25:18 -0500
Subject: [PATCH] tls: don't hardcode a default cypher list
The crypto layer (GnuTLS) will provide a acceptable default list if no cypher is provided.
Refs #59541
Change-Id: I7114deb422c5cbaf34b27cfec29153a966a7af35
---
 daemon/src/dht/dhtaccount.cpp | 23 +++-------------------
 daemon/src/dht/dhtaccount.h | 5 -----
 daemon/src/sip/sipaccount.cpp | 34 ++++------------------------------
 3 files changed, 7 insertions(+), 55 deletions(-)
diff --git a/daemon/src/dht/dhtaccount.cpp b/daemon/src/dht/dhtaccount.cpp
index c03fdda166..8551e2e630 100644
--- a/daemon/src/dht/dhtaccount.cpp
+++ b/daemon/src/dht/dhtaccount.cpp
@@ -74,20 +74,6 @@ constexpr const char * const DHTAccount::ACCOUNT_TYPE;
-const CipherArray DHTAccount::TLS_CIPHER_LIST = {
- PJ_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
- PJ_TLS_DH_RSA_WITH_AES_256_CBC_SHA256,
- PJ_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
- PJ_TLS_DH_RSA_WITH_AES_128_CBC_SHA256,
- PJ_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
- PJ_TLS_DH_RSA_WITH_AES_256_CBC_SHA,
- PJ_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
- PJ_TLS_RSA_WITH_AES_256_CBC_SHA256,
- PJ_TLS_RSA_WITH_AES_256_CBC_SHA,
- PJ_TLS_RSA_WITH_AES_128_CBC_SHA256,
- PJ_TLS_RSA_WITH_AES_128_CBC_SHA
-};
-
 DHTAccount::DHTAccount(const std::string& accountID, bool /* presenceEnabled */)
 : SIPAccountBase(accountID)
 {
@@ -621,16 +607,13 @@ void DHTAccount::initTlsConfiguration()
 // TLS listener is unique and should be only modified through IP2IP_PROFILE
 pjsip_tls_setting_default(&tlsSetting_);
- SFL_WARN("cacertPath_ : %s", cacertPath_.c_str());
- SFL_WARN("certPath_ : %s", certPath_.c_str());
- SFL_WARN("privkeyPath_ : %s", privkeyPath_.c_str());
- pj_cstr(&tlsSetting_.ca_list_file, "");//cacertPath_.c_str()
+ pj_cstr(&tlsSetting_.ca_list_file, cacertPath_.c_str());
 pj_cstr(&tlsSetting_.cert_file, certPath_.c_str());
 pj_cstr(&tlsSetting_.privkey_file, privkeyPath_.c_str());
 pj_cstr(&tlsSetting_.password, "");
 tlsSetting_.method = PJSIP_TLSV1_METHOD;
- tlsSetting_.ciphers_num = 0;//ciphers_.size();
- tlsSetting_.ciphers = nullptr;//&ciphers_.front();
+ tlsSetting_.ciphers_num = 0;
+ tlsSetting_.ciphers = nullptr;
 tlsSetting_.verify_server = false;
 tlsSetting_.verify_client = false;
 tlsSetting_.require_client_cert = false;
diff --git a/daemon/src/dht/dhtaccount.h b/daemon/src/dht/dhtaccount.h
index 3df46c0724..b849274287 100644
--- a/daemon/src/dht/dhtaccount.h
+++ b/daemon/src/dht/dhtaccount.h
@@ -325,11 +325,6 @@ class DHTAccount : public SIPAccountBase {
 */
 pjsip_tls_setting tlsSetting_ {};
- /**
- * Allocate a vector to be used by pjsip to store the supported ciphers on this system.
- */
- CipherArray ciphers_ {TLS_CIPHER_LIST};
-
 /**
 * Optional: "received" parameter from VIA header
 */
diff --git a/daemon/src/sip/sipaccount.cpp b/daemon/src/sip/sipaccount.cpp
index e002d3a9f1..471b42a6d3 100644
--- a/daemon/src/sip/sipaccount.cpp
+++ b/daemon/src/sip/sipaccount.cpp
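Review bot: Wiring cacertPath_ into `tlsSetting_.ca_list_file` has no authentication effect while the context lines at the end of this hunk still set `tlsSetting_.verify_server = false;` and `tlsSetting_.verify_client = false;`, so the DHT account's TLS peers are not checked against the CA list being configured; either flip `verify_server` to `true` now that a CA file is supplied (and `verify_client` together with `require_client_cert` if mutual auth is wanted), or add a comment stating that verification is deliberately left off for now and why. A second point, hedged because pj_cstr's implementation is not in view: as far as I recall it stores the pointer from `cacertPath_.c_str()` rather than copying, so tlsSetting_ silently dangles if any of the *Path_ members is reassigned after this call — worth a one-line comment `// pj_str_t views into the *Path_ members; keep them alive as long as tlsSetting_`. The fixed `PJSIP_TLSV1_METHOD` on the line above the cipher settings also pins the handshake to a single, older protocol version rather than letting the backend negotiate. initTlsConfiguration's body continues outside the hunk.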
@@ -81,36 +81,10 @@ constexpr const char * const SIPAccount::ACCOUNT_TYPE;
 #if HAVE_TLS
-const CipherArray SIPAccount::TLSv1_DEFAULT_CIPHER_LIST = {
- PJ_TLS_RSA_WITH_AES_256_CBC_SHA256,
- PJ_TLS_RSA_WITH_AES_256_CBC_SHA,
- PJ_TLS_RSA_WITH_AES_128_CBC_SHA256,
- PJ_TLS_RSA_WITH_AES_128_CBC_SHA,
- PJ_TLS_RSA_WITH_RC4_128_SHA,
- PJ_TLS_RSA_WITH_RC4_128_MD5
-};
-
-const CipherArray SIPAccount::SSLv3_DEFAULT_CIPHER_LIST = {
- PJ_TLS_RSA_WITH_AES_256_CBC_SHA256,
- PJ_TLS_RSA_WITH_AES_256_CBC_SHA,
- PJ_TLS_RSA_WITH_AES_128_CBC_SHA256,
- PJ_TLS_RSA_WITH_AES_128_CBC_SHA,
- PJ_TLS_RSA_WITH_RC4_128_SHA,
- PJ_TLS_RSA_WITH_RC4_128_MD5
-};
-
-const CipherArray SIPAccount::SSLv23_DEFAULT_CIPHER_LIST = {
- PJ_TLS_RSA_WITH_AES_256_CBC_SHA256,
- PJ_TLS_RSA_WITH_AES_256_CBC_SHA,
- PJ_TLS_RSA_WITH_AES_128_CBC_SHA256,
- PJ_TLS_RSA_WITH_AES_128_CBC_SHA,
- PJ_TLS_RSA_WITH_RC4_128_SHA,
- PJ_TLS_RSA_WITH_RC4_128_MD5,
- PJ_SSL_CK_DES_192_EDE3_CBC_WITH_MD5,
- PJ_SSL_CK_RC4_128_WITH_MD5,
- PJ_SSL_CK_IDEA_128_CBC_WITH_MD5,
- PJ_SSL_CK_RC2_128_CBC_WITH_MD5,
-};
+// Empty cypher list will use default cypher list for the transport type on GnuTLS
+const CipherArray SIPAccount::TLSv1_DEFAULT_CIPHER_LIST = {};
+const CipherArray SIPAccount::SSLv3_DEFAULT_CIPHER_LIST = {};
+const CipherArray SIPAccount::SSLv23_DEFAULT_CIPHER_LIST = {};
 #endif
-- 
GitLab
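Review bot: Emptying the three default lists leaves their consumer in sipaccount.cpp (not in this hunk, and per the diffstat untouched by this commit) holding a zero-length CipherArray; if it still follows the pattern the now-removed comment in dhtaccount.cpp's initTlsConfiguration was mirroring (`ciphers_num = ciphers_.size(); ciphers = &ciphers_.front();`), then `front()` on an empty array is undefined behaviour and should become `tlsSetting_.ciphers = ciphers_.empty() ? nullptr : ciphers_.data();` with `ciphers_num` taken from `ciphers_.size()`. The new comment also makes a backend-specific promise ("on GnuTLS") for a pjsip setting that the other SSL backend (OpenSSL) consumes too, so it should either state the behaviour observed on both or say explicitly that only the GnuTLS build was verified. With all three constants now identical it is worth a sentence in the comment on why the per-method names are kept, so a later reader does not assume they differ. Minor: the comment spells it `cypher` while every identifier uses `cipher`.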