Force TSL v1.0 and allow cipher suite configuration

Author: acv

src/conf.c

@@ -100,6 +100,7 @@ typedef enum {
 	oProxyPort,
 	oSSLPeerVerification,
 	oSSLCertPath,
+    oSSLAllowedCipherList,
 } OpCodes;
 
 /** @internal
@@ -142,6 +143,7 @@ static const struct {
 	{ "proxyport",			oProxyPort },
 	{ "sslpeerverification",		oSSLPeerVerification },
 	{ "sslcertpath",			oSSLCertPath },
+    { "sslallowedcipherlist",   oSSLAllowedCipherList },
 	{ NULL,				oBadOption },
 };
 
@@ -193,6 +195,7 @@ config_init(void)
 	config.proxy_port = 0;
 	config.ssl_certs = safe_strdup(DEFAULT_AUTHSERVSSLCERTPATH);
 	config.ssl_verify = DEFAULT_AUTHSERVSSLPEERVER;
+    config.ssl_cipher_list = NULL;
 }
 
 /**
@@ -738,13 +741,6 @@ config_read(const char *filename)
 				case oHTTPDPassword:
 					config.httpdpassword = safe_strdup(p1);
 					break;
-				case oBadOption:
-					debug(LOG_ERR, "Bad option on line %d "
-							"in %s.", linenum,
-							filename);
-					debug(LOG_ERR, "Exiting...");
-					exit(-1);
-					break;
 				case oCheckInterval:
 					sscanf(p1, "%d", &config.checkinterval);
 					break;
@@ -778,6 +774,21 @@ config_read(const char *filename)
 					debug(LOG_WARNING, "SSLPeerVerification is set but no SSL compiled in. Ignoring!");
 					#endif
                     break;
+                case oSSLAllowedCipherList:
+                    config.ssl_cipher_list = safe_strdup(p1);
+                    #ifndef USE_CYASSL
+                    debug(LOG_WARNING, "SSLAllowedCipherList is set but no SSL compiled in. Ignoring!");
+                    #endif
+                    break;
+				case oBadOption:
+                    /* FALL THROUGH */
+                default:
+					debug(LOG_ERR, "Bad option on line %d "
+							"in %s.", linenum,
+							filename);
+					debug(LOG_ERR, "Exiting...");
+					exit(-1);
+					break;
 				}
 			}
 		}

src/conf.h

@@ -171,6 +171,7 @@ typedef struct {
 		verification */
 	int ssl_verify;		/**< @brief boolean, whether to enable
 		auth server certificate verification */
+    char *ssl_cipher_list;  /**< @brief List of SSL ciphers allowed. Optional. */
     t_firewall_ruleset	*rulesets;	/**< @brief firewall rules */
     t_trusted_mac *trustedmaclist; /**< @brief list of trusted macs */
 } s_config;

src/simple_http.c

@@ -144,6 +144,7 @@ static pthread_mutex_t cyassl_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
 static CYASSL_CTX *
 get_cyassl_ctx(void)
 {
+    int err;
     CYASSL_CTX *ret;
 	s_config *config = config_get_config();
 
@@ -152,16 +153,26 @@ get_cyassl_ctx(void)
     if (NULL == cyassl_ctx) {
         CyaSSL_Init();
         /* Create the CYASSL_CTX */
-        /* Allow SSLv3 up to TLSv1.2 */
-        if ( (cyassl_ctx = CyaSSL_CTX_new(CyaSSLv23_client_method())) == NULL){
+        /* Allow TLSv1.0 up to TLSv1.2 */
+        if ( (cyassl_ctx = CyaSSL_CTX_new(CyaTLSv1_client_method())) == NULL){
             debug(LOG_ERR, "Could not create CYASSL context.");
             return NULL;
         }
 
+        if (config->ssl_cipher_list) {
+            debug(LOG_INFO, "Setting SSL cipher list to [%s]", config->ssl_cipher_list);
+            err = CyaSSL_CTX_set_cipher_list(cyassl_ctx, config->ssl_cipher_list);
+            if (SSL_SUCCESS != err) {
+                debug(LOG_ERR, "Could not load SSL cipher list (error %d)", err);
+                return NULL;
+            }
+        }
+
         if (config->ssl_verify) {
             /* Use trusted certs */
             /* Note: CyaSSL requires that the certificates are named by their hash values */
-            int err = CyaSSL_CTX_load_verify_locations(cyassl_ctx, NULL, config->ssl_certs);
+            debug(LOG_INFO, "Loading SSL certificates from %s", config->ssl_certs);
+            err = CyaSSL_CTX_load_verify_locations(cyassl_ctx, NULL, config->ssl_certs);
             if (err != SSL_SUCCESS) {
                 debug(LOG_ERR, "Could not load SSL certificates (error %d)", err);
                 if (err == ASN_UNKNOWN_OID_E) {
@@ -170,9 +181,8 @@ get_cyassl_ctx(void)
                     debug(LOG_ERR, "Make sure that SSLCertPath points to the correct path in the config file");
                     debug(LOG_ERR, "Or disable certificate loading with 'SSLPeerVerification No'.");
                 }
-                return NULL;;
+                return NULL;
             }
-            debug(LOG_INFO, "Loading SSL certificates from %s", config->ssl_certs);
         } else {
             CyaSSL_CTX_set_verify(cyassl_ctx, SSL_VERIFY_NONE, 0);
             debug(LOG_INFO, "Disabling SSL certificate verification!");

wifidog.conf

@@ -185,7 +185,6 @@ ClientTimeout 5
 #
 # SSLPeerVerification Yes
 
-
 # Parameter: SSLCertPath
 # Default: /etc/ssl/certs/
 # Optional
@@ -204,6 +203,20 @@ ClientTimeout 5
 #
 # SSLCertPath /etc/ssl/certs/ 
 
+# Parameter: SSLAllowedCipherList
+# Default: all ciphers supported
+# Optional
+#
+# Which cipher suite to allow. Note that CyaSSL will ignore cipher
+# suites that use algorithms that aren't compiled in or cipher
+# suites *WITH ERRORS IN THEIR NAMES*.
+#
+# Please see CyaSSL documentation for allowed values, format is a
+# string where the ciphers are separated by colons (:) with no
+# spaces. Ciphers are ordered from most desirable to least desirable.
+#
+# SSLAllowedCipherList ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES128-GCM-SHA256:ECDH-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:AES128-SHA:AES256-SHA
+
 # Parameter: TrustedMACList
 # Default: none
 # Optional