diff --git a/README.turnserver b/README.turnserver index df56d02..b2829eb 100644 --- a/README.turnserver +++ b/README.turnserver @@ -204,11 +204,14 @@ Flags: --dh1066 Use 1066 bits predefined DH TLS key. Default size of the key is 2066. ---no-tlsv1 Do not allow TLSv1/DTLSv1 protocol. +--no-tlsv1 Set TLSv1_1/DTLSv1.2 as a minimum supported protocol version. + With openssl-1.0.2 and below, do not allow TLSv1.2/DTLSv1.2 protocols. ---no-tlsv1_1 Do not allow TLSv1.1 protocol. +--no-tlsv1_1 Set TLSv1_2/DTLSv1.2 as a minimum supported protocol version. + With openssl-1.0.2 and below, do not allow TLSv1.1 protocol. ---no-tlsv1_2 Do not allow TLSv1.2/DTLSv1.2 protocol. +--no-tlsv1_2 Set TLSv1_3/DTLSv1.2 as a minimum supported protocol version. + With openssl-1.0.2 and below, do not allow TLSv1.2/DTLSv1.2 protocols. --no-udp Do not start UDP client listeners. diff --git a/examples/run_tests.sh b/examples/run_tests.sh index 30e6b6b..8468279 100755 --- a/examples/run_tests.sh +++ b/examples/run_tests.sh @@ -1,7 +1,7 @@ #!/bin/bash echo 'Running turnserver' -../bin/turnserver --use-auth-secret --static-auth-secret=secret --realm=north.gov --allow-loopback-peers --no-cli > /dev/null & +../bin/turnserver --use-auth-secret --static-auth-secret=secret --realm=north.gov --allow-loopback-peers --no-cli --cert ../examples/ca/turn_server_cert.pem --pkey ../examples/ca/turn_server_pkey.pem > /dev/null & echo 'Running peer client' ../bin/turnutils_peer -L 127.0.0.1 -L ::1 -L 0.0.0.0 > /dev/null & @@ -16,6 +16,15 @@ else exit $? fi +echo 'Running turn client TLS' +../bin/turnutils_uclient -t -S -e 127.0.0.1 -X -g -u user -W secret 127.0.0.1 | grep "start_mclient: tot_send_bytes ~ 1000, tot_recv_bytes ~ 1000" > /dev/null +if [ $? -eq 0 ]; then + echo OK +else + echo FAIL + exit $? +fi + echo 'Running turn client UDP' ../bin/turnutils_uclient -e 127.0.0.1 -X -g -u user -W secret 127.0.0.1 | grep "start_mclient: tot_send_bytes ~ 1000, tot_recv_bytes ~ 1000" > /dev/null if [ $? -eq 0 ]; then diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c index fa34ac1..5131e73 100644 --- a/src/apps/relay/mainrelay.c +++ b/src/apps/relay/mainrelay.c @@ -83,13 +83,7 @@ char HTTP_ALPN[128] = "http/1.1"; #define DEFAULT_GENERAL_RELAY_SERVERS_NUMBER (1) turn_params_t turn_params = { -NULL, NULL, -#if TLSv1_1_SUPPORTED NULL, -#if TLSv1_2_SUPPORTED - NULL, -#endif -#endif #if DTLS_SUPPORTED NULL, #endif @@ -603,9 +597,12 @@ static char Usage[] = "Usage: turnserver [options]\n" " --dh1066 Use 1066 bits predefined DH TLS key. Default size of the predefined key is 2066.\n" " --dh-file Use custom DH TLS key, stored in PEM format in the file.\n" " Flags --dh566 and --dh1066 are ignored when the DH key is taken from a file.\n" -" --no-tlsv1 Do not allow TLSv1/DTLSv1 protocol.\n" -" --no-tlsv1_1 Do not allow TLSv1.1 protocol.\n" -" --no-tlsv1_2 Do not allow TLSv1.2/DTLSv1.2 protocol.\n" +" --no-tlsv1 Set TLSv1_1/DTLSv1.2 as a minimum supported protocol version.\n" +" With openssl-1.0.2 and below, do not allow TLSv1/DTLSv1 protocols.\n" +" --no-tlsv1_1 Set TLSv1_2/DTLSv1.2 as a minimum supported protocol version.\n" +" With openssl-1.0.2 and below, do not allow TLSv1.1 protocol.\n" +" --no-tlsv1_2 Set TLSv1_3/DTLSv1.2 as a minimum supported protocol version.\n" +" With openssl-1.0.2 and below, do not allow TLSv1.2/DTLSv1.2 protocols.\n" " --no-udp Do not start UDP client listeners.\n" " --no-tcp Do not start TCP client listeners.\n" " --no-tls Do not start TLS client listeners.\n" @@ -3152,23 +3149,10 @@ static void set_ctx(SSL_CTX** out, const char *protocol, const SSL_METHOD* metho op |= SSL_OP_NO_SSLv2; #endif -#if defined(SSL_OP_NO_SSLv2) +#if defined(SSL_OP_NO_SSLv3) op |= SSL_OP_NO_SSLv3; #endif - if(turn_params.no_tlsv1) - op |= SSL_OP_NO_TLSv1; - -#if defined(SSL_OP_NO_TLSv1_1) - if(turn_params.no_tlsv1_1) - op |= SSL_OP_NO_TLSv1_1; -#endif - -#if defined(SSL_OP_NO_TLSv1_2) - if(turn_params.no_tlsv1_2) - op |= SSL_OP_NO_TLSv1_2; -#endif - #if defined(SSL_OP_NO_DTLSv1) && DTLS_SUPPORTED if(turn_params.no_tlsv1) op |= SSL_OP_NO_DTLSv1; @@ -3240,20 +3224,35 @@ static void openssl_load_certificates(void) { pthread_mutex_lock(&turn_params.tls_mutex); if(!turn_params.no_tls) { - set_ctx(&turn_params.tls_ctx_ssl23,"SSL23",SSLv23_server_method()); /*compatibility mode */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L + set_ctx(&turn_params.tls_ctx,"TLS", TLSv1_2_server_method()); /*openssl-1.0.2 version specific API */ if(!turn_params.no_tlsv1) { - set_ctx(&turn_params.tls_ctx_v1_0,"TLS1.0",TLSv1_server_method()); + SSL_CTX_set_options(turn_params.tls_ctx, SSL_OP_NO_TLSv1); } #if TLSv1_1_SUPPORTED if(!turn_params.no_tlsv1_1) { - set_ctx(&turn_params.tls_ctx_v1_1,"TLS1.1",TLSv1_1_server_method()); + SSL_CTX_set_options(turn_params.tls_ctx, SSL_OP_NO_TLSv1_1); } #if TLSv1_2_SUPPORTED if(!turn_params.no_tlsv1_2) { - set_ctx(&turn_params.tls_ctx_v1_2,"TLS1.2",TLSv1_2_server_method()); + SSL_CTX_set_options(turn_params.tls_ctx, SSL_OP_NO_TLSv1_2); } #endif #endif +#else // OPENSSL_VERSION_NUMBER < 0x10100000L + set_ctx(&turn_params.tls_ctx,"TLS", TLS_server_method()); + if(!turn_params.no_tlsv1) { + SSL_CTX_set_min_proto_version(turn_params.tls_ctx, TLS1_1_VERSION); + } + if(!turn_params.no_tlsv1_1) { + SSL_CTX_set_min_proto_version(turn_params.tls_ctx, TLS1_2_VERSION); + } +#if TLSv1_3_SUPPORTED + if(!turn_params.no_tlsv1_2) { + SSL_CTX_set_min_proto_version(turn_params.tls_ctx, TLS1_3_VERSION); + } +#endif +#endif // OPENSSL_VERSION_NUMBER < 0x10100000L TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "TLS cipher suite: %s\n",turn_params.cipher_list); } diff --git a/src/apps/relay/mainrelay.h b/src/apps/relay/mainrelay.h index 9c8a28c..2368f53 100644 --- a/src/apps/relay/mainrelay.h +++ b/src/apps/relay/mainrelay.h @@ -176,16 +176,7 @@ typedef struct _turn_params_ { //////////////// OpenSSL group ////////////////////// - SSL_CTX *tls_ctx_ssl23; - - SSL_CTX *tls_ctx_v1_0; - -#if TLSv1_1_SUPPORTED - SSL_CTX *tls_ctx_v1_1; -#if TLSv1_2_SUPPORTED - SSL_CTX *tls_ctx_v1_2; -#endif -#endif + SSL_CTX *tls_ctx; #if DTLS_SUPPORTED SSL_CTX *dtls_ctx; diff --git a/src/apps/relay/netengine.c b/src/apps/relay/netengine.c index 8c600a0..c464d5c 100644 --- a/src/apps/relay/netengine.c +++ b/src/apps/relay/netengine.c @@ -333,14 +333,7 @@ static void update_ssl_ctx(evutil_socket_t sock, short events, update_ssl_ctx_cb /* No mutex with "e" as these are only used in the same event loop */ pthread_mutex_lock(&turn_params.tls_mutex); - replace_one_ssl_ctx(&e->tls_ctx_ssl23, params->tls_ctx_ssl23); - replace_one_ssl_ctx(&e->tls_ctx_v1_0, params->tls_ctx_v1_0); -#if TLSv1_1_SUPPORTED - replace_one_ssl_ctx(&e->tls_ctx_v1_1, params->tls_ctx_v1_1); -#if TLSv1_2_SUPPORTED - replace_one_ssl_ctx(&e->tls_ctx_v1_2, params->tls_ctx_v1_2); -#endif -#endif + replace_one_ssl_ctx(&e->tls_ctx, params->tls_ctx); #if DTLS_SUPPORTED replace_one_ssl_ctx(&e->dtls_ctx, params->dtls_ctx); #endif diff --git a/src/apps/relay/ns_ioalib_engine_impl.c b/src/apps/relay/ns_ioalib_engine_impl.c index b2cbcec..89a40e3 100644 --- a/src/apps/relay/ns_ioalib_engine_impl.c +++ b/src/apps/relay/ns_ioalib_engine_impl.c @@ -2425,34 +2425,11 @@ static int socket_input_worker(ioa_socket_handle s) if(s->bev) { TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "!!!%s on socket: 0x%lx, st=%d, sat=%d: bev already exist\n", __FUNCTION__,(long)s, s->st, s->sat); } - switch(tls_type) { -#if TLSv1_2_SUPPORTED - case TURN_TLS_v1_2: - if(s->e->tls_ctx_v1_2) { - set_socket_ssl(s,SSL_new(s->e->tls_ctx_v1_2)); - } - break; -#endif -#if TLSv1_1_SUPPORTED - case TURN_TLS_v1_1: - if(s->e->tls_ctx_v1_1) { - set_socket_ssl(s,SSL_new(s->e->tls_ctx_v1_1)); - } - break; -#endif - case TURN_TLS_v1_0: - if(s->e->tls_ctx_v1_0) { - set_socket_ssl(s,SSL_new(s->e->tls_ctx_v1_0)); - } - break; - default: - if(s->e->tls_ctx_ssl23) { - set_socket_ssl(s,SSL_new(s->e->tls_ctx_ssl23)); - } else { - s->tobeclosed = 1; - return 0; - } - }; + + if(s->e->tls_ctx) { + set_socket_ssl(s,SSL_new(s->e->tls_ctx)); + } + if(s->ssl) { s->bev = bufferevent_openssl_socket_new(s->e->event_base, s->fd, @@ -2491,34 +2468,9 @@ static int socket_input_worker(ioa_socket_handle s) if(s->bev) { TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "!!!%s on socket: 0x%lx, st=%d, sat=%d: bev already exist\n", __FUNCTION__,(long)s, s->st, s->sat); } - switch(tls_type) { -#if TLSv1_2_SUPPORTED - case TURN_TLS_v1_2: - if(s->e->tls_ctx_v1_2) { - set_socket_ssl(s,SSL_new(s->e->tls_ctx_v1_2)); - } - break; -#endif -#if TLSv1_1_SUPPORTED - case TURN_TLS_v1_1: - if(s->e->tls_ctx_v1_1) { - set_socket_ssl(s,SSL_new(s->e->tls_ctx_v1_1)); - } - break; -#endif - case TURN_TLS_v1_0: - if(s->e->tls_ctx_v1_0) { - set_socket_ssl(s,SSL_new(s->e->tls_ctx_v1_0)); - } - break; - default: - if(s->e->tls_ctx_ssl23) { - set_socket_ssl(s,SSL_new(s->e->tls_ctx_ssl23)); - } else { - s->tobeclosed = 1; - return 0; - } - }; + if(s->e->tls_ctx) { + set_socket_ssl(s,SSL_new(s->e->tls_ctx)); + } if(s->ssl) { s->bev = bufferevent_openssl_socket_new(s->e->event_base, s->fd, @@ -3520,7 +3472,7 @@ int register_callback_on_ioa_socket(ioa_engine_handle e, ioa_socket_handle s, in #if TLS_SUPPORTED if(!(s->ssl)) { //??? how we can get to this point ??? - set_socket_ssl(s,SSL_new(e->tls_ctx_ssl23)); + set_socket_ssl(s,SSL_new(e->tls_ctx)); s->bev = bufferevent_openssl_socket_new(s->e->event_base, s->fd, s->ssl, diff --git a/src/apps/relay/ns_ioalib_impl.h b/src/apps/relay/ns_ioalib_impl.h index 69e748c..f239397 100644 --- a/src/apps/relay/ns_ioalib_impl.h +++ b/src/apps/relay/ns_ioalib_impl.h @@ -141,14 +141,7 @@ struct _ioa_engine turnipports* tp; rtcp_map *map_rtcp; stun_buffer_list bufs; - SSL_CTX *tls_ctx_ssl23; - SSL_CTX *tls_ctx_v1_0; -#if TLSv1_1_SUPPORTED - SSL_CTX *tls_ctx_v1_1; -#if TLSv1_2_SUPPORTED - SSL_CTX *tls_ctx_v1_2; -#endif -#endif + SSL_CTX *tls_ctx; #if DTLS_SUPPORTED SSL_CTX *dtls_ctx; #endif