From 89a5600be1b08dd6dd4e2579949637f099e3a239 Mon Sep 17 00:00:00 2001
From: Pavel Punsky
Date: Thu, 19 Dec 2024 17:10:49 -0800
Subject: [PATCH] Drop TLS version support detection (#1617)
With requiring openssl version at least 1.1.1 all versions of TLS (up to and including 1.3) and DTLS 1.2 are supported
With that, no detection or ability to disable a version will be provided
---
 src/apps/common/apputils.h | 42 +++-----------------------------------
 src/apps/relay/mainrelay.c | 17 ++-------------
 src/apps/relay/mainrelay.h | 4 +---
 3 files changed, 6 insertions(+), 57 deletions(-)
diff --git a/src/apps/common/apputils.h b/src/apps/common/apputils.h
index 8800366..84a310a 100644
--- a/src/apps/common/apputils.h
+++ b/src/apps/common/apputils.h
@@ -58,68 +58,32 @@ extern int IS_TURN_SERVER;
 /* TLS */
 #if defined(TURN_NO_TLS)
-
 #define TLS_SUPPORTED 0
-#define TLSv1_1_SUPPORTED 0
-#define TLSv1_2_SUPPORTED 0
-
 #else
-
 #define TLS_SUPPORTED 1
-
-#if defined(SSL_OP_NO_TLSv1_1)
-#define TLSv1_1_SUPPORTED 1
-#else
-#define TLSv1_1_SUPPORTED 0
-#endif
-
-#if defined(SSL_OP_NO_TLSv1_2)
-#define TLSv1_2_SUPPORTED 1
-#else
-#define TLSv1_2_SUPPORTED 0
-#endif
-
-#if defined(SSL_OP_NO_TLSv1_3)
-#define TLSv1_3_SUPPORTED 1
-#else
-#define TLSv1_3_SUPPORTED 0
-#endif
-
 #endif
 #if defined(TURN_NO_DTLS)
-
 #define DTLS_SUPPORTED 0
-#define DTLSv1_2_SUPPORTED 0
-
 #else
-
 #define DTLS_SUPPORTED 1
-
-#if defined(SSL_OP_NO_DTLSv1_2)
-#define DTLSv1_2_SUPPORTED 1
-#else
-#define DTLSv1_2_SUPPORTED 0
-#endif
-
 #endif
 #define SSL_SESSION_ECDH_AUTO_SUPPORTED 1
 /////////// SSL //////////////////////////
+// clang-format off
 enum _TURN_TLS_TYPE {
   TURN_TLS_NO = 0,
   TURN_TLS_SSL23,
   TURN_TLS_v1_0,
-#if TLSv1_1_SUPPORTED
   TURN_TLS_v1_1,
-#if TLSv1_2_SUPPORTED
   TURN_TLS_v1_2,
-#endif
-#endif
+  TURN_TLS_v1_3,
   TURN_TLS_TOTAL
 };
+// clang-format on
 typedef enum _TURN_TLS_TYPE TURN_TLS_TYPE;
diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c
index 09a8c74..f318fe0 100644
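Review bot: The header now hard-codes TLS 1.0–1.3 and DTLS 1.2 as available, but nothing in the hunk enforces the OpenSSL ≥ 1.1.1 floor the commit message relies on, and the deleted `TLSv1_x_SUPPORTED` / `DTLSv1_2_SUPPORTED` macros fail silently if any file outside this patch still tests them: an undefined identifier in `#if` evaluates to 0, so a stale `#if TLSv1_3_SUPPORTED` would compile the "unsupported" path with no diagnostic. A guard next to the `TURN_NO_TLS` block would turn both problems into build errors: `#if !defined(TURN_NO_TLS) && OPENSSL_VERSION_NUMBER < 0x10101000L` / `#error "TLS support requires OpenSSL 1.1.1 or later"` / `#endif`, and compiling with `-Wundef` would flag any remaining references to the removed macros. Separately, inserting `TURN_TLS_v1_3` before `TURN_TLS_TOTAL` grows the enum, so any `switch` over `TURN_TLS_TYPE` or table indexed up to `TURN_TLS_TOTAL` elsewhere presumably needs a matching entry that this patch does not add.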
--- a/src/apps/relay/mainrelay.c
+++ b/src/apps/relay/mainrelay.c
@@ -2809,22 +2809,14 @@ static void print_features(unsigned long mfn) {
 #if !TLS_SUPPORTED
   TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "TLS is not supported\n");
-#elif TLSv1_3_SUPPORTED
+#else
   TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "TLS 1.3 supported\n");
-#elif TLSv1_2_SUPPORTED
-  TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "TLS 1.2 supported\n");
-#elif TLSv1_1_SUPPORTED
-  TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "TLS 1.1 supported\n");
-#elif TLSv1_SUPPORTED
-  TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "TLS 1.0 supported\n");
 #endif
 #if !DTLS_SUPPORTED
   TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "DTLS is not supported\n");
-#elif DTLSv1_2_SUPPORTED
+#else
   TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "DTLS 1.2 supported\n");
-#elif DTLS_SUPPORTED
-  TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "DTLS supported\n");
 #endif
   TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "TURN/STUN ALPN supported\n");
@@ -3567,10 +3559,7 @@ static void set_ctx(SSL_CTX **out, const char *protocol, const SSL_METHOD *metho
   SSL_CTX_set_cipher_list(ctx, turn_params.cipher_list);
   SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
-
-#if TLSv1_3_SUPPORTED
   SSL_CTX_set_ciphersuites(ctx, turn_params.cipher_list);
-#endif
   if (!SSL_CTX_use_certificate_chain_file(ctx, turn_params.cert_file)) {
     TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: ERROR: no certificate found\n", protocol);
@@ -3805,11 +3794,9 @@ static void openssl_load_certificates(void) {
   if (turn_params.no_tlsv1_1) {
     SSL_CTX_set_min_proto_version(turn_params.tls_ctx, TLS1_2_VERSION);
   }
-#if TLSv1_3_SUPPORTED
   if (turn_params.no_tlsv1_2) {
     SSL_CTX_set_min_proto_version(turn_params.tls_ctx, TLS1_3_VERSION);
   }
-#endif
   TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "TLS cipher suite: %s\n", turn_params.cipher_list);
 }
diff --git a/src/apps/relay/mainrelay.h b/src/apps/relay/mainrelay.h
index e43da39..5fb4aca 100644
--- a/src/apps/relay/mainrelay.h
+++ b/src/apps/relay/mainrelay.h
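Review bot: `SSL_CTX_set_ciphersuites(ctx, turn_params.cipher_list)` now runs unconditionally with its return value ignored, and it is handed the same string as `SSL_CTX_set_cipher_list` two lines above; the TLS 1.3 API only understands TLS 1.3 suite names (`TLS_AES_256_GCM_SHA384:...`), and OpenSSL rejects a non-empty list that names none of them, keeping its default suites, so an operator who restricted `cipher_list` in the TLS ≤1.2 syntax gets the default TLS 1.3 suites with no indication that the restriction did not apply. This was latent before behind `#if TLSv1_3_SUPPORTED`; now that TLS 1.3 is always on the failure should at least be surfaced: `if (!SSL_CTX_set_ciphersuites(ctx, turn_params.cipher_list)) {` / `  TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: ERROR: cipher list names no TLS 1.3 suites, OpenSSL defaults kept\n", protocol);` / `}`, and `SSL_CTX_set_cipher_list` deserves the same check. Whether a separate TLS 1.3 configuration knob is wanted is a design question beyond this hunk. set_ctx begins before the hunk and continues after it.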
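Review bot: Both `SSL_CTX_set_min_proto_version` calls discard their return value, and the newly unconditional `TLS1_3_VERSION` one is the risky case: OpenSSL returns 0 when the library cannot honour the requested minimum (for example a build configured with `no-tls1_3`), and on that path `--no-tlsv1_2` would be silently ignored, leaving TLS 1.2 enabled on `tls_ctx`. A hardening option that fails open should be loud: `if (!SSL_CTX_set_min_proto_version(turn_params.tls_ctx, TLS1_3_VERSION)) {` / `  TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "ERROR: cannot disable TLS 1.2, OpenSSL rejected TLS 1.3 as the minimum version\n");` / `}`, with the same treatment for the `TLS1_2_VERSION` call. A short comment would also help here, noting that the two `if`s are independent (with both flags set the second call wins) and that only `tls_ctx` is affected. openssl_load_certificates begins before the hunk.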
@@ -103,12 +103,10 @@ extern "C" {
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 #define DEFAULT_CIPHER_LIST OSSL_default_cipher_list()
-#if TLSv1_3_SUPPORTED
 #define DEFAULT_CIPHERSUITES OSSL_default_ciphersuites()
-#endif
 #else
 #define DEFAULT_CIPHER_LIST "DEFAULT"
-#if TLSv1_3_SUPPORTED && defined(TLS_DEFAULT_CIPHERSUITES)
+#if defined(TLS_DEFAULT_CIPHERSUITES)
 #define DEFAULT_CIPHERSUITES TLS_DEFAULT_CIPHERSUITES
 #endif
 #endif
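Review bot: In the `< 0x30000000L` branch `DEFAULT_CIPHERSUITES` is still only defined when `TLS_DEFAULT_CIPHERSUITES` is, so a build against an OpenSSL older than the 1.1.1 floor this patch assumes gets no error here and fails, if at all, at the first use of `DEFAULT_CIPHERSUITES` elsewhere with a less helpful message. With 1.1.1 now required, the remaining `#if defined(TLS_DEFAULT_CIPHERSUITES)` guard is better made a hard check: keep the `#define`, and add `#else` / `#error "OpenSSL 1.1.1 or later is required for TLS 1.3 ciphersuites"` before its `#endif`. The enclosing `extern "C"` block starts before the hunk.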