diff --git a/README.turnserver b/README.turnserver
index c8a8dc6..581f422 100644
--- a/README.turnserver
+++ b/README.turnserver
@@ -484,7 +484,8 @@ Options with values:
 --pkey-pwd If the private key file is encrypted, then this password to be used.
 --cipher-list Allowed OpenSSL cipher list for TLS/DTLS connections.
- Default value is "DEFAULT".
+ Default value is "DEFAULT" for TLS/DTLS versions up to TLSv1.2/DTLSv1.2,
+ and the library default ciphersuites for TLSv1.3.
 --CA-file CA file in OpenSSL format.
 Forces TURN server to verify the client SSL certificates.
diff --git a/man/man1/turnserver.1 b/man/man1/turnserver.1
index 9d2059b..9932068 100644
--- a/man/man1/turnserver.1
+++ b/man/man1/turnserver.1
@@ -710,7 +710,8 @@ If the private key file is encrypted, then this password to be used.
 .B \fB\-\-cipher\-list\fP
 Allowed OpenSSL cipher list for TLS/DTLS connections.
-Default value is "DEFAULT".
+Default value is "DEFAULT" for TLS/DTLS versions up to TLSv1.2/DTLSv1.2,
+and the library default ciphersuites for TLSv1.3.
 .TP
 .B \fB\-\-CA\-file\fP
diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c
index ef5da09..4f9f310 100644
--- a/src/apps/relay/mainrelay.c
+++ b/src/apps/relay/mainrelay.c
@@ -1105,8 +1105,10 @@ static char Usage[] =
  " If both --no-tls and --no-dtls options\n"
  " --pkey-pwd If the private key file is encrypted, then this password to be " "used.\n"
- " --cipher-list <\"cipher-string\"> Allowed OpenSSL cipher list for TLS/DTLS connections.\n"
- " Default value is \"DEFAULT\".\n"
+ " --cipher-list Allowed OpenSSL cipher list for TLS/DTLS connections.\n"
+ " Default value is \"DEFAULT\" for TLS/DTLS versions up to " "TLSv1.2/DTLSv1.2,\n"
+ " and the library default ciphersuites for TLSv1.3.\n"
  " --CA-file CA file in OpenSSL format.\n"
  " Forces TURN server to verify the client SSL certificates.\n"
  " By default, no CA is set and no client certificate check is "
@@ -1123,14 +1125,14 @@ static char Usage[] =
  " --dh-file Use custom DH TLS key, stored in PEM format in the file.\n"
  " Flags --dh566 and --dh1066 are ignored when the DH key is taken from a " "file.\n"
- " --no-tlsv1 Set TLSv1_1/DTLSv1.2 as a minimum supported protocol version.\n"
- " With openssl-1.0.2 and below, do not allow " "TLSv1/DTLSv1 protocols.\n"
+ " --no-tlsv1 Set TLSv1.1/DTLSv1.2 as a minimum supported protocol version.\n"
+ " With openssl-1.0.2 and below, do not allow " "TLSv1/DTLSv1 protocols.\n"
- " --no-tlsv1_1 Set TLSv1_2/DTLSv1.2 as a minimum supported protocol version.\n"
- " With openssl-1.0.2 and below, do not allow TLSv1.1 " "protocol.\n"
+ " --no-tlsv1_1 Set TLSv1.2/DTLSv1.2 as a minimum supported protocol version.\n"
+ " With openssl-1.0.2 and below, do not allow TLSv1.1 " "protocol.\n"
- " --no-tlsv1_2 Set TLSv1_3/DTLSv1.2 as a minimum supported protocol version.\n"
- " With openssl-1.0.2 and below, do not allow " "TLSv1.2/DTLSv1.2 protocols.\n"
+ " --no-tlsv1_2 Set TLSv1.3/DTLSv1.2 as a minimum supported protocol version.\n"
+ " With openssl-1.0.2 and below, do not allow " "TLSv1.2/DTLSv1.2 protocols.\n"
  " --no-udp Do not start UDP client listeners.\n"
  " --no-tcp Do not start TCP client listeners.\n"
@@ -1227,7 +1229,7 @@ static char Usage[] =
  "back to this default.\n"
  " The standard RFC explicitly define actually that this default must be " "IPv4,\n"
- " so use other option values with care!\n"
+ " so use other option values with care!\n"
  " --no-cli Turn OFF the CLI support. By default it is always ON.\n"
  " --cli-ip= Local system IP address to be used for CLI server endpoint. " "Default value\n"
@@ -3524,12 +3526,21 @@ static void set_ctx(SSL_CTX **out, const char *protocol, const SSL_METHOD *metho
  SSL_CTX_set_default_passwd_cb(ctx, pem_password_func);
- if (!(turn_params.cipher_list[0]))
+ if (!(turn_params.cipher_list[0])) {
  strncpy(turn_params.cipher_list, DEFAULT_CIPHER_LIST, TURN_LONG_STRING_SIZE);
+#if TLSv1_3_SUPPORTED
+ strncat(turn_params.cipher_list, ":", TURN_LONG_STRING_SIZE - strlen(turn_params.cipher_list));
+ strncat(turn_params.cipher_list, DEFAULT_CIPHERSUITES, TURN_LONG_STRING_SIZE - strlen(turn_params.cipher_list));
+#endif
+ }
  SSL_CTX_set_cipher_list(ctx, turn_params.cipher_list);
  SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+#if TLSv1_3_SUPPORTED
+ SSL_CTX_set_ciphersuites(ctx, turn_params.cipher_list);
+#endif
+
  if (!SSL_CTX_use_certificate_chain_file(ctx, turn_params.cert_file)) {
  TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: ERROR: no certificate found\n", protocol);
  err = 1;
diff --git a/src/apps/relay/mainrelay.h b/src/apps/relay/mainrelay.h
index c6bc003..b150959 100644
--- a/src/apps/relay/mainrelay.h
+++ b/src/apps/relay/mainrelay.h
@@ -102,8 +102,17 @@ extern "C" {
 #define DEFAULT_CONFIG_FILE "turnserver.conf"
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#define DEFAULT_CIPHER_LIST OSSL_default_cipher_list()
+#if TLSv1_3_SUPPORTED
+#define DEFAULT_CIPHERSUITES OSSL_default_ciphersuites()
+#endif
+#else
 #define DEFAULT_CIPHER_LIST "DEFAULT"
-/* "ALL:eNULL:aNULL:NULL" */
+#if TLSv1_3_SUPPORTED
+#define DEFAULT_CIPHERSUITES TLS_DEFAULT_CIPHERSUITES
+#endif
+#endif
 #define DEFAULT_EC_CURVE_NAME "prime256v1"
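Review bot: The two new strncat calls in set_ctx are bounded one byte too generously: strncat(dst, src, n) copies up to n bytes and then always writes a terminating NUL, so with `TURN_LONG_STRING_SIZE - strlen(turn_params.cipher_list)` the terminator can land one past the end of cipher_list, which the adjacent strncpy suggests is a TURN_LONG_STRING_SIZE buffer, and strncpy itself leaves no terminator when DEFAULT_CIPHER_LIST fills it, making the following strlen unbounded; one snprintf per branch is always bounded and terminated. Separately, neither SSL_CTX_set_cipher_list nor the new SSL_CTX_set_ciphersuites call has its return value checked, and in current OpenSSL both return 0 and leave the previously configured library defaults in place when nothing in the string matches, so a mistyped operator-supplied --cipher-list silently runs with the defaults instead of the intended restricted policy; the certificate check a few lines below already uses the TURN_LOG_FUNC / err = 1 pattern and at least the TLSv1.2 setter should do the same. A TLSv1.3 mismatch is expected whenever the operator lists only TLSv1.2 suites (the new usage text documents that TLSv1.3 then keeps the library defaults), so that one should be logged rather than treated as fatal. A one-line comment that the same combined string is deliberately handed to both setters and relies on each parser ignoring the other's suite names would also help the next reader. set_ctx begins and ends outside this hunk.
```c
  if (!(turn_params.cipher_list[0])) {
#if TLSv1_3_SUPPORTED
    /* Single bounded, NUL-terminated write instead of strncpy + strncat. */
    snprintf(turn_params.cipher_list, TURN_LONG_STRING_SIZE, "%s:%s", DEFAULT_CIPHER_LIST, DEFAULT_CIPHERSUITES);
#else
    snprintf(turn_params.cipher_list, TURN_LONG_STRING_SIZE, "%s", DEFAULT_CIPHER_LIST);
#endif
  }

  /* The same string feeds both setters; each ignores the other's suite names. */
  if (!SSL_CTX_set_cipher_list(ctx, turn_params.cipher_list)) {
    TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: ERROR: no usable TLS/DTLS cipher in \"%s\"\n", protocol, turn_params.cipher_list);
    err = 1;
  }

  SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);

#if TLSv1_3_SUPPORTED
  /* Not fatal: a TLSv1.2-only list leaves TLSv1.3 on the library defaults. */
  if (!SSL_CTX_set_ciphersuites(ctx, turn_params.cipher_list)) {
    TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: no TLSv1.3 ciphersuite in \"%s\", keeping library defaults\n", protocol, turn_params.cipher_list);
  }
#endif

  /* … unchanged: certificate chain and private key loading … */
```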
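Review bot: The new `#if OPENSSL_VERSION_NUMBER >= 0x30000000L` in mainrelay.h silently selects the `#else` branch when no OpenSSL header has been included before this point, because an undefined macro evaluates to 0 inside `#if`; the same applies to `TLSv1_3_SUPPORTED`, which this hunk does not define, and the include lines of mainrelay.h are outside the hunk so I cannot confirm either is visible here. Making the dependency explicit avoids a build that quietly compiles against the wrong branch: `#ifndef OPENSSL_VERSION_NUMBER` / `#error "mainrelay.h requires <openssl/opensslv.h> to be included first"` / `#endif` above the new `#if`. Note also that under OpenSSL 3 DEFAULT_CIPHER_LIST and DEFAULT_CIPHERSUITES now expand to function calls rather than string literals, so they can no longer be used in a static initialiser or concatenated with an adjacent literal; a one-line comment saying so next to the `#define` lines would spare the next maintainer a confusing compile error.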