Add configuration option for TLS 1.3 ciphersuites (#1118)

There are two different APIs in OpenSSL for configuring TLS ciphers,
one for TLS 1.2 and below, and another for TLS 1.3. coturn only calls
the TLS 1.2 API when handling the `--cipher-list` configuration option,
which means that it's not possible to use non-default ciphersuites with
TLS 1.3 connections.

This PR calls appropriate OpenSSL API to allow TLS 1.3 ciphersuites to be configured.
Molly Miller 2022-12-17 00:53:36 +01:00 committed by GitHub
parent 39d293c34d
commit 902cb99849
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 35 additions and 13 deletions


@ -484,7 +484,8 @@ Options with values:
--pkey-pwd If the private key file is encrypted, then this password to be used. --pkey-pwd If the private key file is encrypted, then this password to be used.
--cipher-list Allowed OpenSSL cipher list for TLS/DTLS connections. --cipher-list Allowed OpenSSL cipher list for TLS/DTLS connections.
Default value is "DEFAULT". Default value is "DEFAULT" for TLS/DTLS versions up to TLSv1.2/DTLSv1.2,
and the library default ciphersuites for TLSv1.3.
--CA-file CA file in OpenSSL format. --CA-file CA file in OpenSSL format.
Forces TURN server to verify the client SSL certificates. Forces TURN server to verify the client SSL certificates.


@ -710,7 +710,8 @@ If the private key file is encrypted, then this password to be used.
.B .B
\fB\-\-cipher\-list\fP \fB\-\-cipher\-list\fP
Allowed OpenSSL cipher list for TLS/DTLS connections. Allowed OpenSSL cipher list for TLS/DTLS connections.
Default value is "DEFAULT". Default value is "DEFAULT" for TLS/DTLS versions up to TLSv1.2/DTLSv1.2,
and the library default ciphersuites for TLSv1.3.
.TP .TP
.B .B
\fB\-\-CA\-file\fP \fB\-\-CA\-file\fP


@ -1105,8 +1105,10 @@ static char Usage[] =
" If both --no-tls and --no-dtls options\n" " If both --no-tls and --no-dtls options\n"
" --pkey-pwd <password> If the private key file is encrypted, then this password to be " " --pkey-pwd <password> If the private key file is encrypted, then this password to be "
"used.\n" "used.\n"
" --cipher-list <\"cipher-string\"> Allowed OpenSSL cipher list for TLS/DTLS connections.\n" " --cipher-list <cipher-string> Allowed OpenSSL cipher list for TLS/DTLS connections.\n"
" Default value is \"DEFAULT\".\n" " Default value is \"DEFAULT\" for TLS/DTLS versions up to "
"TLSv1.2/DTLSv1.2,\n"
" and the library default ciphersuites for TLSv1.3.\n"
" --CA-file <filename> CA file in OpenSSL format.\n" " --CA-file <filename> CA file in OpenSSL format.\n"
" Forces TURN server to verify the client SSL certificates.\n" " Forces TURN server to verify the client SSL certificates.\n"
" By default, no CA is set and no client certificate check is " " By default, no CA is set and no client certificate check is "
@ -1123,14 +1125,14 @@ static char Usage[] =
" --dh-file <dh-file-name> Use custom DH TLS key, stored in PEM format in the file.\n" " --dh-file <dh-file-name> Use custom DH TLS key, stored in PEM format in the file.\n"
" Flags --dh566 and --dh1066 are ignored when the DH key is taken from a " " Flags --dh566 and --dh1066 are ignored when the DH key is taken from a "
"file.\n" "file.\n"
" --no-tlsv1 Set TLSv1_1/DTLSv1.2 as a minimum supported protocol version.\n" " --no-tlsv1 Set TLSv1.1/DTLSv1.2 as a minimum supported protocol version.\n"
" With openssl-1.0.2 and below, do not allow " " With openssl-1.0.2 and below, do not allow "
"TLSv1/DTLSv1 protocols.\n" "TLSv1/DTLSv1 protocols.\n"
" --no-tlsv1_1 Set TLSv1_2/DTLSv1.2 as a minimum supported protocol version.\n" " --no-tlsv1_1 Set TLSv1.2/DTLSv1.2 as a minimum supported protocol version.\n"
" With openssl-1.0.2 and below, do not allow TLSv1.1 " " With openssl-1.0.2 and below, do not allow TLSv1.1 "
"protocol.\n" "protocol.\n"
" --no-tlsv1_2 Set TLSv1_3/DTLSv1.2 as a minimum supported protocol version.\n" " --no-tlsv1_2 Set TLSv1.3/DTLSv1.2 as a minimum supported protocol version.\n"
" With openssl-1.0.2 and below, do not allow " " With openssl-1.0.2 and below, do not allow "
"TLSv1.2/DTLSv1.2 protocols.\n" "TLSv1.2/DTLSv1.2 protocols.\n"
" --no-udp Do not start UDP client listeners.\n" " --no-udp Do not start UDP client listeners.\n"
" --no-tcp Do not start TCP client listeners.\n" " --no-tcp Do not start TCP client listeners.\n"
@ -1227,7 +1229,7 @@ static char Usage[] =
"back to this default.\n" "back to this default.\n"
" The standard RFC explicitly define actually that this default must be " " The standard RFC explicitly define actually that this default must be "
"IPv4,\n" "IPv4,\n"
" so use other option values with care!\n" " so use other option values with care!\n"
" --no-cli Turn OFF the CLI support. By default it is always ON.\n" " --no-cli Turn OFF the CLI support. By default it is always ON.\n"
" --cli-ip=<IP> Local system IP address to be used for CLI server endpoint. " " --cli-ip=<IP> Local system IP address to be used for CLI server endpoint. "
"Default value\n" "Default value\n"
@ -3524,12 +3526,21 @@ static void set_ctx(SSL_CTX **out, const char *protocol, const SSL_METHOD *metho
SSL_CTX_set_default_passwd_cb(ctx, pem_password_func); SSL_CTX_set_default_passwd_cb(ctx, pem_password_func);
if (!(turn_params.cipher_list[0])) if (!(turn_params.cipher_list[0])) {
strncpy(turn_params.cipher_list, DEFAULT_CIPHER_LIST, TURN_LONG_STRING_SIZE); strncpy(turn_params.cipher_list, DEFAULT_CIPHER_LIST, TURN_LONG_STRING_SIZE);
#if TLSv1_3_SUPPORTED
strncat(turn_params.cipher_list, ":", TURN_LONG_STRING_SIZE - strlen(turn_params.cipher_list));
strncat(turn_params.cipher_list, DEFAULT_CIPHERSUITES, TURN_LONG_STRING_SIZE - strlen(turn_params.cipher_list));
#endif
}
SSL_CTX_set_cipher_list(ctx, turn_params.cipher_list); SSL_CTX_set_cipher_list(ctx, turn_params.cipher_list);
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
#if TLSv1_3_SUPPORTED
SSL_CTX_set_ciphersuites(ctx, turn_params.cipher_list);
#endif
if (!SSL_CTX_use_certificate_chain_file(ctx, turn_params.cert_file)) { if (!SSL_CTX_use_certificate_chain_file(ctx, turn_params.cert_file)) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: ERROR: no certificate found\n", protocol); TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: ERROR: no certificate found\n", protocol);
err = 1; err = 1;
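Review bot: The return value of the new `SSL_CTX_set_ciphersuites(ctx, turn_params.cipher_list)` call is not checked (nor is the `SSL_CTX_set_cipher_list` call above it), so a `--cipher-list` that names no TLSv1.3 ciphersuite is rejected by OpenSSL and the context silently keeps the library default TLSv1.3 suites — the operator believes a restriction is in force when it is not, and nothing reaches the log; the same function already logs and sets `err = 1` when the certificate cannot be loaded, so the cipher calls should at least follow that pattern (whether a TLSv1.3 mismatch is fatal or a warning is a policy choice, since existing TLSv1.2-only lists would otherwise start failing). The bound on the two new `strncat` lines is also off by one: strncat appends up to n bytes and then writes the terminator, so the limit must be `TURN_LONG_STRING_SIZE - strlen(turn_params.cipher_list) - 1` (assuming cipher_list is a char array of TURN_LONG_STRING_SIZE — its declaration is not on this page), and a single `snprintf` removes the arithmetic and the unterminated-`strncpy` case together. Passing the combined string to both APIs works because each one skips names it does not recognise; a one-line comment saying so would save the next reader from "fixing" it. set_ctx begins before and continues after this hunk, so what `err` ultimately does cannot be seen here.
```c
  if (!(turn_params.cipher_list[0])) {
#if TLSv1_3_SUPPORTED
    /* One bounded write; each OpenSSL API keeps only the names it recognises. */
    snprintf(turn_params.cipher_list, TURN_LONG_STRING_SIZE, "%s:%s", DEFAULT_CIPHER_LIST, DEFAULT_CIPHERSUITES);
#else
    snprintf(turn_params.cipher_list, TURN_LONG_STRING_SIZE, "%s", DEFAULT_CIPHER_LIST);
#endif
  }
  if (!SSL_CTX_set_cipher_list(ctx, turn_params.cipher_list)) {
    TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: ERROR: invalid cipher list\n", protocol);
    err = 1;
  }
  SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
#if TLSv1_3_SUPPORTED
  /* A list naming no TLSv1.3 suite is rejected and the library defaults stay
   * in effect; that must at least be visible in the log. */
  if (!SSL_CTX_set_ciphersuites(ctx, turn_params.cipher_list)) {
    TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "%s: WARNING: no TLSv1.3 ciphersuites in cipher list, keeping library defaults\n", protocol);
  }
#endif
  /* … unchanged: certificate chain loading … */
```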


@ -102,8 +102,17 @@ extern "C" {
#define DEFAULT_CONFIG_FILE "turnserver.conf" #define DEFAULT_CONFIG_FILE "turnserver.conf"
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
#define DEFAULT_CIPHER_LIST OSSL_default_cipher_list()
#if TLSv1_3_SUPPORTED
#define DEFAULT_CIPHERSUITES OSSL_default_ciphersuites()
#endif
#else
#define DEFAULT_CIPHER_LIST "DEFAULT" #define DEFAULT_CIPHER_LIST "DEFAULT"
/* "ALL:eNULL:aNULL:NULL" */ #if TLSv1_3_SUPPORTED
#define DEFAULT_CIPHERSUITES TLS_DEFAULT_CIPHERSUITES
#endif
#endif
#define DEFAULT_EC_CURVE_NAME "prime256v1" #define DEFAULT_EC_CURVE_NAME "prime256v1"
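Review bot: The new `#if TLSv1_3_SUPPORTED` guards only behave as intended if that macro is already defined when this header is preprocessed; an identifier that is undefined inside `#if` silently evaluates to 0, so an include-order mistake would leave DEFAULT_CIPHERSUITES undefined and surface only as an unrelated "undeclared identifier" error at the `#if TLSv1_3_SUPPORTED` block in mainrelay.c. This header's own includes are not on the page, so if TLSv1_3_SUPPORTED comes from another header, include that header here, and document the contract above the block: `/* DEFAULT_CIPHERSUITES (TLSv1.3) is only defined when TLSv1_3_SUPPORTED is set; both it and DEFAULT_CIPHER_LIST may be function calls on OpenSSL 3.x, not string literals. */`. That second half matters because on OpenSSL >= 3.0 DEFAULT_CIPHER_LIST now expands to `OSSL_default_cipher_list()`, so any other use that relied on it being a literal (adjacent-string concatenation, `sizeof`) would break — worth a grep that cannot be done from here. The enclosing `extern "C" {` block opens and closes outside this hunk.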