Add configuration option for TLS 1.3 ciphersuites #1118
Conversation
sysvinit
force-pushed
the
wireapp/tls1.3-ciphersuites
branch
from
0a4ac90
to
775f866
Compare
|
Thank you @sysvinit ! I do not like the idea of having additional configuration option of TLS 1.3 - there is a lot of duplication with no value It can be configured by the same string: according to openssl - same cipher list/suits can be passed to both APIs and the values that are unknown will be ignored. So when having TLS 1.3 available and enabled - also call See https://www.openssl.org/docs/manmaster/man3/OSSL_default_ciphersuites.html#NOTES Also better use |
Understandable, I can remove the separate option and call both API's with the same cipher string.
These functions were introduced in OpenSSL 3.0 and do not exist in OpenSSL 1.1 -- in particular, Debian stable ships with 1.1, which is what one of coturn's container images uses. We therefore can't just switch over to these new functions, as this would break compiling with older OpenSSL versions. Either we can continue using the deprecated defines, or test the version of OpenSSL in the preprocessor to select either the defines or the functions as appropriate. |
OpenSSL has separate API's for cipher configuration for TLSv1.2 (and below) and TLSv1.3. Previously, only the former API was called, which left no way to configure TLSv1.3 ciphersuites. The OpenSSL documentation says that the configuration strings for the 1.2 and 1.3 API's are compatible (and passing 1.2 ciphers to the 1.3 API will be ignored, and vice versa), so this commit extends the processing of the `--cipher-list` option to additionally configure TLS 1.3 ciphersuites where available.
sysvinit
force-pushed
the
wireapp/tls1.3-ciphersuites
branch
from
775f866
to
98f36d3
Compare
sysvinit
force-pushed
the
wireapp/tls1.3-ciphersuites
branch
from
3abbf51
to
b9558b6
Compare
src/apps/relay/mainrelay.c
Outdated
| strncpy(turn_params.cipher_list, DEFAULT_CIPHER_LIST, TURN_LONG_STRING_SIZE); | ||
| #if TLSv1_3_SUPPORTED | ||
| strncat(turn_params.cipher_list, ":", TURN_LONG_STRING_SIZE - 1); |
There was a problem hiding this comment.
Buffer overflow: max size allowed to be appended at this point is TURN_LONG_STRING_SIZE - strlen(turn_params.cipher_list)
src/apps/relay/mainrelay.c
Outdated
| strncpy(turn_params.cipher_list, DEFAULT_CIPHER_LIST, TURN_LONG_STRING_SIZE); | ||
| #if TLSv1_3_SUPPORTED | ||
| strncat(turn_params.cipher_list, ":", TURN_LONG_STRING_SIZE - 1); | ||
| strncat(turn_params.cipher_list, DEFAULT_CIPHERSUITES, TURN_LONG_STRING_SIZE - 1); |
|
@sysvinit I took the liberty to change the PR description slightly to reflect the change done (following the update you made). |
There are two different API's in OpenSSL for configuring TLS ciphers, one for TLS 1.2 and below, and another for TLS 1.3. coturn only calls the TLS 1.2 API when handling the
--cipher-listconfiguration option, which means that it's not possible to use non-default ciphersuites with TLS 1.3 connections.This PR introduces a new
--ciphersuitesoption, which calls the appropriate OpenSSL API to allow TLS 1.3 ciphersuites to be configured.