
Murmur: add 'sslCiphers' option to allow server admins full control o…

…f Murmur's advertised TLS cipher suites.

This commit adds the 'sslCiphers' option to Murmur.

The 'sslCiphers' option is used to configure the list of advertised
TLS cipher suites. The option lives on Meta, so it is a server-wide
configuration, and cannot be configured on a per-virtual-server basis.

The 'sslCiphers' option uses the OpenSSL's cipher list format to
describe the cipher suite selection. For more information on this
format, see:

https://www.openssl.org/docs/apps/ciphers.html#CIPHER-LIST-FORMAT
mkrautz committed May 21, 2015
1 parent 49f57d3 commit a3f93f780142a0a016f9e355aab5fe71b4435be1
Showing with 38 additions and 8 deletions.
  1. +18 −0 scripts/murmur.ini
  2. +19 −8 src/murmur/Meta.cpp
  3. +1 −0 src/murmur/Meta.h
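--- a/scripts/murmur.ini
+++ b/scripts/murmur.ini
@@ -160,6 +160,24 @@ users=100
 #sslCert=
 #sslKey=
 
+# The sslCiphers option chooses the cipher suites to make available for use
+# in SSL/TLS. This option is server-wide, and cannot be set on a
+# per-virtual-server basis.
+#
+# This option is specified using OpenSSL cipher list notation (see
+# https://www.openssl.org/docs/apps/ciphers.html#CIPHER-LIST-FORMAT).
+#
+# It is recommended that you try your cipher string using 'openssl ciphers <string>'
+# before setting it here, to get a feel for which cipher suites you will get.
+#
+# After setting this option, it is recommend that you inspect your Murmur log
+# to ensure that Murmur is using the cipher suites that you expected it to.
+#
+# Note: Changing this option may impact the backwards compatibility of your
+# Murmur server, and can remove the ability for older Mumble clients to be able
+# to connect to it.
+#sslCiphers=EECDH+AESGCM:AES256-SHA:AES128-SHA
+
 # If Murmur is started as root, which user should it switch to?
 # This option is ignored if Murmur isn't started with root privileges.
 #uname=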
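Review bot: The new comment block for `sslCiphers` never says what happens when the string is bad, yet the Meta.cpp change in this same commit calls qFatal when the parsed list comes back empty, so a typo in this option stops Murmur from starting instead of falling back to the built-in default; I would add after the 'openssl ciphers' advice: `# Murmur refuses to start if the string is invalid or matches no cipher suite available in the OpenSSL it was built against.` The example value also lists `AES256-SHA` and `AES128-SHA`, which in OpenSSL naming are static-RSA CBC suites without forward secrecy, so a one-line remark that they are there for older-client compatibility and can be dropped when that is not needed would make the trade-off the existing 'Note:' alludes to concrete. Whether the example string equals `MumbleSSL::defaultOpenSSLCipherString()` is not visible on this page, so the comment should not present it as the default.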
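--- a/src/murmur/Meta.cpp
+++ b/src/murmur/Meta.cpp
@@ -38,6 +38,7 @@
 #include "Server.h"
 #include "OSInfo.h"
 #include "Version.h"
+#include "SSL.h"
 
 MetaParams Meta::mp;
 
@@ -90,6 +91,8 @@ MetaParams::MetaParams() {
 qrUserName = QRegExp(QLatin1String("[-=\\w\\[\\]\\{\\}\\(\\)\\@\\|\\.]+"));
 qrChannelName = QRegExp(QLatin1String("[ \\-=\\w\\#\\[\\]\\{\\}\\(\\)\\@\\|]+"));
 
+qsCiphers = MumbleSSL::defaultOpenSSLCipherString();
+
 qsSettings = NULL;
 }
 
@@ -358,6 +361,8 @@ void MetaParams::read(QString fname) {
 bSendVersion = typeCheckedFromSettings("sendversion", bSendVersion);
 bAllowPing = typeCheckedFromSettings("allowping", bAllowPing);
 
+qsCiphers = typeCheckedFromSettings("sslCiphers", qsCiphers);
+
 QString qsSSLCert = qsSettings->value("sslCert").toString();
 QString qsSSLKey = qsSettings->value("sslKey").toString();
 QString qsSSLCA = qsSettings->value("sslCA").toString();
@@ -440,15 +445,20 @@ void MetaParams::read(QString fname) {
 qFatal("Qt without SSL Support");
 }
 
-QList<QSslCipher> pref;
-foreach(QSslCipher c, QSslSocket::defaultCiphers()) {
-if (c.usedBits() < 128)
-continue;
-pref << c;
+{
+QList<QSslCipher> ciphers = MumbleSSL::ciphersFromOpenSSLCipherString(qsCiphers);
+if (ciphers.isEmpty()) {
+qFatal("Invalid sslCiphers option. Either the cipher string is invalid or none of the ciphers are available: \"%s\"", qPrintable(qsCiphers));
+}
+
+QSslSocket::setDefaultCiphers(ciphers);
+
+QStringList pref;
+foreach (QSslCipher c, ciphers) {
+pref << c.name();
+}
+qWarning("Meta: TLS cipher preference is \"%s\"", qPrintable(pref.join(QLatin1String(":"))));
 }
-if (pref.isEmpty())
-qFatal("No SSL ciphers of at least 128 bit found");
-QSslSocket::setDefaultCiphers(pref);
 
 qWarning("OpenSSL: %s", SSLeay_version(SSLEAY_VERSION));
 
@@ -488,6 +498,7 @@ void MetaParams::read(QString fname) {
 qmConfig.insert(QLatin1String("suggestpushtotalk"), qvSuggestPushToTalk.isNull() ? QString() : qvSuggestPushToTalk.toString());
 qmConfig.insert(QLatin1String("opusthreshold"), QString::number(iOpusThreshold));
 qmConfig.insert(QLatin1String("channelnestinglimit"), QString::number(iChannelNestingLimit));
+qmConfig.insert(QLatin1String("sslCiphers"), qsCiphers);
 }
 
 Meta::Meta() {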
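Review bot: The `c.usedBits() < 128` filter that the removed loop applied is gone, so an `sslCiphers` string that admits RC4, 3DES or export-grade suites is now installed at `QSslSocket::setDefaultCiphers(ciphers)` with nothing more than the preference list logged. Since the option is documented as giving admins full control, a hard reject would be a policy change, but the loop that builds `pref` can at least flag weak entries by adding before `pref << c.name();` the lines `if (c.usedBits() < 128)` / `qWarning("Meta: sslCiphers enables weak cipher suite \"%s\" (%d bits)", qPrintable(c.name()), c.usedBits());`. `MumbleSSL::ciphersFromOpenSSLCipherString` is not visible on this page, so whether it already drops such suites cannot be confirmed from the hunk. MetaParams::read starts and ends outside the hunk.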
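--- a/src/murmur/Meta.h
+++ b/src/murmur/Meta.h
@@ -115,6 +115,7 @@ class MetaParams {
 QSslCertificate qscCert;
 QSslKey qskKey;
 QByteArray qbaPassPhrase;
+QString qsCiphers;
 
 QMap<QString, QString> qmConfig;
 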