From dd3bd9dcdd3c395c5eedd2be8d910f731ecb6f8b Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Fri, 14 Feb 2014 21:34:02 +0100
Subject: [PATCH] Do not enforce safe negotiation on the main TLS channel.

This is only set when in CISCO compatibility mode, as CISCO clients come from the past.
---
 src/tlslib.c | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/src/tlslib.c b/src/tlslib.c
index 44ba1e3b..a80ad938 100644
--- a/src/tlslib.c
+++ b/src/tlslib.c
@@ -545,11 +545,17 @@ struct key_cb_data * cdata;
 	return 0;
 }
 
+/* Allow clients to rehandshake even if they don't support safe
+ * renegotiation */
+#define ADDITIONAL_FLAGS ":%UNSAFE_RENEGOTIATION"
+
 /* reload key files etc. */
 void tls_global_init_certs(main_server_st* s)
 {
 int ret;
 const char* perr;
+char *tmp;
+unsigned len;
 
 	if (s->config->tls_debug) {
 		gnutls_global_set_log_function(tls_log_func);
@@ -608,11 +614,27 @@ const char* perr;
 				verify_certificate_cb);
 	}
 
-	ret = gnutls_priority_init(&s->creds.cprio, s->config->priorities, &perr);
+	if (s->config->cisco_client_compat) {
+		len = strlen(s->config->priorities);
+		tmp = malloc(len+sizeof(ADDITIONAL_FLAGS));
+		if (tmp == NULL) {
+			mslog(s, NULL, LOG_ERR, "memory error");
+			exit(1);
+		}
+
+		memcpy(tmp, s->config->priorities, len);
+		memcpy(&tmp[len], ADDITIONAL_FLAGS, sizeof(ADDITIONAL_FLAGS)); /* includes terminating zero */
+	} else {
+		tmp = strdup(s->config->priorities);
+	}
+
+	ret = gnutls_priority_init(&s->creds.cprio, tmp, &perr);
 	if (ret == GNUTLS_E_PARSING_ERROR)
 		mslog(s, NULL, LOG_ERR, "error in TLS priority string: %s", perr);
 	GNUTLS_FATAL_ERR(ret);
 
+	free(tmp);
+
 	if (s->config->ocsp_response != NULL) {
 		ret = gnutls_certificate_set_ocsp_status_request_file(s->creds.xcred, s->config->ocsp_response, 0);
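Review bot: `unsigned len;` in the first hunk narrows the `size_t` that `strlen()` returns when it is assigned in the second hunk; declaring it `size_t len;` keeps the `malloc(len+sizeof(ADDITIONAL_FLAGS))` arithmetic in the width of the string length and avoids a `-Wconversion` warning. The comment above `ADDITIONAL_FLAGS` should also state what is being traded away, since the macro name hides it: `/* %UNSAFE_RENEGOTIATION lets a peer renegotiate without the safe-renegotiation extension, which GnuTLS's default policy refuses; it is only appended when cisco_client_compat is set, keep it scoped that way. */`. `char *tmp;` is declared here but the `strdup()` path that fills it in the next hunk is not NULL-checked the way the `malloc()` path is, so on allocation failure a NULL pointer reaches `gnutls_priority_init()` instead of the "memory error" exit. tls_global_init_certs continues past the end of this hunk.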