From: <abe...@us...> - 2014-10-16 15:48:30
Revision: 6769 http://sourceforge.net/p/astlinux/code/6769
Author: abelbeck
Date: 2014-10-16 15:48:26 +0000 (Thu, 16 Oct 2014)
Log Message:
-----------
asterisk, add jabber/xmpp patches to use TLS instead of SSLv3, security fix POODLE (CVE-2014-3566)
Added Paths:
-----------
branches/1.0/package/asterisk/asterisk-1.8-jabber-tls.patch
branches/1.0/package/asterisk/asterisk-11-jabber-xmpp-tls.patch
Added: branches/1.0/package/asterisk/asterisk-1.8-jabber-tls.patch
===================================================================
--- branches/1.0/package/asterisk/asterisk-1.8-jabber-tls.patch (rev 0)
+++ branches/1.0/package/asterisk/asterisk-1.8-jabber-tls.patch 2014-10-16 15:48:26 UTC (rev 6769)
@@ -0,0 +1,21 @@
+--- asterisk-1.8.31.0/res/res_jabber.c.orig 2014-10-16 08:45:07.000000000 -0500
++++ asterisk-1.8.31.0/res/res_jabber.c 2014-10-16 08:51:36.000000000 -0500
+@@ -1240,14 +1240,17 @@
+ {
+ int ret;
+ int sock;
++ long ssl_opts;
+
+ ast_debug(1, "Starting TLS handshake\n");
+
+ /* Choose an SSL/TLS protocol version, create SSL_CTX */
+- client->ssl_method = SSLv3_method();
++ client->ssl_method = SSLv23_method();
+ if (!(client->ssl_context = SSL_CTX_new((SSL_METHOD *) client->ssl_method))) {
+ return IKS_NET_TLSFAIL;
+ }
++ ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
++ SSL_CTX_set_options(client->ssl_context, ssl_opts);
+
+ /* Create new SSL session */
+ if (!(client->ssl_session = SSL_new(client->ssl_context))) {
Added: branches/1.0/package/asterisk/asterisk-11-jabber-xmpp-tls.patch
===================================================================
--- branches/1.0/package/asterisk/asterisk-11-jabber-xmpp-tls.patch (rev 0)
+++ branches/1.0/package/asterisk/asterisk-11-jabber-xmpp-tls.patch 2014-10-16 15:48:26 UTC (rev 6769)
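Review bot: The added `SSL_CTX_set_options` line closes SSLv2/SSLv3, but nothing in the new lines configures peer-certificate verification on the context returned by `SSL_CTX_new` — there is no `SSL_CTX_set_verify`, `SSL_CTX_set_default_verify_paths` or host-name check between the context creation and `SSL_new` — so with POODLE fixed an on-path attacker can still terminate the XMPP session with any certificate. The enclosing function's signature is above this hunk and its body continues after the `SSL_new` line, so verification may be set up elsewhere; if it is not, adding `SSL_CTX_set_verify(client->ssl_context, SSL_VERIFY_PEER, NULL);` and `SSL_CTX_set_default_verify_paths(client->ssl_context);` directly after the `SSL_CTX_set_options` call, and checking `SSL_get_verify_result` once the handshake completes, is what makes the move to TLS meaningful. The `long ssl_opts` temporary adds nothing over passing the mask in place; `SSL_CTX_set_options(client->ssl_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` reads the same and drops the extra declaration.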
@@ -0,0 +1,45 @@
+--- asterisk-11.13.0/res/res_jabber.c.orig 2014-10-16 10:05:57.000000000 -0500
++++ asterisk-11.13.0/res/res_jabber.c 2014-10-16 10:04:51.000000000 -0500
+@@ -1282,14 +1282,17 @@
+ static int aji_tls_handshake(struct aji_client *client)
+ {
+ int sock;
++ long ssl_opts;
+
+ ast_debug(1, "Starting TLS handshake\n");
+
+ /* Choose an SSL/TLS protocol version, create SSL_CTX */
+- client->ssl_method = SSLv3_method();
++ client->ssl_method = SSLv23_method();
+ if (!(client->ssl_context = SSL_CTX_new((SSL_METHOD *) client->ssl_method))) {
+ return IKS_NET_TLSFAIL;
+ }
++ ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
++ SSL_CTX_set_options(client->ssl_context, ssl_opts);
+
+ /* Create new SSL session */
+ if (!(client->ssl_session = SSL_new(client->ssl_context))) {
+--- asterisk-11.13.0/res/res_xmpp.c.orig 2014-10-16 10:13:57.000000000 -0500
++++ asterisk-11.13.0/res/res_xmpp.c 2014-10-16 10:16:49.000000000 -0500
+@@ -2501,6 +2501,7 @@
+ {
+ #ifdef HAVE_OPENSSL
+ int sock;
++ long ssl_opts;
+ #endif
+
+ if (!strcmp(iks_name(node), "success")) {
+@@ -2519,10 +2520,12 @@
+ ast_log(LOG_ERROR, "Somehow we managed to try to start TLS negotiation on client '%s' without OpenSSL support, disconnecting\n", client->name);
+ return -1;
+ #else
+- client->ssl_method = SSLv3_method();
++ client->ssl_method = SSLv23_method();
+ if (!(client->ssl_context = SSL_CTX_new((SSL_METHOD *) client->ssl_method))) {
+ goto failure;
+ }
++ ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
++ SSL_CTX_set_options(client->ssl_context, ssl_opts);
+
+ if (!(client->ssl_session = SSL_new(client->ssl_context))) {
+ goto failure;
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
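Review bot: The comment `/* Choose an SSL/TLS protocol version, create SSL_CTX */` kept above the changed `SSLv23_method()` line in res_jabber.c no longer describes the code — the method now negotiates rather than choosing a version, and the reason for the `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` mask is recorded only in the commit log, not where the next maintainer will read it; in all three places the line above the `ssl_opts` assignment would be better as `/* Negotiate the newest TLS both ends support; SSLv2/SSLv3 are disabled below (POODLE, CVE-2014-3566) */`. While the option mask is being set, TLS-level compression is, to my recollection, still enabled by default in the OpenSSL releases these Asterisk versions built against, which exposes the XMPP session to CRIME-style plaintext recovery; `ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;` closes that at no cost, guarded with `#ifdef SSL_OP_NO_COMPRESSION` if OpenSSL builds older than 1.0.0 are still a target. The res_xmpp.c hunks belong to a function whose signature is above the first `@@ -2501` hunk and whose body continues past `goto failure;`, and `aji_tls_handshake` in res_jabber.c also continues beyond its hunk, so I cannot see whether any cipher-list or verification settings follow.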