Merge "asterisk.c: When astcanary dies on linux, reset priority on all threads."
[asterisk/asterisk.git] / main / http.c
index 26e218b..da564da 100644 (file)
 
 #include "asterisk.h"
 
-ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
+ASTERISK_REGISTER_FILE()
 
 #include <time.h>
 #include <sys/time.h>
 #include <sys/stat.h>
-#include <sys/signal.h>
+#include <signal.h>
 #include <fcntl.h>
 
 #include "asterisk/paths.h"    /* use ast_config_AST_DATA_DIR */
@@ -671,6 +671,8 @@ int ast_http_uri_link(struct ast_http_uri *urih)
 
        AST_RWLIST_WRLOCK(&uris);
 
+       urih->prefix = prefix;
+
        if ( AST_RWLIST_EMPTY(&uris) || strlen(AST_RWLIST_FIRST(&uris)->uri) <= len ) {
                AST_RWLIST_INSERT_HEAD(&uris, urih, entry);
                AST_RWLIST_UNLOCK(&uris);
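Review bot: The new `urih->prefix = prefix;` on L22 is undocumented and `prefix` itself is not declared anywhere in the hunk, so a reader cannot tell from this code where the value comes from or why it is recorded on every registered handler (presumably a file-scope prefix string set while loading http.conf, but that is an inference). A short comment above the assignment such as `/* Remember the URL prefix in force when this handler was linked */` would fix that, and it is worth stating in it whether the value is expected to change across reloads, since handlers linked before a reload would keep the old pointer. The body of ast_http_uri_link starts and ends outside the hunk.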
@@ -2102,10 +2104,13 @@ static int __ast_http_load(int reload)
        }
        http_tls_cfg.pvtfile = ast_strdup("");
 
+       /* Apply modern intermediate settings according to the Mozilla OpSec team as of July 30th, 2015 but disable TLSv1 */
+       ast_set_flag(&http_tls_cfg.flags, AST_SSL_DISABLE_TLSV1 | AST_SSL_SERVER_CIPHER_ORDER);
+
        if (http_tls_cfg.cipher) {
                ast_free(http_tls_cfg.cipher);
        }
-       http_tls_cfg.cipher = ast_strdup("");
+       http_tls_cfg.cipher = ast_strdup("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA");
 
        AST_RWLIST_WRLOCK(&uri_redirects);
        while ((redirect = AST_RWLIST_REMOVE_HEAD(&uri_redirects, entry))) {
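Review bot: The default cipher list on L38 is a long hard-coded literal inside `__ast_http_load`, which makes later changes to it (for example dropping `DES-CBC3-SHA` or the non-forward-secrecy `AES128-SHA`-style suites the profile keeps for compatibility) easy to overlook in review; hoisting it to a file-scope `static const char default_tls_ciphers[] = "…";` and writing `http_tls_cfg.cipher = ast_strdup(default_tls_ciphers);` would keep the default visible and diffable on its own. The comment on L31 should also say that this is only the built-in default: the hunk at L46-L47 stops skipping `tlscipher`/`sslcipher`, so those keys now appear to reach `ast_tls_read_conf()` and replace the list, e.g. `/* Built-in default only; tlscipher/sslcipher in http.conf replaces it */`. The flags set on L32 would benefit from the same note, since it is not visible here whether a config option can clear them. As before the change, the `ast_strdup()` results on L29 and L38 are not checked for NULL.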
@@ -2131,8 +2136,6 @@ static int __ast_http_load(int reload)
                        && strcasecmp(v->name, "tlsdontverifyserver")
                        && strcasecmp(v->name, "tlsclientmethod")
                        && strcasecmp(v->name, "sslclientmethod")
-                       && strcasecmp(v->name, "tlscipher")
-                       && strcasecmp(v->name, "sslcipher")
                        && !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
                        continue;
                }
@@ -2219,7 +2222,7 @@ static int __ast_http_load(int reload)
                 * the non-TLS bindaddress here.
                 */
                if (ast_sockaddr_isnull(&https_desc.local_address) && http_desc.accept_fd != -1) {
-                       ast_sockaddr_copy(&https_desc.local_address, &https_desc.local_address);
+                       ast_sockaddr_copy(&https_desc.local_address, &http_desc.local_address);
                        /* Of course, we can't use the same port though.
                         * Since no bind address was specified, we just use the
                         * default TLS port