Merge "asterisk.c: When astcanary dies on linux, reset priority on all threads."
[asterisk/asterisk.git] / main / http.c
index ef3b4b2..da564da 100644 (file)
 
 #include "asterisk.h"
 
-ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
+ASTERISK_REGISTER_FILE()
 
 #include <time.h>
 #include <sys/time.h>
 #include <sys/stat.h>
-#include <sys/signal.h>
+#include <signal.h>
 #include <fcntl.h>
 
 #include "asterisk/paths.h"    /* use ast_config_AST_DATA_DIR */
@@ -376,7 +376,7 @@ static int httpstatus_callback(struct ast_tcptls_session_instance *ser,
        }
 
        ast_str_append(&out, 0,
-               "<title>Asterisk HTTP Status</title>\r\n"
+               "<html><title>Asterisk HTTP Status</title>\r\n"
                "<body bgcolor=\"#ffffff\">\r\n"
                "<table bgcolor=\"#f1f1f1\" align=\"center\"><tr><td bgcolor=\"#e0e0ff\" colspan=\"2\" width=\"500\">\r\n"
                "<h2>&nbsp;&nbsp;Asterisk&trade; HTTP Status</h2></td></tr>\r\n");
@@ -403,7 +403,7 @@ static int httpstatus_callback(struct ast_tcptls_session_instance *ser,
        }
        ast_variables_destroy(cookies);
 
-       ast_str_append(&out, 0, "</table><center><font size=\"-1\"><i>Asterisk and Digium are registered trademarks of Digium, Inc.</i></font></center></body>\r\n");
+       ast_str_append(&out, 0, "</table><center><font size=\"-1\"><i>Asterisk and Digium are registered trademarks of Digium, Inc.</i></font></center></body></html>\r\n");
        ast_http_send(ser, method, 200, NULL, NULL, out, 0, 0);
        return 0;
 }
@@ -671,6 +671,8 @@ int ast_http_uri_link(struct ast_http_uri *urih)
 
        AST_RWLIST_WRLOCK(&uris);
 
+       urih->prefix = prefix;
+
        if ( AST_RWLIST_EMPTY(&uris) || strlen(AST_RWLIST_FIRST(&uris)->uri) <= len ) {
                AST_RWLIST_INSERT_HEAD(&uris, urih, entry);
                AST_RWLIST_UNLOCK(&uris);
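Review bot: The new `urih->prefix = prefix;` stores a pointer to a file-scope `prefix` whose storage is not shown in this hunk, and nothing documents its lifetime relative to the linked URIs. If `prefix` is a fixed buffer rewritten on reload, every linked URI silently observes the new contents; if it were ever changed to a heap string reassigned on reload, the linked entries would hold a dangling pointer. A one-line comment pinning the contract would prevent that regression, e.g. `/* prefix is file-scope storage that outlives every linked URI; only its contents change on reload */`. ast_http_uri_link continues past the end of the hunk.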
@@ -1873,6 +1875,11 @@ static int httpd_process_request(struct ast_tcptls_session_instance *ser)
                return -1;
        }
 
+       if (ast_shutdown_final()) {
+               ast_http_error(ser, 503, "Service Unavailable", "Shutdown in progress");
+               return -1;
+       }
+
        /* process "Request Headers" lines */
        if (http_request_headers_get(ser, &headers)) {
                return -1;
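Review bot: The new shutdown guard sends a 503 and returns -1 before the request headers are consumed on the next line, and the meaning of that -1 (close the session rather than keep it alive) is not stated. A short comment would make the intent clear to the next reader, e.g. `/* Refuse new requests once shutdown is final; returning -1 closes the session without reading the rest of the request */`. Whether `ast_http_error` emits a `Retry-After` header is not visible here; if it does not, clients have no hint about when to retry, which may be acceptable for a final shutdown. httpd_process_request begins and ends outside the hunk.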
@@ -2097,10 +2104,13 @@ static int __ast_http_load(int reload)
        }
        http_tls_cfg.pvtfile = ast_strdup("");
 
+       /* Apply modern intermediate settings according to the Mozilla OpSec team as of July 30th, 2015 but disable TLSv1 */
+       ast_set_flag(&http_tls_cfg.flags, AST_SSL_DISABLE_TLSV1 | AST_SSL_SERVER_CIPHER_ORDER);
+
        if (http_tls_cfg.cipher) {
                ast_free(http_tls_cfg.cipher);
        }
-       http_tls_cfg.cipher = ast_strdup("");
+       http_tls_cfg.cipher = ast_strdup("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA");
 
        AST_RWLIST_WRLOCK(&uri_redirects);
        while ((redirect = AST_RWLIST_REMOVE_HEAD(&uri_redirects, entry))) {
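Review bot: The default TLS cipher policy is a very long literal embedded in `__ast_http_load` with its provenance only in the adjacent comment; it should be a named file-scope constant so the policy is visible, reviewable and updatable in one place, e.g. `static const char default_tls_ciphers[] = "ECDHE-RSA-AES128-GCM-SHA256:…";` near the top of the file and `http_tls_cfg.cipher = ast_strdup(default_tls_ciphers);` here, with the July 30th, 2015 Mozilla reference moved onto the constant. The list as written still admits non-forward-secret static-RSA suites (`AES128-SHA`, `AES256-SHA`, the bare `AES` and `CAMELLIA` groups) and 3DES (`DES-CBC3-SHA`), which is the intermediate profile's compatibility trade-off; a comment should say that deployments needing a stricter policy override it through the `tlscipher`/`sslcipher` config options, which the following hunk stops skipping so that `ast_tls_read_conf` now honors them. `ast_set_flag` on `http_tls_cfg.flags` is applied unconditionally before the config is read, so it is the baseline the config may relax or tighten; whether a reload clears flags set by a previous load is not visible in this hunk and worth confirming. `__ast_http_load` begins and ends outside the hunk.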
@@ -2126,8 +2136,6 @@ static int __ast_http_load(int reload)
                        && strcasecmp(v->name, "tlsdontverifyserver")
                        && strcasecmp(v->name, "tlsclientmethod")
                        && strcasecmp(v->name, "sslclientmethod")
-                       && strcasecmp(v->name, "tlscipher")
-                       && strcasecmp(v->name, "sslcipher")
                        && !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
                        continue;
                }
@@ -2214,7 +2222,7 @@ static int __ast_http_load(int reload)
                 * the non-TLS bindaddress here.
                 */
                if (ast_sockaddr_isnull(&https_desc.local_address) && http_desc.accept_fd != -1) {
-                       ast_sockaddr_copy(&https_desc.local_address, &https_desc.local_address);
+                       ast_sockaddr_copy(&https_desc.local_address, &http_desc.local_address);
                        /* Of course, we can't use the same port though.
                         * Since no bind address was specified, we just use the
                         * default TLS port
@@ -2333,7 +2341,7 @@ int ast_http_init(void)
        ast_http_uri_link(&statusuri);
        ast_http_uri_link(&staticuri);
        ast_cli_register_multiple(cli_http, ARRAY_LEN(cli_http));
-       ast_register_atexit(http_shutdown);
+       ast_register_cleanup(http_shutdown);
 
        return __ast_http_load(0);
 }
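Review bot: Switching `http_shutdown` from `ast_register_atexit` to `ast_register_cleanup` changes when the HTTP server is torn down, but the hunk does not say why. If, as the name suggests, cleanup handlers run only on a graceful shutdown while atexit handlers also run on a forced exit, then `http_shutdown` will no longer run in the forced case, and the 503 guard added earlier in this commit is what keeps new requests out during the graceful path. A comment stating that intent, e.g. `/* cleanup rather than atexit: tear the listener down only on graceful shutdown */`, would make the pairing explicit — confirm the handler semantics against asterisk.c before wording it.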