Adding support for cipher suite selection in websockets transport (#2135

)
meetecho · May 5, 2020 · 52efcc4 · 52efcc4
1 parent ab0f9c3
commit 52efcc4
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/conf/janus.transport.websockets.jcfg.sample b/conf/janus.transport.websockets.jcfg.sample
@@ -38,8 +38,12 @@ admin: {
 }
 
 # Certificate and key to use for any secure WebSocket server, if enabled (and passphrase if needed).
+# You can also disable insecure protocols and ciphers by configuring the
+# 'ciphers' property accordingly (no limitation by default).
+# Examples of recommended cipher strings at https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html
 certificates: {
 	#cert_pem = "/path/to/cert.pem"
 	#cert_key = "/path/to/key.pem"
 	#cert_pwd = "secretpassphrase"
+	#ciphers = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
 }
diff --git a/transports/janus_websockets.c b/transports/janus_websockets.c
@@ -625,13 +625,17 @@ int janus_websockets_init(janus_transport_callbacks *callback, const char *confi
 				char *server_pem = (char *)item->value;
 				char *server_key = (char *)item->value;
 				char *password = NULL;
+				char *ciphers = NULL;
 				item = janus_config_get(config, config_certs, janus_config_type_item, "cert_key");
 				if(item && item->value)
 					server_key = (char *)item->value;
 				item = janus_config_get(config, config_certs, janus_config_type_item, "cert_pwd");
 				if(item && item->value)
 					password = (char *)item->value;
 				JANUS_LOG(LOG_VERB, "Using certificates:\n\t%s\n\t%s\n", server_pem, server_key);
+				item = janus_config_get(config, config_certs, janus_config_type_item, "ciphers");
+				if(item && item->value)
+					ciphers = (char *)item->value;
 				/* Prepare secure context */
 				struct lws_context_creation_info info;
 				memset(&info, 0, sizeof info);
@@ -642,6 +646,7 @@ int janus_websockets_init(janus_transport_callbacks *callback, const char *confi
 				info.ssl_cert_filepath = server_pem;
 				info.ssl_private_key_filepath = server_key;
 				info.ssl_private_key_password = password;
+				info.ssl_cipher_list = ciphers;
 				info.gid = -1;
 				info.uid = -1;
 #if LWS_LIBRARY_VERSION_MAJOR >= 2
@@ -737,13 +742,17 @@ int janus_websockets_init(janus_transport_callbacks *callback, const char *confi
 				char *server_pem = (char *)item->value;
 				char *server_key = (char *)item->value;
 				char *password = NULL;
+				char *ciphers = NULL;
 				item = janus_config_get(config, config_certs, janus_config_type_item, "cert_key");
 				if(item && item->value)
 					server_key = (char *)item->value;
 				item = janus_config_get(config, config_certs, janus_config_type_item, "cert_pwd");
 				if(item && item->value)
 					password = (char *)item->value;
 				JANUS_LOG(LOG_VERB, "Using certificates:\n\t%s\n\t%s\n", server_pem, server_key);
+				item = janus_config_get(config, config_certs, janus_config_type_item, "ciphers");
+				if(item && item->value)
+					ciphers = (char *)item->value;
 				/* Prepare secure context */
 				struct lws_context_creation_info info;
 				memset(&info, 0, sizeof info);
@@ -754,6 +763,7 @@ int janus_websockets_init(janus_transport_callbacks *callback, const char *confi
 				info.ssl_cert_filepath = server_pem;
 				info.ssl_private_key_filepath = server_key;
 				info.ssl_private_key_password = password;
+				info.ssl_cipher_list = ciphers;
 				info.gid = -1;
 				info.uid = -1;
 #if LWS_LIBRARY_VERSION_MAJOR >= 2