From 52efcc4e47ea09acccf6a6fa46548a7803d82dfe Mon Sep 17 00:00:00 2001
From: agclark81
Date: Tue, 5 May 2020 10:21:06 -0400
Subject: [PATCH] Adding support for cipher suite selection in websockets transport (#2135)
---
 conf/janus.transport.websockets.jcfg.sample | 4 ++++
 transports/janus_websockets.c | 10 ++++++++++
 2 files changed, 14 insertions(+)
diff --git a/conf/janus.transport.websockets.jcfg.sample b/conf/janus.transport.websockets.jcfg.sample
index 6498dcf8d6..a861f2f138 100644
--- a/conf/janus.transport.websockets.jcfg.sample
+++ b/conf/janus.transport.websockets.jcfg.sample
@@ -38,8 +38,12 @@ admin: {
 }
 # Certificate and key to use for any secure WebSocket server, if enabled (and passphrase if needed).
+# You can also disable insecure protocols and ciphers by configuring the
+# 'ciphers' property accordingly (no limitation by default).
+# Examples of recommended cipher strings at https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html
 certificates: {
 #cert_pem = "/path/to/cert.pem"
 #cert_key = "/path/to/key.pem"
 #cert_pwd = "secretpassphrase"
+ #ciphers = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
 }
diff --git a/transports/janus_websockets.c b/transports/janus_websockets.c
index ebee7e747d..e16681399d 100644
--- a/transports/janus_websockets.c
+++ b/transports/janus_websockets.c
@@ -625,6 +625,7 @@ int janus_websockets_init(janus_transport_callbacks *callback, const char *confi
 char *server_pem = (char *)item->value;
 char *server_key = (char *)item->value;
 char *password = NULL;
+ char *ciphers = NULL;
 item = janus_config_get(config, config_certs, janus_config_type_item, "cert_key");
 if(item && item->value)
 server_key = (char *)item->value;
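Review bot: The example string added to the sample config (`#ciphers = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"`) contains only ECDHE-RSA suites, so an operator who copies it while serving an ECDSA certificate will have no usable suite and every TLS handshake will fail. I would either add the ECDSA counterparts to the example or say so in the comment, e.g. `# (the example below assumes an RSA certificate; add ECDHE-ECDSA-* suites if you use an ECDSA key)`. The new comment also claims the property can "disable insecure protocols", but an OpenSSL-style cipher string only constrains cipher suites, not TLS protocol versions, and as far as I recall it does not govern TLS 1.3 suites either; I would reword it to `# You can also restrict the (TLS 1.2 and earlier) cipher suites offered by configuring the 'ciphers' property (no limitation by default).` so nobody relies on it to turn off TLS 1.0/1.1.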
@@ -632,6 +633,9 @@ int janus_websockets_init(janus_transport_callbacks *callback, const char *confi
 if(item && item->value)
 password = (char *)item->value;
 JANUS_LOG(LOG_VERB, "Using certificates:\n\t%s\n\t%s\n", server_pem, server_key);
+ item = janus_config_get(config, config_certs, janus_config_type_item, "ciphers");
+ if(item && item->value)
+ ciphers = (char *)item->value;
 /* Prepare secure context */
 struct lws_context_creation_info info;
 memset(&info, 0, sizeof info);
@@ -642,6 +646,7 @@ int janus_websockets_init(janus_transport_callbacks *callback, const char *confi
 info.ssl_cert_filepath = server_pem;
 info.ssl_private_key_filepath = server_key;
 info.ssl_private_key_password = password;
+ info.ssl_cipher_list = ciphers;
 info.gid = -1;
 info.uid = -1;
 #if LWS_LIBRARY_VERSION_MAJOR >= 2
@@ -737,6 +742,7 @@ int janus_websockets_init(janus_transport_callbacks *callback, const char *confi
 char *server_pem = (char *)item->value;
 char *server_key = (char *)item->value;
 char *password = NULL;
+ char *ciphers = NULL;
 item = janus_config_get(config, config_certs, janus_config_type_item, "cert_key");
 if(item && item->value)
 server_key = (char *)item->value;
@@ -744,6 +750,9 @@ int janus_websockets_init(janus_transport_callbacks *callback, const char *confi
 if(item && item->value)
 password = (char *)item->value;
 JANUS_LOG(LOG_VERB, "Using certificates:\n\t%s\n\t%s\n", server_pem, server_key);
+ item = janus_config_get(config, config_certs, janus_config_type_item, "ciphers");
+ if(item && item->value)
+ ciphers = (char *)item->value;
 /* Prepare secure context */
 struct lws_context_creation_info info;
 memset(&info, 0, sizeof info);
@@ -754,6 +763,7 @@ int janus_websockets_init(janus_transport_callbacks *callback, const char *confi
 info.ssl_cert_filepath = server_pem;
 info.ssl_private_key_filepath = server_key;
 info.ssl_private_key_password = password;
+ info.ssl_cipher_list = ciphers;
 info.gid = -1;
 info.uid = -1;
 #if LWS_LIBRARY_VERSION_MAJOR >= 2
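Review bot: The configured cipher string is read into `ciphers` right after the "Using certificates" log line but is never echoed, so when a typo in it makes the TLS context fail to come up the operator has nothing in the log tying the failure to this setting. A one-liner next to the existing JANUS_LOG would help, e.g. `if(ciphers) JANUS_LOG(LOG_VERB, "Using ciphers: %s\n", ciphers);`. The string is also passed through unvalidated; whether the library rejects a malformed list at context creation or silently falls back to its defaults is something I cannot tell from this hunk and is worth confirming, since a silent fallback would defeat the hardening the option is meant to provide. janus_websockets_init starts and ends outside this hunk.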
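Review bot: `info.ssl_cipher_list = ciphers;` is, as far as I recall of libwebsockets, handed to the TLS ≤1.2 cipher-list setter, while TLS 1.3 suites are configured through a separate creation-info field in newer lws releases (`tls1_3_plus_cipher_list`, if this lws version has it); if that is right, a client negotiating TLS 1.3 is not constrained by this option at all. Worth confirming against the lws version Janus requires and, if it holds, either wiring a second config key or documenting the limitation in the sample config. Likewise, nothing here restricts the minimum protocol version, so "disable insecure protocols" would need `info.ssl_options_set` (e.g. `SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1`) rather than a cipher string. janus_websockets_init starts and ends outside this hunk.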
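Review bot: The `ciphers` lookup and assignment added here for the admin server are a verbatim copy of the lines added for the main server earlier in the same function, extending an existing copy-paste of the cert/key/password block; any future fix (validation, logging, a TLS 1.3 list) now has to be made twice. A small `static` helper that fills the cert/key/password/ciphers fields of a `struct lws_context_creation_info` from `config_certs`, called from both places, would keep the two servers from drifting; that refactor touches lines outside this hunk, so it may be better as a follow-up. janus_websockets_init starts and ends outside this hunk.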