diff -ru ../neon-0.31.1.orig/src/ne_openssl.c ./src/ne_openssl.c --- ../neon-0.31.1.orig/src/ne_openssl.c +++ ./src/ne_openssl.c @@ -586,6 +586,11 @@ ne_free(ctx); return NULL; } + /* AVM - use Perfect Forward Secrecy - generate a new pubkey for any connection */ + /* (maybe server parameters only) */ + long ssloptions = SSL_OP_SINGLE_DH_USE; + ssloptions |= SSL_OP_SINGLE_ECDH_USE; + SSL_CTX_set_options(ctx->ctx, ssloptions); return ctx; } @@ -601,6 +606,11 @@ } else { /* Disable it: set the flag. */ opts |= SSL_OP_NO_SSLv2; + opts |= SSL_OP_NO_SSLv3; + //opts |= SSL_OP_NO_TLSv1; // allowed + //opts |= SSL_OP_NO_TLSv1_2; // allowed + //opts |= SSL_OP_NO_TLSv1_1; // allowed + NE_DEBUG(NE_DBG_SSL, "ne_ssl_context_set_flag *** AVM *** allow only TLS v1.x / Cipher Suites olny support TLS 1.x.\n"); } break; } diff -ru ../neon-0.31.1.orig/src/ne_socket.c ./src/ne_socket.c --- ../neon-0.31.1.orig/src/ne_socket.c +++ ./src/ne_socket.c @@ -107,6 +107,14 @@ #include #endif +#include // AVM +#include // AVM + + +// AVM +#define ONLINEFILEIPV6 "/var/tmp/webdav.onlineipv6" + + #define NE_INET_ADDR_DEFINED /* A slightly ugly hack: change the ne_inet_addr definition to be the * real address type used. The API only exposes ne_inet_addr as a @@ -178,6 +186,11 @@ /* Socket read timeout */ #define SOCKET_READ_TIMEOUT 120 +#define SOCKET_CON_TIMEOUT 30 // AVM + +/* AVM: TLS cipher list */ +#define NEW_CIPHERS "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA" +#define NEW_CIPHERS1_3 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" /* Critical I/O functions on a socket: useful abstraction for easily * handling SSL I/O alongside raw socket I/O. */ @@ -217,7 +230,7 @@ * and is hence always <= RDBUFSIZ. */ char *bufpos; size_t bufavail; -#define RDBUFSIZ 4096 +#define RDBUFSIZ 32768 /* AVM 4096*/ char buffer[RDBUFSIZ]; /* Error string. */ char error[192]; @@ -923,6 +936,8 @@ } #ifdef AF_INET6 + NE_DEBUG(NE_DBG_AVM, "%s: with IPv6 support compiled: hostname %s => getaddrinfo ",__FUNCTION__, hostname ); + if (hostname[0] == '[' && ((pnt = strchr(hostname, ']')) != NULL)) { char *hn = ne_strdup(hostname + 1); hn[pnt - hostname - 1] = '\0'; @@ -930,24 +945,36 @@ hints.ai_flags |= AI_NUMERICHOST; #endif hints.ai_family = AF_INET6; + NE_DEBUG(NE_DBG_AVM, "%s: AF_INET6 v6 address hints.ai_family = AF_INET6", __FUNCTION__ ); addr->errnum = getaddrinfo(hn, NULL, &hints, &addr->result); ne_free(hn); } else #endif /* AF_INET6 */ { #ifdef USE_GAI_ADDRCONFIG /* added in the RFC3493 API */ + NE_DEBUG(NE_DBG_AVM, "%s: USE_GAI_ADDRCONFIG hostname %s => getaddrinfo ", __FUNCTION__, hostname ); hints.ai_flags |= AI_ADDRCONFIG; hints.ai_family = AF_UNSPEC; addr->errnum = getaddrinfo(hostname, NULL, &hints, &addr->result); #else hints.ai_family = ipv6_disabled ? AF_INET : AF_UNSPEC; - addr->errnum = getaddrinfo(hostname, NULL, &hints, &addr->result); + + // AVM - only use IPv6 wenn it is online / connected + if (access(ONLINEFILEIPV6, X_OK) != 0) { + hints.ai_family = AF_INET; // use IPv4 + NE_DEBUG(NE_DBG_AVM, "%s: hints.ai_family = AF_INET",__FUNCTION__); + } else { + hints.ai_family = AF_INET6; // use IPv6 + NE_DEBUG(NE_DBG_AVM, "%s: hints.ai_family = AF_INET6",__FUNCTION__ ); + } + + addr->errnum = getaddrinfo(hostname, NULL, &hints, &addr->result); #endif } #else /* Use gethostbyname() */ in_addr_t laddr; struct hostent *hp; - + NE_DEBUG(NE_DBG_AVM, "%s: hostname %s => gethostbyname ",__FUNCTION__, hostname ); laddr = inet_addr(hostname); if (laddr == INADDR_NONE) { hp = gethostbyname(hostname); @@ -1248,7 +1275,7 @@ ret = NE_SOCK_ERROR; } } else if (ret == 0) { /* poll timed out */ - set_error(sock, _("Connection timed out")); + set_error(sock, _("Connection timed out (timed_connect)")); ret = NE_SOCK_TIMEOUT; } else /* poll failed */ { set_strerror(sock, errno); @@ -1319,7 +1346,7 @@ { ne_socket *sock = ne_calloc(sizeof *sock); sock->rdtimeout = SOCKET_READ_TIMEOUT; - sock->cotimeout = 0; + sock->cotimeout = SOCKET_CON_TIMEOUT; // AVM sock->bufpos = sock->buffer; sock->ops = &iofns_raw; sock->fd = -1; @@ -1475,8 +1502,18 @@ #endif ret = connect_socket(sock, fd, addr, htons(port)); - if (ret == 0) + if (ret == 0){ sock->fd = fd; +#ifdef SIOCSET_TC_INDEX + //AVM + unsigned long tc_index = 20; + if (ioctl(sock->fd, SIOCSET_TC_INDEX, &tc_index) != 0) { + NE_DEBUG(NE_DBG_AVM, "SIOCSET_TC_INDEX failed"); + } +#else +#error SIOCSET_TC_INDEX not defined in sockios.h, maybe using wrong header file. +#endif + } else ne_close(fd); @@ -1765,6 +1802,27 @@ SSL_set_fd(ssl, sock->fd); sock->ops = &iofns_ssl; + // AVM: set new TLS cipher list, Cloudsafe donĀ“t like some of the old defaults + if (SSL_set_cipher_list(ssl, NEW_CIPHERS)) { + NE_DEBUG(NE_DBG_AVM, "SSL_set_cipher_list ok "); + } else { + NE_DEBUG(NE_DBG_AVM, "SSL_set_cipher_list failed "); + } + +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if (SSL_set_ciphersuites(ssl, NEW_CIPHERS1_3)) { + NE_DEBUG(NE_DBG_AVM, "SSL_set_ciphersuites ok "); + } else { + NE_DEBUG(NE_DBG_AVM, "SSL_set_ciphersuites failed "); + } + + if (SSL_set1_groups_list(ssl, "X25519:X448:P-256:P-384")) { + NE_DEBUG(NE_DBG_AVM, "SSL_set1_gourps_list ok "); + } else { + NE_DEBUG(NE_DBG_AVM, "SSL_set1_gourps_list failed "); + } +#endif + #ifdef SSL_set_tlsext_host_name if (ctx->hostname) { /* Try to enable SNI, but ignore failure (should only fail for