diff -ru ../neon-0.31.1.orig/src/ne_openssl.c ./src/ne_openssl.c
--- ../neon-0.31.1.orig/src/ne_openssl.c
+++ ./src/ne_openssl.c
@@ -586,6 +586,11 @@
ne_free(ctx);
return NULL;
}
+ /* AVM - use Perfect Forward Secrecy - generate a new pubkey for any connection */
+ /* (maybe server parameters only) */
+ long ssloptions = SSL_OP_SINGLE_DH_USE;
+ ssloptions |= SSL_OP_SINGLE_ECDH_USE;
+ SSL_CTX_set_options(ctx->ctx, ssloptions);
return ctx;
}
@@ -601,6 +606,11 @@
} else {
/* Disable it: set the flag. */
opts |= SSL_OP_NO_SSLv2;
+ opts |= SSL_OP_NO_SSLv3;
+ //opts |= SSL_OP_NO_TLSv1; // allowed
+ //opts |= SSL_OP_NO_TLSv1_2; // allowed
+ //opts |= SSL_OP_NO_TLSv1_1; // allowed
+ NE_DEBUG(NE_DBG_SSL, "ne_ssl_context_set_flag *** AVM *** allow only TLS v1.x / Cipher Suites olny support TLS 1.x.\n");
}
break;
}
diff -ru ../neon-0.31.1.orig/src/ne_socket.c ./src/ne_socket.c
--- ../neon-0.31.1.orig/src/ne_socket.c
+++ ./src/ne_socket.c
@@ -107,6 +107,14 @@
#include <gnutls/gnutls.h>
#endif
+#include <sys/ioctl.h> // AVM
+#include <linux/sockios.h> // AVM
+
+
+// AVM
+#define ONLINEFILEIPV6 "/var/tmp/webdav.onlineipv6"
+
+
#define NE_INET_ADDR_DEFINED
/* A slightly ugly hack: change the ne_inet_addr definition to be the
* real address type used. The API only exposes ne_inet_addr as a
@@ -178,6 +186,11 @@
/* Socket read timeout */
#define SOCKET_READ_TIMEOUT 120
+#define SOCKET_CON_TIMEOUT 30 // AVM
+
+/* AVM: TLS cipher list */
+#define NEW_CIPHERS "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA"
+#define NEW_CIPHERS1_3 "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
/* Critical I/O functions on a socket: useful abstraction for easily
* handling SSL I/O alongside raw socket I/O. */
@@ -217,7 +230,7 @@
* and is hence always <= RDBUFSIZ. */
char *bufpos;
size_t bufavail;
-#define RDBUFSIZ 4096
+#define RDBUFSIZ 32768 /* AVM 4096*/
char buffer[RDBUFSIZ];
/* Error string. */
char error[192];
@@ -923,6 +936,8 @@
}
#ifdef AF_INET6
+ NE_DEBUG(NE_DBG_AVM, "%s: with IPv6 support compiled: hostname %s => getaddrinfo ",__FUNCTION__, hostname );
+
if (hostname[0] == '[' && ((pnt = strchr(hostname, ']')) != NULL)) {
char *hn = ne_strdup(hostname + 1);
hn[pnt - hostname - 1] = '\0';
@@ -930,24 +945,36 @@
hints.ai_flags |= AI_NUMERICHOST;
#endif
hints.ai_family = AF_INET6;
+ NE_DEBUG(NE_DBG_AVM, "%s: AF_INET6 v6 address hints.ai_family = AF_INET6", __FUNCTION__ );
addr->errnum = getaddrinfo(hn, NULL, &hints, &addr->result);
ne_free(hn);
} else
#endif /* AF_INET6 */
{
#ifdef USE_GAI_ADDRCONFIG /* added in the RFC3493 API */
+ NE_DEBUG(NE_DBG_AVM, "%s: USE_GAI_ADDRCONFIG hostname %s => getaddrinfo ", __FUNCTION__, hostname );
hints.ai_flags |= AI_ADDRCONFIG;
hints.ai_family = AF_UNSPEC;
addr->errnum = getaddrinfo(hostname, NULL, &hints, &addr->result);
#else
hints.ai_family = ipv6_disabled ? AF_INET : AF_UNSPEC;
- addr->errnum = getaddrinfo(hostname, NULL, &hints, &addr->result);
+
+ // AVM - only use IPv6 wenn it is online / connected
+ if (access(ONLINEFILEIPV6, X_OK) != 0) {
+ hints.ai_family = AF_INET; // use IPv4
+ NE_DEBUG(NE_DBG_AVM, "%s: hints.ai_family = AF_INET",__FUNCTION__);
+ } else {
+ hints.ai_family = AF_INET6; // use IPv6
+ NE_DEBUG(NE_DBG_AVM, "%s: hints.ai_family = AF_INET6",__FUNCTION__ );
+ }
+
+ addr->errnum = getaddrinfo(hostname, NULL, &hints, &addr->result);
#endif
}
#else /* Use gethostbyname() */
in_addr_t laddr;
struct hostent *hp;
-
+ NE_DEBUG(NE_DBG_AVM, "%s: hostname %s => gethostbyname ",__FUNCTION__, hostname );
laddr = inet_addr(hostname);
if (laddr == INADDR_NONE) {
hp = gethostbyname(hostname);
@@ -1248,7 +1275,7 @@
ret = NE_SOCK_ERROR;
}
} else if (ret == 0) { /* poll timed out */
- set_error(sock, _("Connection timed out"));
+ set_error(sock, _("Connection timed out (timed_connect)"));
ret = NE_SOCK_TIMEOUT;
} else /* poll failed */ {
set_strerror(sock, errno);
@@ -1319,7 +1346,7 @@
{
ne_socket *sock = ne_calloc(sizeof *sock);
sock->rdtimeout = SOCKET_READ_TIMEOUT;
- sock->cotimeout = 0;
+ sock->cotimeout = SOCKET_CON_TIMEOUT; // AVM
sock->bufpos = sock->buffer;
sock->ops = &iofns_raw;
sock->fd = -1;
@@ -1475,8 +1502,18 @@
#endif
ret = connect_socket(sock, fd, addr, htons(port));
- if (ret == 0)
+ if (ret == 0){
sock->fd = fd;
+#ifdef SIOCSET_TC_INDEX
+ //AVM
+ unsigned long tc_index = 20;
+ if (ioctl(sock->fd, SIOCSET_TC_INDEX, &tc_index) != 0) {
+ NE_DEBUG(NE_DBG_AVM, "SIOCSET_TC_INDEX failed");
+ }
+#else
+#error SIOCSET_TC_INDEX not defined in sockios.h, maybe using wrong header file.
+#endif
+ }
else
ne_close(fd);
@@ -1765,6 +1802,27 @@
SSL_set_fd(ssl, sock->fd);
sock->ops = &iofns_ssl;
+ // AVM: set new TLS cipher list, Cloudsafe donĀ“t like some of the old defaults
+ if (SSL_set_cipher_list(ssl, NEW_CIPHERS)) {
+ NE_DEBUG(NE_DBG_AVM, "SSL_set_cipher_list ok ");
+ } else {
+ NE_DEBUG(NE_DBG_AVM, "SSL_set_cipher_list failed ");
+ }
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ if (SSL_set_ciphersuites(ssl, NEW_CIPHERS1_3)) {
+ NE_DEBUG(NE_DBG_AVM, "SSL_set_ciphersuites ok ");
+ } else {
+ NE_DEBUG(NE_DBG_AVM, "SSL_set_ciphersuites failed ");
+ }
+
+ if (SSL_set1_groups_list(ssl, "X25519:X448:P-256:P-384")) {
+ NE_DEBUG(NE_DBG_AVM, "SSL_set1_gourps_list ok ");
+ } else {
+ NE_DEBUG(NE_DBG_AVM, "SSL_set1_gourps_list failed ");
+ }
+#endif
+
#ifdef SSL_set_tlsext_host_name
if (ctx->hostname) {
/* Try to enable SNI, but ignore failure (should only fail for