Add arguments for managing tls ciphers & netmon

This adds 2 arguments:
    /tls-ciphers                List of permitted openssl ciphers - see ciphers(1)
    /tls-ciphers-netmon         Use tls ciphers that netmon can parse

With KB2919355, client/server negotiate the use of
TLS cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
which works fine except that netmon can't parse it.
By adding commandline /tls-ciphers-netmon, we restrict
the available ciphers to a list that netmon can
deal with.  Also adds /tls-ciphers, which
accepts a string arg, for further customization.
Daniel Bungert 2014-07-17 06:59:06 -06:00
parent c4c8a3fca7
commit 625f7c3c22
4 changed files with 20 additions and 1 deletions


@ -127,6 +127,8 @@ COMMAND_LINE_ARGUMENT_A args[] =
{ "sec-tls", COMMAND_LINE_VALUE_BOOL, NULL, BoolValueTrue, NULL, -1, NULL, "tls protocol security" },
{ "sec-nla", COMMAND_LINE_VALUE_BOOL, NULL, BoolValueTrue, NULL, -1, NULL, "nla protocol security" },
{ "sec-ext", COMMAND_LINE_VALUE_BOOL, NULL, BoolValueFalse, NULL, -1, NULL, "nla extended protocol security" },
{ "tls-ciphers", COMMAND_LINE_VALUE_REQUIRED, NULL, NULL, NULL, -1, NULL, "List of permitted openssl ciphers - see ciphers(1)" },
{ "tls-ciphers-netmon", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL, "Use tls ciphers that netmon can parse" },
{ "cert-name", COMMAND_LINE_VALUE_REQUIRED, "<name>", NULL, NULL, -1, NULL, "certificate name" },
{ "cert-ignore", COMMAND_LINE_VALUE_FLAG, NULL, NULL, NULL, -1, NULL, "ignore certificate" },
{ "pcb", COMMAND_LINE_VALUE_REQUIRED, "<blob>", NULL, NULL, -1, NULL, "Preconnection Blob" },
@ -1753,6 +1755,14 @@ int freerdp_client_settings_parse_command_line_arguments(rdpSettings* settings,
{
settings->ExtSecurity = arg->Value ? TRUE : FALSE;
}
CommandLineSwitchCase(arg, "tls-ciphers")
{
settings->PermittedTLSCiphers = _strdup(arg->Value);
}
CommandLineSwitchCase(arg, "tls-ciphers-netmon")
{
settings->PermittedTLSCiphers = arg->Value ? _strdup("ALL:!ECDH") : NULL;
}
CommandLineSwitchCase(arg, "cert-name")
{
settings->CertificateName = _strdup(arg->Value);
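Review bot: Both `tls-ciphers` and `tls-ciphers-netmon` assign `settings->PermittedTLSCiphers` without releasing a previous value, so giving both switches (or either one twice) leaks the earlier `_strdup` result; put `free(settings->PermittedTLSCiphers);` before each assignment, and note that the `_strdup` return is unchecked as well. In the first hunk the `tls-ciphers` row leaves the value-placeholder column `NULL` where sibling `COMMAND_LINE_VALUE_REQUIRED` rows such as `cert-name` give one like `"<name>"`; `"<cipher-list>"` would keep the help output consistent. The `ALL:!ECDH` list chosen for netmon excludes the ECDHE forward-secrecy suites and otherwise admits whatever `ALL` covers, which the help text should state so the switch reads as a diagnostic trade-off rather than a hardening option. `freerdp_client_settings_parse_command_line_arguments` continues outside the hunk.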


@ -974,7 +974,8 @@ struct rdp_settings
ALIGN64 char* AuthenticationServiceClass; /* 1098 */
ALIGN64 BOOL DisableCredentialsDelegation; /* 1099 */
ALIGN64 BOOL AuthenticationLevel; /* 1100 */
UINT64 padding1152[1152 - 1101]; /* 1101 */
ALIGN64 char* PermittedTLSCiphers; /* 1101 */
UINT64 padding1152[1152 - 1102]; /* 1102 */
/* Connection Cookie */
ALIGN64 BOOL MstscCookieMode; /* 1152 */
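Review bot: The new `PermittedTLSCiphers` member carries only its slot number, so a reader of the header cannot tell that it holds an OpenSSL cipher-list string or who owns it; `/* 1101 */` could be extended to `/* 1101: OpenSSL cipher list as for ciphers(1); owned, released in freerdp_settings_free */`. Taking the slot out of the reserved `padding1152` range and shrinking that range by one keeps the offset of `MstscCookieMode` at 1152, so the layout of the struct is preserved, which is the right pattern here. `struct rdp_settings` continues on both sides of the hunk.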


@ -825,6 +825,7 @@ void freerdp_settings_free(rdpSettings* settings)
free(settings->MonitorDefArray);
free(settings->ClientAddress);
free(settings->ClientDir);
free(settings->PermittedTLSCiphers);
free(settings->CertificateFile);
free(settings->PrivateKeyFile);
free(settings->ConnectionFile);
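Review bot: Freeing `PermittedTLSCiphers` here covers teardown, but if this file also has a clone or copy routine that duplicates the other string members (`freerdp_settings_clone`, if present in this tree), it presumably needs the same addition, otherwise a copied settings object would either lose the cipher list or share a pointer that is then freed twice — verify against that routine. The free itself sits among the other owned string members, matching the surrounding style. `freerdp_settings_free` continues outside the hunk.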


@ -591,6 +591,13 @@ BOOL tls_prepare(rdpTls* tls, BIO *underlying, const SSL_METHOD *method, int opt
SSL_CTX_set_options(tls->ctx, options);
SSL_CTX_set_read_ahead(tls->ctx, 1);
if (tls->settings->PermittedTLSCiphers) {
if(!SSL_CTX_set_cipher_list(tls->ctx, tls->settings->PermittedTLSCiphers)) {
fprintf(stderr, "SSL_CTX_set_cipher_list %s failed\n", tls->settings->PermittedTLSCiphers);
return FALSE;
}
}
tls->bio = BIO_new_rdp_tls(tls->ctx, clientMode);
if (BIO_get_ssl(tls->bio, &tls->ssl) < 0)
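Review bot: The new block uses K&R braces (`if (...) {` on one line, `if(!` without a space) while the surrounding code and the other hunks in this commit put braces on their own line; writing it as `if (tls->settings->PermittedTLSCiphers)` / `{` / `if (!SSL_CTX_set_cipher_list(tls->ctx, tls->settings->PermittedTLSCiphers))` / `{` keeps the file consistent. `SSL_CTX_set_cipher_list` fails only when no suite in the list is usable, so a list naming weak suites is accepted silently; a comment such as `/* any list with at least one usable suite is accepted; strength is the caller's choice */` on the call would make that explicit. On the failure path the `tls->ctx` configured above is left for the caller to release — whether `tls_free` covers that cannot be seen from the hunk, so confirm. `tls_prepare` continues outside the hunk.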