add a new flag to enforce tls1.2

This commit is contained in:
Siva Gudivada 2022-06-22 17:17:43 -07:00 committed by akallabeth
parent bc8b4ade1c
commit 7ce4d8b196
4 changed files with 22 additions and 2 deletions


@ -2895,6 +2895,10 @@ int freerdp_client_settings_parse_command_line_arguments(rdpSettings* settings,
settings->TlsSecLevel = (UINT32)val;
}
CommandLineSwitchCase(arg, "enforce-tlsv1_2")
{
settings->EnforceTLSv1_2 = enable;
}
CommandLineSwitchCase(arg, "cert")
{
int rc = 0;


@ -369,6 +369,8 @@ static const COMMAND_LINE_ARGUMENT_A global_cmd_args[] = {
"Allowed TLS ciphers" },
{ "tls-seclevel", COMMAND_LINE_VALUE_REQUIRED, "<level>", "1", NULL, -1, NULL,
"TLS security level - defaults to 1" },
{ "enforce-tlsv1_2", COMMAND_LINE_VALUE_BOOL, NULL, BoolValueFalse, NULL, -1, NULL,
"Use TLS1.2 for connection." },
{ "toggle-fullscreen", COMMAND_LINE_VALUE_BOOL, NULL, BoolValueTrue, NULL, -1, NULL,
"Alt+Ctrl+Enter to toggle fullscreen" },
{ "tune", COMMAND_LINE_VALUE_REQUIRED, "<setting:value>,<setting:value>", "", NULL, -1, NULL,
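Review bot: The help text on the new `enforce-tlsv1_2` entry undersells what the flag does: selecting `TLSv1_2_client_method()` (as the tls.c hunk in this commit does) pins the handshake to TLS 1.2 only, which also rules out TLS 1.3, so a user reading "Use TLS1.2 for connection." cannot tell that newer protocol versions are disabled too. I would change it to `"Restrict the TLS handshake to TLS 1.2 only (disables TLS 1.3 as well as older versions)"`. The neighbouring entries (`tls-seclevel`, `toggle-fullscreen`, `tune`) appear to be kept in alphabetical order, so the new row probably belongs with the other `tls-*` options or, if the name is kept, in its alphabetical slot rather than between them.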


@ -635,6 +635,7 @@ typedef struct
#define FreeRDP_NtlmSamFile (1103)
#define FreeRDP_FIPSMode (1104)
#define FreeRDP_TlsSecLevel (1105)
#define FreeRDP_EnforceTLSv1_2 (1107)
#define FreeRDP_SspiModule (1106)
#define FreeRDP_MstscCookieMode (1152)
#define FreeRDP_CookieMaxLength (1153)
@ -1123,7 +1124,8 @@ struct rdp_settings
ALIGN64 BOOL FIPSMode; /* 1104 */
ALIGN64 UINT32 TlsSecLevel; /* 1105 */
ALIGN64 char* SspiModule; /* 1106 */
UINT64 padding1152[1152 - 1107]; /* 1107 */
ALIGN64 BOOL EnforceTLSv1_2; /* 1107 */
UINT64 padding1152[1152 - 1108]; /* 1108 */
/* Connection Cookie */
ALIGN64 BOOL MstscCookieMode; /* 1152 */
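Review bot: The new `#define FreeRDP_EnforceTLSv1_2 (1107)` is inserted between `FreeRDP_TlsSecLevel (1105)` and `FreeRDP_SspiModule (1106)`, breaking the numeric ordering the rest of the key table follows, whereas the struct member itself is placed correctly after `SspiModule /* 1106 */` and the padding is shrunk to `1152 - 1108` to match. Move the define below `FreeRDP_SspiModule (1106)` so the key list and the struct layout read in the same order; the same applies to any second copy of this table if the header is mirrored elsewhere. If the settings keys are also enumerated by the `freerdp_settings_get_bool`/`freerdp_settings_set_bool` accessors, the new key needs an entry there too, which this 4-file commit does not appear to include — worth confirming against the settings accessor source.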


@ -862,7 +862,7 @@ int tls_connect(rdpTls* tls, BIO* underlying)
if (!tls_prepare(tls, underlying, SSLv23_client_method(), options, TRUE))
#else
if (!tls_prepare(tls, underlying, TLS_client_method(), options, TRUE))
if (!tls_prep(tls, underlying, options, TRUE))
#endif
return 0;
@ -872,6 +872,18 @@ int tls_connect(rdpTls* tls, BIO* underlying)
return tls_do_handshake(tls, TRUE);
}
BOOL tls_prep(rdpTls* tls, BIO* underlying, int options, BOOL clientMode)
{
if (tls->settings->EnforceTLSv1_2)
{
return tls_prepare(tls, underlying, TLSv1_2_client_method(), options, TRUE);
}
else
{
return tls_prepare(tls, underlying, TLS_client_method(), options, TRUE);
}
}
#if defined(MICROSOFT_IOS_SNI_BUG) && !defined(OPENSSL_NO_TLSEXT) && \
!defined(LIBRESSL_VERSION_NUMBER)
static void tls_openssl_tlsext_debug_callback(SSL* s, int client_server, int type,
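Review bot: `tls_prep` ignores its `clientMode` parameter and hard-codes `TRUE` in both `tls_prepare` calls, so the signature promises a choice the body does not honour; either forward `clientMode` or drop the parameter. It is also called from `tls_connect` (the replaced line in the first hunk) before its definition with no prototype visible in this diff, and it is non-static although nothing here suggests callers outside tls.c. The definition sits outside the `#if`/`#else` that still selects `SSLv23_client_method()` for older OpenSSL, yet it references `TLS_client_method()` unconditionally, so it would presumably fail to compile in that configuration unless a compatibility shim defines it; `TLSv1_2_client_method()` is in turn deprecated since OpenSSL 1.1.0 and can be compiled out, so on the newer branch the same pin is available without the deprecated API via `SSL_CTX_set_min_proto_version`/`SSL_CTX_set_max_proto_version` with `TLS1_2_VERSION`, if `tls_prepare` exposes the context. The rewrite below at least collapses the duplicated call and forwards `clientMode`.
```c
static BOOL tls_prep(rdpTls* tls, BIO* underlying, int options, BOOL clientMode)
{
	/* EnforceTLSv1_2 pins the handshake to TLS 1.2 only; TLSv1_2_client_method()
	 * is deprecated since OpenSSL 1.1.0 - prefer min/max proto version if available. */
	const SSL_METHOD* method =
	    tls->settings->EnforceTLSv1_2 ? TLSv1_2_client_method() : TLS_client_method();

	return tls_prepare(tls, underlying, method, options, clientMode);
}
```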