diff --git a/daemon/dtls.c b/daemon/dtls.c
index 5806ae8b3..cd046ea11 100644
--- a/daemon/dtls.c
+++ b/daemon/dtls.c
@@ -197,7 +197,7 @@ static int cert_init(void) {
 if (!BN_set_word(exponent, 0x10001))
 goto err;
- if (!RSA_generate_key_ex(rsa, 1024, exponent, NULL))
+ if (!RSA_generate_key_ex(rsa, rtpe_config.dtls_rsa_key_size, exponent, NULL))
 goto err;
 if (!EVP_PKEY_assign_RSA(pkey, rsa))
@@ -247,7 +247,7 @@ static int cert_init(void) {
 /* sign it */
- if (!X509_sign(x509, pkey, EVP_sha1()))
+ if (!X509_sign(x509, pkey, rtpe_config.dtls_signature == 1 ? EVP_sha1() : EVP_sha256()))
 goto err;
 /* digest */
@@ -513,7 +513,7 @@ int dtls_connection_init(struct dtls_connection *d, struct packet_stream *ps, in
 SSL_CTX_set_verify(d->ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
 SSL_CTX_set_verify_depth(d->ssl_ctx, 4);
- SSL_CTX_set_cipher_list(d->ssl_ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
+ SSL_CTX_set_cipher_list(d->ssl_ctx, rtpe_config.dtls_ciphers);
 if (SSL_CTX_set_tlsext_use_srtp(d->ssl_ctx, ciphers_str))
 goto error;
diff --git a/daemon/main.c b/daemon/main.c
index 60d4156db..018ab2de4 100644
--- a/daemon/main.c
+++ b/daemon/main.c
@@ -71,6 +71,9 @@ struct rtpengine_config rtpe_config = {
 .rec_method = "pcap",
 .rec_format = "raw",
 .media_num_threads = -1,
+ .dtls_rsa_key_size = 2048,
+ .dtls_ciphers = "DEFAULT:!NULL:!aNULL:!SHA256:!SHA384:!aECDH:!AESGCM+AES256:!aPSK",
+ .dtls_signature = 256,
 };
@@ -310,6 +313,7 @@ static void options(int *argc, char ***argv) {
 double max_cpu = 0;
 char *dtmf_udp_ep = NULL;
 char *endpoint_learning = NULL;
+ char *dtls_sig = NULL;
 GOptionEntry e[] = {
 { "table", 't', 0, G_OPTION_ARG_INT, &rtpe_config.kernel_table, "Kernel table to use", "INT" },
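Review bot: The digest selection keys on the bare integer 1, so every other value of dtls_signature (including anything a future option might add) silently falls through to SHA-256, and nothing at this call site says so. A comment would make the contract explicit, e.g. `/* dtls_signature: 1 = SHA-1 (legacy interop), anything else = SHA-256 */`, or better the two accepted values could become named enum constants shared with the parser in options() so 1 and 256 stop being magic numbers in two files. cert_init() continues outside the hunk.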
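Review bot: The return value of SSL_CTX_set_cipher_list() is still ignored, which mattered little while the list was a known-good literal, but now the string comes from `--dtls-ciphers` and a typo or a list that matches no cipher returns 0 and leaves the context with an unusable cipher set, so every later handshake fails with no hint at the cause; `if (!SSL_CTX_set_cipher_list(d->ssl_ctx, rtpe_config.dtls_ciphers)) goto error;` surfaces it at connection setup instead. Validating the string once at startup would be better still, but that needs an SSL_CTX at option-parse time. dtls_connection_init() continues outside the hunk.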
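Review bot: The new default cipher list excludes the SHA256/SHA384 HMAC suites and AES256-GCM on top of the usual NULL/anonymous/PSK exclusions, a deliberate narrowing that the initializer does not explain and that a later reader is likely to "fix". A one-line comment above `.dtls_ciphers` recording the reason (presumably interop with a specific peer that fails on those suites; worth confirming) would prevent that. It may also be worth noting there that `.dtls_signature = 256` selects the certificate's signature digest and is independent of the cipher list, since the similar names invite confusion.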
@@ -380,6 +384,9 @@ static void options(int *argc, char ***argv) {
 { "jitter-buffer",0, 0, G_OPTION_ARG_INT, &rtpe_config.jb_length, "Size of jitter buffer", "INT" },
 { "jb-clock-drift",0,0, G_OPTION_ARG_NONE, &rtpe_config.jb_clock_drift,"Compensate for source clock drift",NULL },
 { "debug-srtp",0,0, G_OPTION_ARG_NONE, &rtpe_config.debug_srtp,"Log raw encryption details for SRTP", NULL },
+ { "dtls-rsa-key-size",0, 0, G_OPTION_ARG_INT,&rtpe_config.dtls_rsa_key_size,"Size of RSA key for DTLS", "INT" },
+ { "dtls-ciphers",0, 0, G_OPTION_ARG_STRING, &rtpe_config.dtls_ciphers,"List of ciphers for DTLS", "STRING" },
+ { "dtls-signature",0, 0,G_OPTION_ARG_STRING, &dtls_sig, "Signature algorithm for DTLS", "SHA-256|SHA-1" },
 { NULL, }
 };
@@ -570,6 +577,22 @@ static void options(int *argc, char ***argv) {
 }
 rtpe_config.endpoint_learning = el_config;
+ if (dtls_sig) {
+ if (!strcasecmp(dtls_sig, "sha-1"))
+ rtpe_config.dtls_signature = 1;
+ else if (!strcasecmp(dtls_sig, "sha1"))
+ rtpe_config.dtls_signature = 1;
+ else if (!strcasecmp(dtls_sig, "sha-256"))
+ rtpe_config.dtls_signature = 256;
+ else if (!strcasecmp(dtls_sig, "sha256"))
+ rtpe_config.dtls_signature = 256;
+ else
+ die("Invalid --dtls-signature option ('%s')", dtls_sig);
+ }
+
+ if (rtpe_config.dtls_rsa_key_size < 0)
+ die("Invalid --dtls-rsa-key-size (%i)", rtpe_config.dtls_rsa_key_size);
+
 if (rtpe_config.jb_length < 0)
 die("Invalid negative jitter buffer size");
 }
diff --git a/include/main.h b/include/main.h
index 4f3e9598a..3790f8082 100644
--- a/include/main.h
+++ b/include/main.h
@@ -96,6 +96,9 @@ struct rtpengine_config {
 int jb_length;
 int jb_clock_drift;
 int debug_srtp;
+ int dtls_rsa_key_size;
+ char *dtls_ciphers;
+ int dtls_signature;
 };
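Review bot: The `dtls_rsa_key_size < 0` check lets 0 and tiny sizes through, so a value like 512 is accepted here and only shows up later as a weak certificate or, depending on the OpenSSL build, as an RSA_generate_key_ex() failure inside cert_init() in dtls.c with a far less specific error; a lower bound at parse time gives a clear startup diagnostic, e.g. `if (rtpe_config.dtls_rsa_key_size < 1024) die("Invalid --dtls-rsa-key-size (%i), minimum is 1024", rtpe_config.dtls_rsa_key_size);`. The paired strcasecmp() branches for "sha-1"/"sha1" and "sha-256"/"sha256" assign the same value and can be merged with `||` to halve the chain. options() continues outside the hunk.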
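Review bot: The three new fields carry no documentation, and dtls_signature in particular is an encoded value whose only accepted settings are 1 and 256, which a reader cannot tell from the declaration. Comments such as `int dtls_rsa_key_size; /* bits, passed to RSA_generate_key_ex() */`, `char *dtls_ciphers; /* OpenSSL cipher-list string for SSL_CTX_set_cipher_list() */` and `int dtls_signature; /* certificate signature digest: 1 = SHA-1, 256 = SHA-256 */` would save the trip through main.c and dtls.c.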