Forbid tls 1 and 1.1 connection for nethifier (#300)

* TLS < 1.2 enabled by default, but could be disabled - added nethcti-server -> tlsSecureOptions prop - false by default. If set to "true: secure options are enabled and TLS < 1.2 isn't allowed Co-authored-by: Giacomo Sanchietti <giacomo.sanchietti@nethesis.it> --------- Co-authored-by: Giacomo Sanchietti <giacomo.sanchietti@nethesis.it>
nethesis · Nov 28, 2023 · 59b2e67 · 59b2e67
1 parent 68229c6
commit 59b2e67
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 3 deletions.
diff --git a/root/etc/e-smith/db/configuration/defaults/nethcti-server/tlsSecureOptions b/root/etc/e-smith/db/configuration/defaults/nethcti-server/tlsSecureOptions
@@ -0,0 +1 @@
+false
diff --git a/root/etc/e-smith/templates/etc/nethcti/services.json/10base b/root/etc/e-smith/templates/etc/nethcti/services.json/10base
@@ -1,6 +1,7 @@
 {
   my $ports_str = ${'nethcti-server'}{TCPPorts};
   our @ports = split(',', $ports_str);
+  our $tlsSecureOptions = ${'nethcti-server'}{tlsSecureOptions} || "false";
   return "";
 }
 \{
@@ -11,7 +12,8 @@
   "tls": \{
     "port": "{$ports[1] || 8183}",
     "key": "/etc/asterisk/keys/NethServer.key",
-    "cert": "/etc/asterisk/keys/NethServer.crt"
+    "cert": "/etc/asterisk/keys/NethServer.crt",
+    "secureOptions": "{$tlsSecureOptions}"
   \},
   "websocket": \{
     "http_port": "{${'nethcti-server'}{WsPort} || 8181}"

diff --git a/root/usr/lib/node/nethcti-server/plugins/com_nethcti_tcp/com_nethcti_tcp.js b/root/usr/lib/node/nethcti-server/plugins/com_nethcti_tcp/com_nethcti_tcp.js
@@ -398,6 +398,14 @@ var tcpPort;
  */
  var tlsCert;
 
+/**
+ * Don't allow TLS v 1.0 and 1.1. It is customized by the configuration file.
+ * @property tlsSecureOptions
+ * @type integer
+ * @private
+ */
+  var tlsSecureOptions;
+
 /**
  * The protocol used by the cti server. It is used by the windows popup notification
  * to open the NethCTI application using the configured protocol. It is customized
@@ -1192,6 +1200,12 @@ function config(path) {
       } else {
         logger.log.error(IDLOG, path + ': no tls "cert" has been specified');
       }
+      // set tls secure options
+      if (json.tls.secureOptions && json.tls.secureOptions === 'true') {
+        tlsSecureOptions = require('constants').SSL_OP_NO_TLSv1 | require('constants').SSL_OP_NO_TLSv1_1;
+      } else {
+        tlsSecureOptions = null;
+      }
     } else {
       logger.log.error(IDLOG, path + ': no tls parameters have been specified');
     }
@@ -1323,7 +1337,8 @@ function start() {
     // tls server
     tlsServer = tls.createServer({
         key: fs.readFileSync(tlsKey),
-        cert: fs.readFileSync(tlsCert)
+        cert: fs.readFileSync(tlsCert),
+        secureOptions: tlsSecureOptions,
       }
     );
 
@@ -1835,4 +1850,4 @@ exports.setCompAuthorization = setCompAuthorization;
 exports.getNumConnectedClients = getNumConnectedClients;
 exports.sendPhoneRequest = sendPhoneRequest;
 exports.setNethifierLog = setNethifierLog;
-exports.isUserConnected = isUserConnected;
+exports.isUserConnected = isUserConnected;