Merge pull request #217 from lewellyn/patch-1

Default to TLS connections only
author: Daiyuu Nobori <da.git@softether.co.jp> 2016-11-27 11:25:15 +0300
committer: GitHub <noreply@github.com> 2016-11-27 11:25:15 +0300
commit: cc8fff4d81b039ec9b37442cf54d2262146676b3 (patch)
tree: 73d24c0232fc0cf2fd2b2dba0a37d0cc9ec22d86
parent: 5cae447c79119509bdf2ccdd64bee839bf2d3013 (diff)
parent: 15876de6fbce47f920d5349f492c08f4eadeff5b (diff)
1 files changed, 14 insertions, 1 deletions
diff --git a/src/Cedar/Server.c b/src/Cedar/Server.c
index dcac885b..561697b2 100644
--- a/src/Cedar/Server.c
+++ b/src/Cedar/Server.c
@@ -2577,6 +2577,9 @@ void SiLoadInitialConfiguration(SERVER *s)
 		return;
 	}
 
+	// Default to TLS only; mitigates CVE-2016-0800
+	s->Cedar->AcceptOnlyTls = true;
+
 	// Auto saving interval related
 	s->AutoSaveConfigSpan = SERVER_FILE_SAVE_INTERVAL_DEFAULT;
 	s->BackupConfigOnlyWhenModified = true;
@@ -2762,6 +2765,9 @@ void SiInitConfiguration(SERVER *s)
 	s->AutoSaveConfigSpan = SERVER_FILE_SAVE_INTERVAL_DEFAULT;
 	s->BackupConfigOnlyWhenModified = true;
 
+	// Default to TLS only; mitigates CVE-2016-0800
+	s->Cedar->AcceptOnlyTls = true;
+
 	// IPsec server
 	if (s->Cedar->Bridge == false)
 	{
@@ -6156,7 +6162,14 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
 		SetGlobalServerFlag(GSF_DISABLE_SESSION_RECONNECT, CfgGetBool(f, "DisableSessionReconnect"));
 
 		// AcceptOnlyTls
-		c->AcceptOnlyTls = CfgGetBool(f, "AcceptOnlyTls");
+		if (CfgIsItem(f, "AcceptOnlyTls"))
+		{
+			c->AcceptOnlyTls = CfgGetBool(f, "AcceptOnlyTls");
+		}
+		else
+		{
+			c->AcceptOnlyTls = true;
+		}
 	}
 	Unlock(c->lock);
author	Daiyuu Nobori <da.git@softether.co.jp>	2016-11-27 11:25:15 +0300
committer	GitHub <noreply@github.com>	2016-11-27 11:25:15 +0300
commit	cc8fff4d81b039ec9b37442cf54d2262146676b3 (patch)
tree	73d24c0232fc0cf2fd2b2dba0a37d0cc9ec22d86
parent	5cae447c79119509bdf2ccdd64bee839bf2d3013 (diff)
parent	15876de6fbce47f920d5349f492c08f4eadeff5b (diff)