author | Daiyuu Nobori <da.git@softether.co.jp> | 2016-11-27 11:25:15 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-11-27 11:25:15 +0300 |
commit | cc8fff4d81b039ec9b37442cf54d2262146676b3 (patch) | |
tree | 73d24c0232fc0cf2fd2b2dba0a37d0cc9ec22d86 | |
parent | 5cae447c79119509bdf2ccdd64bee839bf2d3013 (diff) | |
parent | 15876de6fbce47f920d5349f492c08f4eadeff5b (diff) |
Merge pull request #217 from lewellyn/patch-1
Default to TLS connections only
-rw-r--r-- | src/Cedar/Server.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/src/Cedar/Server.c b/src/Cedar/Server.c
index dcac885b..561697b2 100644
--- a/src/Cedar/Server.c
+++ b/src/Cedar/Server.c
@@ -2577,6 +2577,9 @@ void SiLoadInitialConfiguration(SERVER *s)
return;
}
+ // Default to TLS only; mitigates CVE-2016-0800
+ s->Cedar->AcceptOnlyTls = true;
+
// Auto saving interval related
s->AutoSaveConfigSpan = SERVER_FILE_SAVE_INTERVAL_DEFAULT;
s->BackupConfigOnlyWhenModified = true;
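Review bot: The secure default for AcceptOnlyTls is written as a bare `true` literal here, again in SiInitConfiguration (second hunk) and a third time in the fallback branch of SiLoadServerCfg (third hunk), so a later change to one site leaves the other two silently diverging. A single named constant such as `#define SERVER_ACCEPT_ONLY_TLS_DEFAULT true`, declared wherever SERVER_FILE_SAVE_INTERVAL_DEFAULT lives and used at all three sites, would keep them in step. The comment cites CVE-2016-0800 but what the flag does to the listener is not visible in this hunk; presumably it refuses legacy SSL handshakes, and saying so, e.g. `// Default to TLS only (presumably refuses legacy SSL handshakes); mitigates CVE-2016-0800 (DROWN)`, would tell a reader what is actually being mitigated. The enclosing function SiLoadInitialConfiguration begins before this hunk.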
@@ -2762,6 +2765,9 @@ void SiInitConfiguration(SERVER *s)
s->AutoSaveConfigSpan = SERVER_FILE_SAVE_INTERVAL_DEFAULT;
s->BackupConfigOnlyWhenModified = true;
+ // Default to TLS only; mitigates CVE-2016-0800
+ s->Cedar->AcceptOnlyTls = true;
+
// IPsec server
if (s->Cedar->Bridge == false)
{
@@ -6156,7 +6162,14 @@ void SiLoadServerCfg(SERVER *s, FOLDER *f)
SetGlobalServerFlag(GSF_DISABLE_SESSION_RECONNECT, CfgGetBool(f, "DisableSessionReconnect"));
// AcceptOnlyTls
- c->AcceptOnlyTls = CfgGetBool(f, "AcceptOnlyTls");
+ if (CfgIsItem(f, "AcceptOnlyTls"))
+ {
+ c->AcceptOnlyTls = CfgGetBool(f, "AcceptOnlyTls");
+ }
+ else
+ {
+ c->AcceptOnlyTls = true;
+ }
}
Unlock(c->lock);
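Review bot: The else branch is the one place where the new default reaches a configuration file written before the key existed, and the `// AcceptOnlyTls` comment above it does not record that this deliberately changes behaviour for such files; `// Key absent -> TLS only (CVE-2016-0800); an explicit false in the config is still honored` would make the intent explicit. The eight-line if/else can also be a single expression, `c->AcceptOnlyTls = CfgIsItem(f, "AcceptOnlyTls") ? CfgGetBool(f, "AcceptOnlyTls") : true;`, matching the one-line style of the surrounding CfgGetBool loads. Since an explicit false keeps non-TLS acceptance enabled, a log line in that case would make the weakened posture visible to the operator, but no logging helper appears in this hunk so I cannot say which one applies. The function body and the declaration of c begin before this hunk.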