default params for dh implemented
FossilOrigin-Name: a57ff3b0c45f4ddd9bec59ab4ce047ca1dd7729d78f12f4ad56950add5104f5b
This commit is contained in:
7u83@mail.ru
parent
0900d058ea
commit
a39514e836
|
|
@ -2,6 +2,7 @@ capwap/ac-descriptor/hardware/version:Bstr16: "ACTube 1.0"
|
|||
capwap/ac-descriptor/hardware/vendor:Bastr16: 12346
|
||||
capwap/ssl-cert:Str: "/usr/local/etc/ssl/tube.ssl"
|
||||
capwap/ssl-key:Str: "/usr/local/etc/key"
|
||||
capwap/ssl-dhbits:Word: 2048
|
||||
|
||||
ac-descriptor/stations:Word:05
|
||||
ac-descriptor/station-limit:Word:6
|
||||
|
|
@ -15,7 +16,8 @@ ac-descriptor/hardware/vendor:Dword:1234567
|
|||
ac-descriptor/hardware/version:Bstr16:"1.7.3"
|
||||
ac-name:Bstr16:"TubesAC"
|
||||
|
||||
capwap-control-ip-address/address.0:IPAddress:192.168.0.131
|
||||
capwap-control-ip-address/address.0:IPAddress:192.168.0.14
|
||||
#capwap-control-ip-address/address.0:IPAddress:192.168.0.131
|
||||
#capwap-control-ip-address/address.1:IPAddress:2a00:c1a0:48c6:4a00:9965:1b6e:aca3:1398
|
||||
capwap-control-ip-address/wtps.0:Word:0
|
||||
#capwap-control-ip-address/wtps.1:Word:11
|
||||
|
|
@ -23,7 +25,7 @@ capwap-control-ip-address/wtps.0:Word:0
|
|||
|
||||
capwap/ssl-keyfile:Str:"../../ssl/certs/ac-cisco.key"
|
||||
capwap/ssl-certfile:Str:"../../ssl/certs/ac-cisco.pem"
|
||||
capwap/ssl-cipher:Str:+DHE-RSA:+AES-256-CBC:+AES-128-CBC:+SHA1
|
||||
capwap/ssl-cipher:Str:+RSA:+AES-256-CBC:+AES-128-CBC:+SHA1
|
||||
#capwap/ssl-psk:Str:"HalloWelt"
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -177,6 +177,7 @@ struct conn {
|
|||
|
||||
char *dtls_psk;
|
||||
int dtls_psk_len;
|
||||
int dtls_dhbits;
|
||||
|
||||
struct cw_Mod *cmod, *bmod;
|
||||
|
||||
|
|
|
|||
|
|
@ -39,5 +39,8 @@ int cw_setup_dtls(struct conn * conn, mavl_t cfg, const char *prefix, char * de
|
|||
security |= CAPWAP_FLAG_AC_SECURITY_X;
|
||||
}
|
||||
|
||||
sprintf(key,"%s/%s",prefix,"ssl-dhbits");
|
||||
conn->dtls_dhbits = cw_ktv_get_word(cfg,key,1024);
|
||||
|
||||
return security;
|
||||
}
|
||||
|
|
@ -172,17 +172,7 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config)
|
|||
*/ bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY);
|
||||
/*#endif*/
|
||||
|
||||
/* Generate Diffie-Hellman parameters - for use with DHE
|
||||
* kx algorithms. When short bit length is used, it might
|
||||
* be wise to regenerate parameters often.
|
||||
*/
|
||||
gnutls_dh_params_init(&d->dh_params);
|
||||
|
||||
cw_dbg(DBG_DTLS,"Generating DH params, %d",bits);
|
||||
gnutls_dh_params_generate2(d->dh_params, bits);
|
||||
cw_dbg(DBG_DTLS,"DH params generated, %d",bits);
|
||||
|
||||
gnutls_certificate_set_dh_params(d->x509_cred, d->dh_params);
|
||||
|
||||
|
||||
|
||||
|
|
@ -215,7 +205,6 @@ struct dtls_gnutls_data *dtls_gnutls_data_create(struct conn *conn,int config)
|
|||
}
|
||||
|
||||
|
||||
|
||||
rc = gnutls_credentials_set(d->session, GNUTLS_CRD_CERTIFICATE, d->x509_cred);
|
||||
if (rc < 0) {
|
||||
cw_log(LOG_ERR, "DTLS - Can't set credentials: %s", gnutls_strerror(rc));
|
||||
|
|
|
|||
|
|
@ -35,7 +35,7 @@ const char * dtls_gnutls_get_cipher(struct conn * conn, char * dst);
|
|||
struct dtls_ssl_cert dtls_gnutls_get_peers_cert(struct conn * conn,unsigned int n);
|
||||
extern int dtls_gnutls_shutdown(struct conn *conn);
|
||||
|
||||
#define CAPWAP_CIPHER "+RSA:+AES-128-CBC:+SHA1:"
|
||||
#define CAPWAP_CIPHER "+DHE-RSA:+RSA:+AES-256-CBC:+AES-128-CBC:+SHA1"
|
||||
|
||||
|
||||
/* functions used only by capwap libray */
|
||||
|
|
|
|||
|
|
@ -43,10 +43,14 @@ int dtls_gnutls_accept(struct conn *conn)
|
|||
uint8_t buffer[2048];
|
||||
int tlen, rc;
|
||||
time_t c_timer;
|
||||
int bits;
|
||||
|
||||
gnutls_datum_t cookie_key;
|
||||
gnutls_dtls_prestate_st prestate;
|
||||
|
||||
|
||||
|
||||
|
||||
gnutls_key_generate(&cookie_key, GNUTLS_COOKIE_KEY_SIZE);
|
||||
cw_dbg(DBG_DTLS, "Session cookie for %s generated: %s",
|
||||
sock_addr2str(&conn->addr,sock_buf),
|
||||
|
|
@ -106,6 +110,24 @@ int dtls_gnutls_accept(struct conn *conn)
|
|||
if (!d)
|
||||
return 0;
|
||||
|
||||
|
||||
/* Generate Diffie-Hellman parameters - for use with DHE
|
||||
* kx algorithms. When short bit length is used, it might
|
||||
* be wise to regenerate parameters often.
|
||||
*/
|
||||
/*bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_LEGACY);*/
|
||||
bits = conn->dtls_dhbits;
|
||||
|
||||
gnutls_dh_params_init(&d->dh_params);
|
||||
|
||||
cw_dbg(DBG_DTLS,"Generating DH params, %d",bits);
|
||||
gnutls_dh_params_generate2(d->dh_params, bits);
|
||||
cw_dbg(DBG_DTLS,"DH params generated, %d",bits);
|
||||
|
||||
gnutls_certificate_set_dh_params(d->x509_cred, d->dh_params);
|
||||
|
||||
|
||||
|
||||
gnutls_certificate_server_set_request(d->session,GNUTLS_CERT_REQUEST);
|
||||
gnutls_dtls_prestate_set(d->session, &prestate);
|
||||
|
||||
|
|
|
|||
|
|
@ -4,8 +4,8 @@
|
|||
|
||||
capwap/ssl-certfile:Str:"../../ssl/certs/wtp.crt"
|
||||
capwap/ssl-keyfile:Str:"../../ssl/certs/wtp.key"
|
||||
#capwap/ssl-cipher:Str: +RSA:+AES-128-CBC:+SHA1
|
||||
#capwap/ssl-cipher:Str: +DHE-RSA:+RSA:+AES-256-CBC:+AES-128-CBC:+SHA1
|
||||
capwap/ssl-cipher:Str: +DHE-RSA:+AES-256-CBC:+AES-128-CBC:+SHA1
|
||||
#capwap/ssl-psk:Str:"HalloWelt"
|
||||
|
||||
cisco/ssl-certfile:Str:"../../ssl/certs/wtp.crt"
|
||||
|
|
|
|||
Loading…
Reference in New Issue