
svn commit: r1634961 - /qpid/trunk/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp

Author: cliffjansen
Date: Tue Oct 28 19:47:41 2014
New Revision: 1634961

URL: http://svn.apache.org/r1634961
Log:
QPID-6187: Disable SSL v3 for Windows SChannel

Modified:
    qpid/trunk/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp

Modified: qpid/trunk/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp?rev=1634961&r1=1634960&r2=1634961&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp Tue Oct 28 19:47:41 2014
@@ -458,7 +458,22 @@ void SslAsynchIO::idle(qpid::sys::Asynch
     }
 }
 
-  /**************************************************/
+/**************************************************/
+
+namespace {
+
+bool unsafeNegotiatedTlsVersion(CtxtHandle &ctxtHandle) {
+    // See if SChannel ultimately negotiated <= SSL3, perhaps due to
+    // global registry settings.
+    SecPkgContext_ConnectionInfo info;
+    ::QueryContextAttributes(&ctxtHandle, SECPKG_ATTR_CONNECTION_INFO, &info);
+    // Ascending bit patterns denote newer SSL/TLS protocol versions
+    return (info.dwProtocol < SP_PROT_TLS1_SERVER) ? true : false;
+}
+
+} // namespace
+
+/**************************************************/
 
 ClientSslAsynchIO::ClientSslAsynchIO(const std::string& brokerHost,
                                      const qpid::sys::Socket& s,
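Review bot: The result of `::QueryContextAttributes` in unsafeNegotiatedTlsVersion is discarded, so on failure `info.dwProtocol` is read uninitialized and the comparison returns an arbitrary answer, which can let a weak protocol through. Since this is a security gate it should fail closed: `SecPkgContext_ConnectionInfo info = {};` and `if (::QueryContextAttributes(&ctxtHandle, SECPKG_ATTR_CONNECTION_INFO, &info) != SEC_E_OK) return true; // cannot verify version: refuse`. The `< SP_PROT_TLS1_SERVER` test relies on the SChannel flag values being ordered by protocol age as the comment says; a masked test against the explicit SSL2/SSL3/PCT1 flags would state the intent directly and not depend on that ordering. The `? true : false` on the return is redundant; the comparison already yields a bool.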
@@ -589,6 +604,13 @@ void ClientSslAsynchIO::negotiateStep(Bu
     }
     // Nothing to send back to the server...
     aio->queueReadBuffer(sendbuff);
+
+    if (status == SEC_E_OK && unsafeNegotiatedTlsVersion(ctxtHandle)) {
+        // Refuse a connection that negotiates to less than TLS 1.0.
+        QPID_LOG(notice, "client SSL negotiation to unsafe protocol version.");
+        status = SEC_E_UNSUPPORTED_FUNCTION;
+    }
+
     // SEC_I_CONTEXT_EXPIRED means session stop complete; SEC_E_OK can be
     // either session stop or negotiation done (session up).
     if (status == SEC_E_OK || status == SEC_I_CONTEXT_EXPIRED)
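Review bot: This check rejects the session only after SChannel has completed an SSLv3 handshake, so the commit "disables" SSLv3 by detection rather than by not offering it. If the credential used for this context is acquired elsewhere with `SCHANNEL_CRED`, setting its `grbitEnabledProtocols` to exclude `SP_PROT_SSL2` and `SP_PROT_SSL3` (rather than leaving it to the registry defaults) would stop the negotiation up front, with this post-handshake check kept as defense in depth; the credential setup is not in this diff, so that is to be confirmed. The notice logged here carries no detail for triage; including the negotiated value, e.g. `"client SSL negotiation to unsafe protocol version (" << info.dwProtocol << ")"`, or the broker host passed to the constructor, would make rejected connections easier to attribute. The body of ClientSslAsynchIO::negotiateStep begins and ends outside this hunk.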
@@ -691,6 +713,12 @@ void ServerSslAsynchIO::negotiateStep(Bu
         // Nothing to send back to the server...
         aio->queueReadBuffer(sendbuff);
 
+    if (status == SEC_E_OK && unsafeNegotiatedTlsVersion(ctxtHandle)) {
+        // Refuse a connection that negotiates to less than TLS 1.0.
+        QPID_LOG(notice, "server SSL negotiation to unsafe protocol version.");
+        status = SEC_E_UNSUPPORTED_FUNCTION;
+    }
+
     // SEC_I_CONTEXT_EXPIRED means session stop complete; SEC_E_OK can be
     // either session stop or negotiation done (session up).
     if (status == SEC_E_OK || status == SEC_I_CONTEXT_EXPIRED) {
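Review bot: The five-line rejection block here is a copy of the one in ClientSslAsynchIO::negotiateStep differing only in the word "server" in the log message, so a future tightening of the policy has to be applied in two places. Folding both into the anonymous-namespace helper, e.g. `status = rejectUnsafeTlsVersion(ctxtHandle, status, "server");`, with the helper doing the SEC_E_OK check, the log and the status override, keeps the client and server gates from drifting apart. The enclosing ServerSslAsynchIO::negotiateStep starts and ends outside this hunk, so whether the rejected context is subsequently torn down on the SEC_E_UNSUPPORTED_FUNCTION path cannot be confirmed from here.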


