Posted to commits@qpid.apache.org by cl...@apache.org on 2014/10/28 20:47:41 UTC
svn commit: r1634961 -
/qpid/trunk/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp
Author: cliffjansen
Date: Tue Oct 28 19:47:41 2014
New Revision: 1634961
URL: http://svn.apache.org/r1634961
Log:
QPID-6187: Disable SSL v3 for Windows SChannel
Modified:
qpid/trunk/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp
Modified: qpid/trunk/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp?rev=1634961&r1=1634960&r2=1634961&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp Tue Oct 28 19:47:41 2014
@@ -458,7 +458,22 @@ void SslAsynchIO::idle(qpid::sys::Asynch
}
}
- /**************************************************/
+/**************************************************/
+
+namespace {
+
+bool unsafeNegotiatedTlsVersion(CtxtHandle &ctxtHandle) {
+ // See if SChannel ultimately negotiated <= SSL3, perhaps due to
+ // global registry settings.
+ SecPkgContext_ConnectionInfo info;
+ ::QueryContextAttributes(&ctxtHandle, SECPKG_ATTR_CONNECTION_INFO, &info);
+ // Ascending bit patterns denote newer SSL/TLS protocol versions
+ return (info.dwProtocol < SP_PROT_TLS1_SERVER) ? true : false;
+}
+
+} // namespace
+
+/**************************************************/
ClientSslAsynchIO::ClientSslAsynchIO(const std::string& brokerHost,
const qpid::sys::Socket& s,
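Review bot: `unsafeNegotiatedTlsVersion` discards the SECURITY_STATUS returned by `QueryContextAttributes`, so when the query fails `info.dwProtocol` is read uninitialized and the helper may answer "safe" for a connection whose protocol was never determined; the check should fail closed. Initializing `info` and returning `true` on any status other than SEC_E_OK keeps the guard in the direction the commit intends, and the `? true : false` on the comparison is redundant. The numeric `< SP_PROT_TLS1_SERVER` test relies on the bit layout described in the comment; a mask test against `SP_PROT_PCT1 | SP_PROT_SSL2 | SP_PROT_SSL3` would express the same policy without depending on ordering, if the project prefers.
```cpp
bool unsafeNegotiatedTlsVersion(CtxtHandle &ctxtHandle) {
    // See if SChannel ultimately negotiated <= SSL3, perhaps due to
    // global registry settings. Fail closed: if the negotiated protocol
    // cannot be determined, treat the connection as unsafe.
    SecPkgContext_ConnectionInfo info = {0};
    SECURITY_STATUS st = ::QueryContextAttributes(&ctxtHandle, SECPKG_ATTR_CONNECTION_INFO, &info);
    if (st != SEC_E_OK)
        return true;
    // Ascending bit patterns denote newer SSL/TLS protocol versions
    return info.dwProtocol < SP_PROT_TLS1_SERVER;
}
```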
@@ -589,6 +604,13 @@ void ClientSslAsynchIO::negotiateStep(Bu
}
// Nothing to send back to the server...
aio->queueReadBuffer(sendbuff);
+
+ if (status == SEC_E_OK && unsafeNegotiatedTlsVersion(ctxtHandle)) {
+ // Refuse a connection that negotiates to less than TLS 1.0.
+ QPID_LOG(notice, "client SSL negotiation to unsafe protocol version.");
+ status = SEC_E_UNSUPPORTED_FUNCTION;
+ }
+
// SEC_I_CONTEXT_EXPIRED means session stop complete; SEC_E_OK can be
// either session stop or negotiation done (session up).
if (status == SEC_E_OK || status == SEC_I_CONTEXT_EXPIRED)
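Review bot: The refusal branch replaces `status` with SEC_E_UNSUPPORTED_FUNCTION but logs nothing about which protocol was actually negotiated, which is the one fact an operator needs when a registry-level downgrade is suspected; consider having the helper expose `dwProtocol` (or logging it here) so the notice reads e.g. `"client SSL negotiation to unsafe protocol version 0x" << std::hex << proto`. Per the comment just below, SEC_E_OK at this point can also mean session stop rather than negotiation done, so confirm the protocol query on a stopping context still reports the negotiated version and a clean shutdown is not reclassified as an unsafe negotiation. The handling of the substituted failure status, including teardown of `ctxtHandle`, lies outside the hunk, so it is worth confirming that path runs for this new error. The same block is duplicated in the server-side hunk at ServerSslAsynchIO::negotiateStep with only the log text differing; a single helper taking the role string would keep the two in step.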
@@ -691,6 +713,12 @@ void ServerSslAsynchIO::negotiateStep(Bu
// Nothing to send back to the server...
aio->queueReadBuffer(sendbuff);
+ if (status == SEC_E_OK && unsafeNegotiatedTlsVersion(ctxtHandle)) {
+ // Refuse a connection that negotiates to less than TLS 1.0.
+ QPID_LOG(notice, "server SSL negotiation to unsafe protocol version.");
+ status = SEC_E_UNSUPPORTED_FUNCTION;
+ }
+
// SEC_I_CONTEXT_EXPIRED means session stop complete; SEC_E_OK can be
// either session stop or negotiation done (session up).
if (status == SEC_E_OK || status == SEC_I_CONTEXT_EXPIRED) {