Posted to commits@qpid.apache.org by ro...@apache.org on 2019/04/11 17:07:09 UTC
[qpid-proton] 03/15: PROTON-1989: [c] Support TLSv1.3 with openssl
1.1.1
This is an automated email from the ASF dual-hosted git repository.
robbie pushed a commit to branch 0.27.x
in repository https://gitbox.apache.org/repos/asf/qpid-proton.git
commit 790738e469350eab5dea1ddbd9907c583d06261f
Author: Andrew Stitcher <as...@apache.org>
AuthorDate: Fri Feb 22 16:20:07 2019 -0500
PROTON-1989: [c] Support TLSv1.3 with openssl 1.1.1
(cherry picked from commit 7db4c2c0b720c567d808ae71e49abeb734f5a6a2)
---
c/include/proton/ssl.h | 2 +-
c/src/ssl/openssl.c | 16 +++++++++++++---
c/tests/ssl_test.cpp | 12 ++++++++++++
3 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/c/include/proton/ssl.h b/c/include/proton/ssl.h
index 81a17a2..8258e16 100644
--- a/c/include/proton/ssl.h
+++ b/c/include/proton/ssl.h
@@ -232,7 +232,7 @@ PN_EXTERN int pn_ssl_domain_set_peer_authentication(pn_ssl_domain_t *domain,
* @param[in] domain the ssl domain to configure.
* @param[in] protocols string representing the protocol list.
* This list is a space separated string of the allowed TLS protocols,
- * The current possibilities are TLSv1 TLSv1.1 TLSv1.2. None of the earlier SSL
+ * The current possibilities are TLSv1 TLSv1.1 TLSv1.2 TLSv1.3. None of the earlier SSL
* protocols are allowed for security reason.
*
* @note If this API not called then all the TLS protocols are allowed. The API only acts to
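Review bot: The updated list at the fourth line of the hunk names TLSv1.3 as a current possibility without qualification, but the openssl.c change in this commit accepts it only when the build's OpenSSL headers define SSL_OP_NO_TLSv1_3, and the ssl_test.cpp change expects PN_ARG_ERR otherwise. A one-line addition after the list would make that visible to callers: ` * TLSv1.3 is only recognised when built against an OpenSSL that supports it (1.1.1 or later); otherwise it is rejected like any unknown name.` The doc comment continues past the end of the hunk.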
diff --git a/c/src/ssl/openssl.c b/c/src/ssl/openssl.c
index c2b5869..c791b73 100644
--- a/c/src/ssl/openssl.c
+++ b/c/src/ssl/openssl.c
@@ -624,10 +624,20 @@ int pn_ssl_domain_set_protocols(pn_ssl_domain_t *domain, const char *protocols)
{
{"TLSv1", SSL_OP_NO_TLSv1},
{"TLSv1.1", SSL_OP_NO_TLSv1_1},
- {"TLSv1.2", SSL_OP_NO_TLSv1_2}
+ {"TLSv1.2", SSL_OP_NO_TLSv1_2},
+#ifdef SSL_OP_NO_TLSv1_3
+ {"TLSv1.3", SSL_OP_NO_TLSv1_3},
+#endif
};
static const char seps[] = " ,;";
- static const long all_prots = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
+ static const long all_prots =
+ SSL_OP_NO_TLSv1
+ | SSL_OP_NO_TLSv1_1
+ | SSL_OP_NO_TLSv1_2
+#ifdef SSL_OP_NO_TLSv1_3
+ | SSL_OP_NO_TLSv1_3
+#endif
+ ;
// Start with all protocols turned off
long options = all_prots;
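Review bot: `all_prots` is now a second hand-maintained copy of the option bits already listed in `protocol_options`, each copy behind its own `#ifdef SSL_OP_NO_TLSv1_3`, so the two can drift the next time an entry is added to only one of them. Because `options` starts as `all_prots` and each matched token only clears one bit, a bit absent from the mask is never set and that protocol is never turned off, however the options are applied later. Deriving the mask from the table removes the duplication: `long all_prots = 0;` / `for (size_t i = 0; i < sizeof(protocol_options)/sizeof(*protocol_options); ++i) all_prots |= protocol_options[i].option;`. pn_ssl_domain_set_protocols and the `protocol_options` declaration both begin before the first line of this hunk.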
@@ -643,7 +653,7 @@ int pn_ssl_domain_set_protocols(pn_ssl_domain_t *domain, const char *protocols)
}
if (tsize==0) break; // No more tokens
- // Linear search the posibilities for the option to set
+ // Linear search the possibilities for the option to set
for (size_t i = 0; i<sizeof(protocol_options)/sizeof(*protocol_options); ++i) {
if (strncmp(token, protocol_options[i].name, tsize)==0) {
options &= ~protocol_options[i].option;
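Review bot: The match on the second-to-last line, `strncmp(token, protocol_options[i].name, tsize)==0`, compares only the first tsize bytes, so a token that is a proper prefix of an entry name is accepted as that entry instead of being rejected: `TLS` resolves to the `TLSv1` entry and `TLSv1.` to `TLSv1.1`, and the exact token `TLSv1` only resolves correctly because it precedes `TLSv1.1` in the table. Requiring equal length closes this: `if (strlen(protocol_options[i].name)==tsize && strncmp(token, protocol_options[i].name, tsize)==0) {`. This assumes tsize is the length of the current token, as the `tsize==0` check two lines above suggests; the behaviour predates the commit, but the new `TLSv1.3` entry adds another name sharing the `TLSv1` prefix. The tokenising loop starts, and the function ends, outside this hunk.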
diff --git a/c/tests/ssl_test.cpp b/c/tests/ssl_test.cpp
index bd1e228..122ad4c 100644
--- a/c/tests/ssl_test.cpp
+++ b/c/tests/ssl_test.cpp
@@ -41,12 +41,24 @@ TEST_CASE("ssl_protocols") {
CHECK(pn_ssl_domain_set_protocols(sd, "TLSv1.1") == 0);
CHECK(pn_ssl_domain_set_protocols(sd, "TLSv1.2") == 0);
+ // Check whether TLS 1.3 is supported
+ bool tls1_3 = (pn_ssl_domain_set_protocols(sd, "TLSv1.3") == 0);
+
// Multiple protocols
CHECK(pn_ssl_domain_set_protocols(sd, "TLSv1 TLSv1.1 TLSv1.2") == 0);
CHECK(pn_ssl_domain_set_protocols(sd, "TLSv1 TLSv1.1") == 0);
CHECK(pn_ssl_domain_set_protocols(sd, "TLSv1.1 TLSv1.2") == 0);
CHECK(pn_ssl_domain_set_protocols(sd, "TLSv1 TLSv1.2") == 0);
+ // Can only do these if we have tls 1.3
+ if (tls1_3) {
+ CHECK(pn_ssl_domain_set_protocols(sd, "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3") == 0);
+ CHECK(pn_ssl_domain_set_protocols(sd, "TLSv1.2 TLSv1.3") == 0);
+ } else {
+ CHECK(pn_ssl_domain_set_protocols(sd, "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3") == PN_ARG_ERR);
+ CHECK(pn_ssl_domain_set_protocols(sd, "TLSv1.2 TLSv1.3") == PN_ARG_ERR);
+ }
+
// Illegal separators
CHECK(pn_ssl_domain_set_protocols(sd, "TLSv1/TLSv1.1 TLSv1.2") == PN_ARG_ERR);
CHECK(pn_ssl_domain_set_protocols(sd, "TLSv1-TLSv1.1 TLSv1.2") == PN_ARG_ERR);
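Review bot: The probe `bool tls1_3 = (pn_ssl_domain_set_protocols(sd, "TLSv1.3") == 0);` near the top of the hunk silently decides which branch of the new `if (tls1_3)` block runs, so a build against a TLS 1.3-capable OpenSSL that nonetheless takes the PN_ARG_ERR branch would pass without anyone noticing. Recording the outcome in the test output, e.g. `if (!tls1_3) WARN("TLSv1.3 not accepted by this OpenSSL; TLSv1.3 cases skipped");` (or whichever informational macro the framework provides), makes the exercised path visible without hard-failing builds on older OpenSSL. The TEST_CASE body begins before and continues after this hunk.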