Posted to commits@qpid.apache.org by kg...@apache.org on 2014/10/15 22:46:43 UTC

svn commit: r1632175 - /qpid/proton/trunk/proton-c/src/ssl/openssl.c

Author: kgiusti
Date: Wed Oct 15 20:46:42 2014
New Revision: 1632175

URL: http://svn.apache.org/r1632175
Log:
PROTON-716: reject connections using SSLv3 - it is insecure

Modified:
    qpid/proton/trunk/proton-c/src/ssl/openssl.c

Modified: qpid/proton/trunk/proton-c/src/ssl/openssl.c
URL: http://svn.apache.org/viewvc/qpid/proton/trunk/proton-c/src/ssl/openssl.c?rev=1632175&r1=1632174&r2=1632175&view=diff
==============================================================================
--- qpid/proton/trunk/proton-c/src/ssl/openssl.c (original)
+++ qpid/proton/trunk/proton-c/src/ssl/openssl.c Wed Oct 15 20:46:42 2014
@@ -451,9 +451,13 @@ pn_ssl_domain_t *pn_ssl_domain( pn_ssl_m
 
   domain->ref_count = 1;
   domain->mode = mode;
+
+  // enable all supported protocol versions, then explicitly disable the
+  // known vulnerable ones.  This should allow us to use the latest version
+  // of the TLS standard that the installed library supports.
   switch(mode) {
   case PN_SSL_MODE_CLIENT:
-    domain->ctx = SSL_CTX_new(TLSv1_client_method());
+    domain->ctx = SSL_CTX_new(SSLv23_client_method()); // and TLSv1+
     if (!domain->ctx) {
       _log_ssl_error( "Unable to initialize OpenSSL context.\n");
       free(domain);
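Review bot: The trailing comment `// and TLSv1+` on the new `SSLv23_client_method()` call is too terse. It does not say that this method, despite its name, negotiates the highest protocol version both peers support, or that the SSLv2/SSLv3 exclusion is applied only by the `SSL_CTX_set_options` call after the switch. I would replace it with `// version-negotiating method; SSLv2 and SSLv3 are disabled after the switch`. The same trailing comment is repeated on the server case in the next hunk. pn_ssl_domain starts before this hunk and continues past it, so the client error path is only partly visible here.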
@@ -462,20 +466,21 @@ pn_ssl_domain_t *pn_ssl_domain( pn_ssl_m
     break;
 
   case PN_SSL_MODE_SERVER:
-    domain->ctx = SSL_CTX_new(SSLv23_server_method());
+    domain->ctx = SSL_CTX_new(SSLv23_server_method()); // and TLSv1+
     if (!domain->ctx) {
       _log_ssl_error("Unable to initialize OpenSSL context.\n");
       free(domain);
       return NULL;
     }
-    SSL_CTX_set_options(domain->ctx, SSL_OP_NO_SSLv2);  // v2 is insecure
     break;
 
   default:
-    _log_error("Invalid valid for pn_ssl_mode_t: %d\n", mode);
+    _log_error("Invalid value for pn_ssl_mode_t: %d\n", mode);
     free(domain);
     return NULL;
   }
+  const long reject_insecure = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+  SSL_CTX_set_options(domain->ctx, reject_insecure);
 
   // by default, allow anonymous ciphers so certificates are not required 'out of the box'
   if (!SSL_CTX_set_cipher_list( domain->ctx, CIPHERS_ANONYMOUS )) {
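Review bot: The new `SSL_CTX_set_options(domain->ctx, reject_insecure)` call after the switch has no comment of its own. The old `// v2 is insecure` remark was removed along with the server-only call, and the explanation now sits above the switch, in the previous hunk. A comment at the call site, such as `// SSLv2 and SSLv3 are insecure (PROTON-716); disabled for both client and server`, would keep the reason next to the mask. The context line below still enables anonymous ciphers by default, so this change sets a protocol floor but does not by itself authenticate the peer; that may be worth stating in the same comment. The function continues outside the hunk.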


