Posted to commits@qpid.apache.org by kg...@apache.org on 2014/10/15 22:46:43 UTC
svn commit: r1632175 - /qpid/proton/trunk/proton-c/src/ssl/openssl.c
Author: kgiusti
Date: Wed Oct 15 20:46:42 2014
New Revision: 1632175
URL: http://svn.apache.org/r1632175
Log:
PROTON-716: reject connections using SSLv3 - it is insecure
Modified:
qpid/proton/trunk/proton-c/src/ssl/openssl.c
Modified: qpid/proton/trunk/proton-c/src/ssl/openssl.c
URL: http://svn.apache.org/viewvc/qpid/proton/trunk/proton-c/src/ssl/openssl.c?rev=1632175&r1=1632174&r2=1632175&view=diff
==============================================================================
--- qpid/proton/trunk/proton-c/src/ssl/openssl.c (original)
+++ qpid/proton/trunk/proton-c/src/ssl/openssl.c Wed Oct 15 20:46:42 2014
@@ -451,9 +451,13 @@ pn_ssl_domain_t *pn_ssl_domain( pn_ssl_m
domain->ref_count = 1;
domain->mode = mode;
+
+ // enable all supported protocol versions, then explicitly disable the
+ // known vulnerable ones. This should allow us to use the latest version
+ // of the TLS standard that the installed library supports.
switch(mode) {
case PN_SSL_MODE_CLIENT:
- domain->ctx = SSL_CTX_new(TLSv1_client_method());
+ domain->ctx = SSL_CTX_new(SSLv23_client_method()); // and TLSv1+
if (!domain->ctx) {
_log_ssl_error( "Unable to initialize OpenSSL context.\n");
free(domain);
@@ -462,20 +466,21 @@ pn_ssl_domain_t *pn_ssl_domain( pn_ssl_m
break;
case PN_SSL_MODE_SERVER:
- domain->ctx = SSL_CTX_new(SSLv23_server_method());
+ domain->ctx = SSL_CTX_new(SSLv23_server_method()); // and TLSv1+
if (!domain->ctx) {
_log_ssl_error("Unable to initialize OpenSSL context.\n");
free(domain);
return NULL;
}
- SSL_CTX_set_options(domain->ctx, SSL_OP_NO_SSLv2); // v2 is insecure
break;
default:
- _log_error("Invalid valid for pn_ssl_mode_t: %d\n", mode);
+ _log_error("Invalid value for pn_ssl_mode_t: %d\n", mode);
free(domain);
return NULL;
}
+ const long reject_insecure = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+ SSL_CTX_set_options(domain->ctx, reject_insecure);
// by default, allow anonymous ciphers so certificates are not required 'out of the box'
if (!SSL_CTX_set_cipher_list( domain->ctx, CIPHERS_ANONYMOUS )) {
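Review bot: The protocol floor for both modes now rests solely on the `SSL_CTX_set_options(domain->ctx, reject_insecure)` call after the switch, yet the `// and TLSv1+` comments added on the two `SSLv23_*_method()` lines read as if the method itself guarantees that; it does not — the old server path already used `SSLv23_server_method()` and still needed this commit to stop negotiating SSLv3. Suggest rewording those two trailing comments to `// any version; floor enforced by reject_insecure below` so a future `case` added to the switch is not assumed safe on its own. The client side also moves from `TLSv1_client_method()` (TLS 1.0 only) to a negotiating method, so clients can now reach TLS 1.1/1.2 where the linked library supports them; the block comment above the switch should say that explicitly, since the log line mentions only rejecting SSLv3. pn_ssl_domain begins before the first hunk and continues past the end of the second.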