Posted to commits@qpid.apache.org by kg...@apache.org on 2014/10/20 15:07:15 UTC

svn commit: r1633146 - /qpid/trunk/qpid/cpp/src/qpid/sys/ssl/util.cpp

Author: kgiusti
Date: Mon Oct 20 13:07:15 2014
New Revision: 1633146

URL: http://svn.apache.org/r1633146
Log:
QPID-6160: disable SSLv3 in CPP broker and client

Modified:
    qpid/trunk/qpid/cpp/src/qpid/sys/ssl/util.cpp

Modified: qpid/trunk/qpid/cpp/src/qpid/sys/ssl/util.cpp
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/sys/ssl/util.cpp?rev=1633146&r1=1633145&r2=1633146&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/sys/ssl/util.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/sys/ssl/util.cpp Mon Oct 20 13:07:15 2014
@@ -107,6 +107,16 @@ void initNSS(const SslOptions& options, 
         //use defaults for all args, TODO: may want to make this configurable
         SSL_ConfigServerSessionIDCache(0, 0, 0, 0);
     }
+
+    // disable SSLv2 and SSLv3 versions of the protocol - they are
+    // no longer considered secure
+    SSLVersionRange vrange;
+    const uint16_t tlsv1 = 0x0301;  // Protocol version for TLSv1.0
+    NSS_CHECK(SSL_VersionRangeGetDefault(ssl_variant_stream, &vrange));
+    if (vrange.min < tlsv1) {
+        vrange.min = tlsv1;
+        NSS_CHECK(SSL_VersionRangeSetDefault(ssl_variant_stream, &vrange));
+    }
 }
 
 void shutdownNSS()
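Review bot: The added comment claims SSLv2 is disabled as well, but the code only raises `vrange.min` on the stream version-range default. As far as I know that range API covers SSL 3.0 and later, and SSLv2 in NSS is controlled by a separate option. Either reword the comment to say only SSLv3 is excluded here, or make the intent explicit with `NSS_CHECK(SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_FALSE));` rather than relying on the library default. The literal `0x0301` could be replaced by the named constant `SSL_LIBRARY_VERSION_TLS_1_0` from NSS's `sslproto.h`, so the floor is easy to find when it needs raising again. This sets only the process-wide default, so any socket that sets its own range elsewhere would not be covered; initNSS begins outside the hunk, so that cannot be checked from here.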


