Posted to commits@qpid.apache.org by as...@apache.org on 2019/03/14 20:05:34 UTC
[qpid-proton] 05/06: PROTON-2014: [c] Ensure SSL mutual authentication
This is an automated email from the ASF dual-hosted git repository.
astitcher pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/qpid-proton.git
commit 97c7733f07712665f3d08091c82c393e4c3adbf7
Author: Andrew Stitcher <as...@apache.org>
AuthorDate: Thu Mar 7 15:51:11 2019 -0500
PROTON-2014: [c] Ensure SSL mutual authentication
---
c/src/ssl/openssl.c | 8 ++++++++
c/src/ssl/schannel.c | 5 +++++
2 files changed, 13 insertions(+)
diff --git a/c/src/ssl/openssl.c b/c/src/ssl/openssl.c
index 89cc1aa..63d7562 100644
--- a/c/src/ssl/openssl.c
+++ b/c/src/ssl/openssl.c
@@ -756,6 +756,14 @@ int pn_ssl_domain_set_peer_authentication(pn_ssl_domain_t *domain,
#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
SSL_CTX_set_verify_depth(domain->ctx, 1);
#endif
+
+ // A bit of a hack - If we asked for peer verification then disallow anonymous ciphers
+ // A much more robust thing would be to ensure that we actually have a peer certificate
+ // when we've finished the SSL handshake
+ if (!domain->ciphers && !SSL_CTX_set_cipher_list( domain->ctx, CIPHERS_AUTHENTICATE )) {
+ ssl_log_error("Failed to set cipher list to %s", CIPHERS_AUTHENTICATE);
+ return -1;
+ }
break;
case PN_SSL_ANONYMOUS_PEER: // hippie free love mode... :)
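Review bot: The `!domain->ciphers` guard on the new `SSL_CTX_set_cipher_list` call means the anonymous-suite exclusion is silently skipped whenever the application has supplied its own cipher list, so a caller that asked for PN_SSL_VERIFY_PEER but whose list still admits aNULL suites gets no peer authentication and no error; the same holds if a cipher list is set after this call, since that would overwrite CIPHERS_AUTHENTICATE (the setter is not in the hunk, so that ordering is inferred). The comment already concedes this is a stopgap, and the robust check it describes is cheap: where the handshake completes for a domain in this mode, reject the session when no certificate arrived, e.g. `if (!SSL_get_peer_certificate(ssl)) { ssl_failed(transport, "peer certificate required but not presented"); }` (the returned X509 must be freed when non-NULL). Until that lands, the comment should say what the guard gives up, e.g. `// NOTE: if the application set its own cipher list it is responsible for excluding aNULL/eNULL suites; anonymous suites are only filtered here when no list was given`. CIPHERS_AUTHENTICATE is defined outside the hunk, so its contents cannot be checked here, and pn_ssl_domain_set_peer_authentication's switch both starts and ends outside the hunk.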
diff --git a/c/src/ssl/schannel.c b/c/src/ssl/schannel.c
index 15e7d8a..bebaf56 100644
--- a/c/src/ssl/schannel.c
+++ b/c/src/ssl/schannel.c
@@ -1354,6 +1354,11 @@ static void server_handshake(pn_transport_t* transport)
ssl_log(transport, "server handshake successful %d max record size", max);
break;
+ case SEC_E_ALGORITHM_MISMATCH:
+ ssl_log(transport, "server handshake failed: no common algorithm");
+ ssl_failed(transport, "server handshake failed: no common algorithm");
+ break;
+
case SEC_I_CONTEXT_EXPIRED:
// ended before we got going
default:
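Review bot: The new SEC_E_ALGORITHM_MISMATCH case carries no comment saying why this status needs special handling in a commit about mutual authentication, so the next reader cannot tell whether it is the status SChannel returns when a client supplies no certificate under a mutual-auth context or merely an unrelated cipher mismatch; a one-line note above the case, e.g. `// Seen when ... — treat as a handshake failure rather than falling through to the generic default` with the observed scenario filled in, would settle that (hedged: the cause is not visible from this hunk). If the intent is specifically to enforce that a client certificate was presented, that is better checked explicitly after the successful-handshake branch with QueryContextAttributes(SECPKG_ATTR_REMOTE_CERT_CONTEXT) than inferred from this status. The same message literal is also repeated in the ssl_log and ssl_failed calls; a single `static const char no_alg_msg[] = "server handshake failed: no common algorithm";` avoids the two strings drifting apart. Only server_handshake is touched here; the client-side handshake, if it has a parallel switch, is not in this hunk, and server_handshake itself begins and ends outside it.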