qpid-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From g...@apache.org
Subject [19/50] [abbrv] qpid-proton git commit: PROTON-716: reject connections using SSLv3 - it is insecure
Date Fri, 14 Nov 2014 11:03:28 GMT
PROTON-716: reject connections using SSLv3 - it is insecure

git-svn-id: https://svn.apache.org/repos/asf/qpid/proton/trunk@1632175 13f79535-47bb-0310-9956-ffa450edef68


Project: http://git-wip-us.apache.org/repos/asf/qpid-proton/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-proton/commit/8f334e59
Tree: http://git-wip-us.apache.org/repos/asf/qpid-proton/tree/8f334e59
Diff: http://git-wip-us.apache.org/repos/asf/qpid-proton/diff/8f334e59

Branch: refs/heads/examples
Commit: 8f334e59670fe71c39f38d62d86fbc649cc1ede4
Parents: eb45c9d
Author: Ken Giusti <kgiusti@apache.org>
Authored: Wed Oct 15 20:46:42 2014 +0000
Committer: Ken Giusti <kgiusti@apache.org>
Committed: Wed Oct 15 20:46:42 2014 +0000

----------------------------------------------------------------------
 proton-c/src/ssl/openssl.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/8f334e59/proton-c/src/ssl/openssl.c
----------------------------------------------------------------------
diff --git a/proton-c/src/ssl/openssl.c b/proton-c/src/ssl/openssl.c
index 9f6e134..7c71eef 100644
--- a/proton-c/src/ssl/openssl.c
+++ b/proton-c/src/ssl/openssl.c
@@ -451,9 +451,13 @@ pn_ssl_domain_t *pn_ssl_domain( pn_ssl_mode_t mode )
 
   domain->ref_count = 1;
   domain->mode = mode;
+
+  // enable all supported protocol versions, then explicitly disable the
+  // known vulnerable ones.  This should allow us to use the latest version
+  // of the TLS standard that the installed library supports.
   switch(mode) {
   case PN_SSL_MODE_CLIENT:
-    domain->ctx = SSL_CTX_new(TLSv1_client_method());
+    domain->ctx = SSL_CTX_new(SSLv23_client_method()); // and TLSv1+
     if (!domain->ctx) {
       _log_ssl_error( "Unable to initialize OpenSSL context.\n");
       free(domain);
@@ -462,20 +466,21 @@ pn_ssl_domain_t *pn_ssl_domain( pn_ssl_mode_t mode )
     break;
 
   case PN_SSL_MODE_SERVER:
-    domain->ctx = SSL_CTX_new(SSLv23_server_method());
+    domain->ctx = SSL_CTX_new(SSLv23_server_method()); // and TLSv1+
     if (!domain->ctx) {
       _log_ssl_error("Unable to initialize OpenSSL context.\n");
       free(domain);
       return NULL;
     }
-    SSL_CTX_set_options(domain->ctx, SSL_OP_NO_SSLv2);  // v2 is insecure
     break;
 
   default:
-    _log_error("Invalid valid for pn_ssl_mode_t: %d\n", mode);
+    _log_error("Invalid value for pn_ssl_mode_t: %d\n", mode);
     free(domain);
     return NULL;
   }
+  const long reject_insecure = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+  SSL_CTX_set_options(domain->ctx, reject_insecure);
 
   // by default, allow anonymous ciphers so certificates are not required 'out of the box'
   if (!SSL_CTX_set_cipher_list( domain->ctx, CIPHERS_ANONYMOUS )) {


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org


Mime
View raw message