From astitc...@apache.org
Subject [4/5] qpid-proton git commit: PROTON-1326: restore anonymous cyphers by lowering OpenSSL v1.1 security level just for the PN_SSL_ANONYMOUS_PEER verification mode
Date Thu, 03 Aug 2017 16:56:46 GMT
PROTON-1326: restore anonymous cyphers by lowering OpenSSL v1.1 security level just for the
PN_SSL_ANONYMOUS_PEER verification mode


Project: http://git-wip-us.apache.org/repos/asf/qpid-proton/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-proton/commit/8c54c625
Tree: http://git-wip-us.apache.org/repos/asf/qpid-proton/tree/8c54c625
Diff: http://git-wip-us.apache.org/repos/asf/qpid-proton/diff/8c54c625

Branch: refs/heads/master
Commit: 8c54c62516671375de4068158ccaa0bc1dba0a4a
Parents: 62fee10
Author: Cliff Jansen <cjansen@redhat.com>
Authored: Wed Aug 2 16:34:39 2017 -0700
Committer: Andrew Stitcher <astitcher@apache.org>
Committed: Thu Aug 3 12:47:44 2017 -0400

----------------------------------------------------------------------
 proton-c/src/ssl/openssl.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/8c54c625/proton-c/src/ssl/openssl.c
----------------------------------------------------------------------
diff --git a/proton-c/src/ssl/openssl.c b/proton-c/src/ssl/openssl.c
index 8cb4e7b..f37cf49 100644
--- a/proton-c/src/ssl/openssl.c
+++ b/proton-c/src/ssl/openssl.c
@@ -72,6 +72,9 @@ struct pn_ssl_domain_t {
   char *trusted_CAs;
 
   int   ref_count;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+  int default_seclevel;
+#endif
   pn_ssl_mode_t mode;
   pn_ssl_verify_mode_t verify_mode;
 
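Review bot: The new `default_seclevel` field carries no comment saying what it records or who restores it, so a reader of the struct has only the `#if` guard as a hint. Suggest `int default_seclevel;  // ctx security level as created (OpenSSL >= 1.1); restored when leaving PN_SSL_ANONYMOUS_PEER`. struct pn_ssl_domain_t begins before this hunk.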
@@ -524,6 +527,9 @@ pn_ssl_domain_t *pn_ssl_domain( pn_ssl_mode_t mode )
   // Mitigate the CRIME vulnerability
   SSL_CTX_set_options(domain->ctx, SSL_OP_NO_COMPRESSION);
 #endif
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+    domain->default_seclevel = SSL_CTX_get_security_level(domain->ctx);
+#endif
 
   // by default, allow anonymous ciphers so certificates are not required 'out of the box'
   if (!SSL_CTX_set_cipher_list( domain->ctx, CIPHERS_ANONYMOUS )) {
@@ -647,6 +653,10 @@ int pn_ssl_domain_set_peer_authentication(pn_ssl_domain_t *domain,
   case PN_SSL_VERIFY_PEER:
   case PN_SSL_VERIFY_PEER_NAME:
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+    SSL_CTX_set_security_level(domain->ctx, domain->default_seclevel);
+#endif
+
     if (!domain->has_ca_db) {
       pn_transport_logf(NULL, "Error: cannot verify peer without a trusted CA configured.\n"
                  "       Use pn_ssl_domain_set_trusted_ca_db()");
@@ -685,6 +695,10 @@ int pn_ssl_domain_set_peer_authentication(pn_ssl_domain_t *domain,
     break;
 
   case PN_SSL_ANONYMOUS_PEER:   // hippie free love mode... :)
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+    // Must use lowest OpenSSL security level to enable anonymous ciphers.
+    SSL_CTX_set_security_level(domain->ctx, 0);
+#endif
     SSL_CTX_set_verify( domain->ctx, SSL_VERIFY_NONE, NULL );
     break;
 
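Review bot: Level 0 does not merely re-admit the aNULL suites the new comment mentions: on OpenSSL 1.1 it switches off every security-level check (minimum key and parameter sizes, the MD5-MAC and export-suite exclusions, the protocol-version floors), so after this call the cipher list is the only thing bounding what the handshake may negotiate, and CIPHERS_ANONYMOUS (defined outside this hunk) has to carry that restriction on its own. The comment should say so, e.g. `// Level 0 disables all OpenSSL security-level checks, not only the aNULL exclusion; the cipher list is then the sole restriction.`. As far as I know an SSL object copies the level from its ctx at SSL_new time, so transports already created from this domain keep their previous level — worth confirming if domains can be reconfigured after use.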



