qpid-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From astitc...@apache.org
Subject qpid-proton git commit: PROTON-1582: Allow applications to set the permitted SSL ciphers
Date Fri, 29 Sep 2017 12:26:21 GMT
Repository: qpid-proton
Updated Branches:
  refs/heads/master 5105b6418 -> b03f8aad1


PROTON-1582: Allow applications to set the permitted SSL ciphers


Project: http://git-wip-us.apache.org/repos/asf/qpid-proton/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-proton/commit/b03f8aad
Tree: http://git-wip-us.apache.org/repos/asf/qpid-proton/tree/b03f8aad
Diff: http://git-wip-us.apache.org/repos/asf/qpid-proton/diff/b03f8aad

Branch: refs/heads/master
Commit: b03f8aad13034f6aa3f81bbc11ac57ca5b55756f
Parents: 5105b64
Author: Andrew Stitcher <astitcher@apache.org>
Authored: Thu Sep 28 16:26:57 2017 -0400
Committer: Andrew Stitcher <astitcher@apache.org>
Committed: Fri Sep 29 08:23:39 2017 -0400

----------------------------------------------------------------------
 proton-c/include/proton/ssl.h | 12 ++++++++++++
 proton-c/src/ssl/openssl.c    | 16 +++++++++++++++-
 proton-c/src/ssl/schannel.c   |  5 +++++
 proton-c/src/ssl/ssl_stub.c   |  5 +++++
 4 files changed, 37 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/b03f8aad/proton-c/include/proton/ssl.h
----------------------------------------------------------------------
diff --git a/proton-c/include/proton/ssl.h b/proton-c/include/proton/ssl.h
index 4e5ae77..2d6322f 100644
--- a/proton-c/include/proton/ssl.h
+++ b/proton-c/include/proton/ssl.h
@@ -227,6 +227,18 @@ PN_EXTERN int pn_ssl_domain_set_peer_authentication(pn_ssl_domain_t *domain,
                                                     const char *trusted_CAs);
 
 /**
+ * Configure the list of permitted ciphers
+ *
+ * @note The syntax of the permitted list is undefined and will depend on the
+ * underlying SSL implementation.
+ *
+ * @param[in] domain the ssl domain to configure.
+ * @param[in] ciphers string representing the cipher list
+ * @return 0 on success
+ */
+PN_EXTERN int pn_ssl_domain_set_ciphers(pn_ssl_domain_t *domain, const char *ciphers);
+
+/**
  * Permit a server to accept connection requests from non-SSL clients.
  *
  * This configures the server to "sniff" the incoming client data stream, and dynamically

http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/b03f8aad/proton-c/src/ssl/openssl.c
----------------------------------------------------------------------
diff --git a/proton-c/src/ssl/openssl.c b/proton-c/src/ssl/openssl.c
index 3a4e1a3..669f975 100644
--- a/proton-c/src/ssl/openssl.c
+++ b/proton-c/src/ssl/openssl.c
@@ -71,6 +71,8 @@ struct pn_ssl_domain_t {
   // settings used for all connections
   char *trusted_CAs;
 
+  char *ciphers;
+
   int   ref_count;
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
   int default_seclevel;
@@ -561,6 +563,7 @@ void pn_ssl_domain_free( pn_ssl_domain_t *domain )
     if (domain->ctx) SSL_CTX_free(domain->ctx);
     if (domain->keyfile_pw) free(domain->keyfile_pw);
     if (domain->trusted_CAs) free(domain->trusted_CAs);
+    if (domain->ciphers) free(domain->ciphers);
     free(domain);
   }
 }
@@ -600,7 +603,7 @@ int pn_ssl_domain_set_credentials( pn_ssl_domain_t *domain,
   // bug in older versions of OpenSSL: servers may request client cert even if anonymous
   // cipher was negotiated.  TLSv1 will reject such a request.  Hack: once a cert is
   // configured, allow only authenticated ciphers.
-  if (!SSL_CTX_set_cipher_list( domain->ctx, CIPHERS_AUTHENTICATE )) {
+  if (!domain->ciphers && !SSL_CTX_set_cipher_list( domain->ctx, CIPHERS_AUTHENTICATE
)) {
       ssl_log_error("Failed to set cipher list to %s", CIPHERS_AUTHENTICATE);
       return -6;
   }
@@ -608,6 +611,17 @@ int pn_ssl_domain_set_credentials( pn_ssl_domain_t *domain,
   return 0;
 }
 
+int pn_ssl_domain_set_ciphers(pn_ssl_domain_t *domain, const char *ciphers)
+{
+  if (!SSL_CTX_set_cipher_list(domain->ctx, ciphers)) {
+    ssl_log_error("Failed to set cipher list to %s", ciphers);
+    return -6;
+  }
+  if (domain->ciphers) free(domain->ciphers);
+  domain->ciphers = pn_strdup(ciphers);
+  return 0;
+}
+
 
 int pn_ssl_domain_set_trusted_ca_db(pn_ssl_domain_t *domain,
                                     const char *certificate_db)

http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/b03f8aad/proton-c/src/ssl/schannel.c
----------------------------------------------------------------------
diff --git a/proton-c/src/ssl/schannel.c b/proton-c/src/ssl/schannel.c
index 5dae80c..763cae5 100644
--- a/proton-c/src/ssl/schannel.c
+++ b/proton-c/src/ssl/schannel.c
@@ -573,6 +573,11 @@ int pn_ssl_domain_set_peer_authentication(pn_ssl_domain_t *domain,
   return 0;
 }
 
+int pn_ssl_domain_set_ciphers(pn_ssl_domain_t *domain, const char *ciphers)
+{
+  return -1;
+}
+
 const pn_io_layer_t ssl_layer = {
     process_input_ssl,
     process_output_ssl,

http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/b03f8aad/proton-c/src/ssl/ssl_stub.c
----------------------------------------------------------------------
diff --git a/proton-c/src/ssl/ssl_stub.c b/proton-c/src/ssl/ssl_stub.c
index 2d58a5c..8607b88 100644
--- a/proton-c/src/ssl/ssl_stub.c
+++ b/proton-c/src/ssl/ssl_stub.c
@@ -120,6 +120,11 @@ int pn_ssl_domain_allow_unsecured_client(pn_ssl_domain_t *domain)
   return -1;
 }
 
+int pn_ssl_domain_set_ciphers(pn_ssl_domain_t *domain, const char *ciphers)
+{
+  return -1;
+}
+
 bool pn_ssl_allow_unsecured(pn_ssl_t *ssl)
 {
   return true;


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org


Mime
View raw message