-rw-r--r-- | config/PropertyNames.xml | 1 | ||||
-rw-r--r-- | cpp/src/Ice/PropertyNames.cpp | 3 | ||||
-rw-r--r-- | cpp/src/Ice/PropertyNames.h | 2 | ||||
-rw-r--r-- | cpp/src/IceSSL/Makefile | 2 | ||||
-rw-r--r-- | cpp/src/IceSSL/OpenSSLEngine.cpp | 59 | ||||
-rw-r--r-- | cpp/src/IceSSL/Util.cpp | 159 | ||||
-rw-r--r-- | cpp/src/IceUtil/Makefile | 2 | ||||
-rw-r--r-- | cpp/test/IceSSL/configuration/AllTests.cpp | 30 | ||||
-rw-r--r-- | csharp/src/Ice/PropertyNames.cs | 3 | ||||
-rw-r--r-- | java/src/Ice/src/main/java/IceInternal/PropertyNames.java | 3 | ||||
-rw-r--r-- | js/src/Ice/PropertyNames.js | 2 |
11 files changed, 244 insertions, 22 deletions
diff --git a/config/PropertyNames.xml b/config/PropertyNames.xml
index 54e448629c8..3fad7023735 100644
--- a/config/PropertyNames.xml
+++ b/config/PropertyNames.xml
@@ -594,6 +594,7 @@ generated from the section label.
 <property name="ProtocolVersionMax" />
 <property name="ProtocolVersionMin" />
 <property name="Random" />
+ <property name="SecurityLevel" />
 <property name="Trace.Security" />
 <property name="TrustOnly" />
 <property name="TrustOnly.Client" />
diff --git a/cpp/src/Ice/PropertyNames.cpp b/cpp/src/Ice/PropertyNames.cpp
index 69f03cade5f..e4f02285b90 100644
--- a/cpp/src/Ice/PropertyNames.cpp
+++ b/cpp/src/Ice/PropertyNames.cpp
@@ -6,7 +6,7 @@
 // ICE_LICENSE file included in this distribution.
 //
 // **********************************************************************
-// Generated by makeprops.py from file ./config/PropertyNames.xml, Thu Apr 7 10:23:17 2016
+// Generated by makeprops.py from file ../config/PropertyNames.xml, Fri Jul 1 19:08:40 2016
 // IMPORTANT: Do not edit this file -- any edits made here will be lost!
@@ -1032,6 +1032,7 @@ const IceInternal::Property IceSSLPropsData[] =
 IceInternal::Property("IceSSL.ProtocolVersionMax", false, 0),
 IceInternal::Property("IceSSL.ProtocolVersionMin", false, 0),
 IceInternal::Property("IceSSL.Random", false, 0),
+ IceInternal::Property("IceSSL.SecurityLevel", false, 0),
 IceInternal::Property("IceSSL.Trace.Security", false, 0),
 IceInternal::Property("IceSSL.TrustOnly", false, 0),
 IceInternal::Property("IceSSL.TrustOnly.Client", false, 0),
diff --git a/cpp/src/Ice/PropertyNames.h b/cpp/src/Ice/PropertyNames.h
index d5712c8e2ab..151097655fc 100644
--- a/cpp/src/Ice/PropertyNames.h
+++ b/cpp/src/Ice/PropertyNames.h
@@ -6,7 +6,7 @@
 // ICE_LICENSE file included in this distribution.
 //
 // **********************************************************************
-// Generated by makeprops.py from file ./config/PropertyNames.xml, Thu Apr 7 10:23:17 2016
+// Generated by makeprops.py from file ../config/PropertyNames.xml, Fri Jul 1 19:08:40 2016
 // IMPORTANT: Do not edit this file -- any edits made here will be lost!
diff --git a/cpp/src/IceSSL/Makefile b/cpp/src/IceSSL/Makefile
index 5e551f3e363..ab3b8222167 100644
--- a/cpp/src/IceSSL/Makefile
+++ b/cpp/src/IceSSL/Makefile
@@ -55,7 +55,7 @@ include $(top_srcdir)/config/Make.rules
 CPPFLAGS := -I.. $(CPPFLAGS) -DICE_SSL_API_EXPORTS $(OPENSSL_FLAGS)
 SLICE2CPPFLAGS := --ice --include-dir IceSSL --dll-export ICE_SSL_API $(SLICE2CPPFLAGS)
-LINKWITH := $(BZIP2_RPATH_LINK) -lIce -lIceUtil $(SSL_OS_LIBS) $(CXXLIBS)
+LINKWITH := $(BZIP2_RPATH_LINK) $(OPENSSL_LIBS) -lIce -lIceUtil $(SSL_OS_LIBS) $(CXXLIBS)
 ifeq ($(STATICLIBS),yes)
 $(libdir)/$(LIBNAME): $(OBJS)
diff --git a/cpp/src/IceSSL/OpenSSLEngine.cpp b/cpp/src/IceSSL/OpenSSLEngine.cpp
index 029cf825ffd..a7232b06f7f 100644
--- a/cpp/src/IceSSL/OpenSSLEngine.cpp
+++ b/cpp/src/IceSSL/OpenSSLEngine.cpp
@@ -42,7 +42,10 @@ namespace
 IceUtil::Mutex* staticMutex = 0;
 int instanceCount = 0;
 bool initOpenSSL = false;
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 IceUtil::Mutex* locks = 0;
+#endif
 class Init
 {
@@ -55,17 +58,22 @@ public:
 ~Init()
 {
+ //
+ // OpenSSL 1.1.0 introduces a new thread API and removes
+ // the need to use a custom thread callback.
+ //
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 CRYPTO_set_locking_callback(0);
 CRYPTO_set_id_callback(0);
- delete staticMutex;
- staticMutex = 0;
-
 if(locks)
 {
 delete[] locks;
 locks = 0;
 }
+#endif
+ delete staticMutex;
+ staticMutex = 0;
 }
 };
@@ -76,6 +84,11 @@ extern "C"
 {
 //
+// OpenSSL 1.1.0 introduces a new thread API and removes
+// the need to use a custom thread callback.
+//
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+//
 // OpenSSL mutex callback.
 //
 void
@@ -114,6 +127,7 @@ IceSSL_opensslThreadIdCallback()
 # error "Unknown platform"
 # endif
 }
+#endif
 int
 IceSSL_opensslPasswordCallback(char* buf, int size, int flag, void* userData)
@@ -144,7 +158,12 @@ IceSSL_opensslPasswordCallback(char* buf, int size, int flag, void* userData)
 DH*
 IceSSL_opensslDHCallback(SSL* ssl, int /*isExport*/, int keyLength)
 {
- OpenSSLEngine* p = reinterpret_cast<OpenSSLEngine*>(SSL_CTX_get_ex_data(ssl->ctx, 0));
+# if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ SSL_CTX* ctx = SSL_get_SSL_CTX(ssl);
+# else
+ SSL_CTX* ctx = ssl->ctx;
+# endif
+ OpenSSLEngine* p = reinterpret_cast<OpenSSLEngine*>(SSL_CTX_get_ex_data(ctx, 0));
 return p->dhParams(keyLength);
 }
 # endif
@@ -196,6 +215,11 @@ OpenSSLEngine::OpenSSLEngine(const CommunicatorPtr& communicator) :
 initOpenSSL = properties->getPropertyAsIntWithDefault("IceSSL.InitOpenSSL", 1) > 0;
 if(initOpenSSL)
 {
+
+ //
+ // OpenSSL 1.1.0 remove the need for library initialization and cleanup.
+ //
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 //
 // Create the mutexes and set the callbacks.
 //
@@ -221,13 +245,11 @@ OpenSSLEngine::OpenSSLEngine(const CommunicatorPtr& communicator) :
 // load private key files generated by OpenSSL 1.x.
 //
 OpenSSL_add_all_algorithms();
+#endif
 //
 // Initialize the PRNG.
 //
-# ifdef WINDOWS
- RAND_screen(); // Uses data from the screen if possible.
-# endif
 char randFile[1024];
 if(RAND_file_name(randFile, sizeof(randFile))) // Gets the name of a default seed file.
 {
@@ -301,6 +323,10 @@ OpenSSLEngine::OpenSSLEngine(const CommunicatorPtr& communicator) :
 OpenSSLEngine::~OpenSSLEngine()
 {
+//
+// OpenSSL 1.1.0 remove the need for library initialization and cleanup.
+//
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 //
 // Clean up OpenSSL resources.
 //
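Review bot: In the IceSSL_opensslDHCallback hunk, the rewritten line `OpenSSLEngine* p = reinterpret_cast<OpenSSLEngine*>(SSL_CTX_get_ex_data(ctx, 0));` casts a `void*`, for which `static_cast<OpenSSLEngine*>(SSL_CTX_get_ex_data(ctx, 0))` is the defined and greppable conversion; `reinterpret_cast` is only needed for unrelated pointer types. Since the line is being touched anyway, this is the moment to switch to the named cast that matches the `const_cast`/`static_cast` usage elsewhere in this commit. The result `p` is then dereferenced unconditionally in `return p->dhParams(keyLength);`; whether ex-data slot 0 is always populated for every context that reaches this callback is not visible in the hunk, so a null check before the dereference would be worth confirming. The callback's body is fully visible within the hunk.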
@@ -323,6 +349,7 @@ OpenSSLEngine::~OpenSSLEngine()
 ERR_free_strings();
 EVP_cleanup();
 }
+#endif
 }
 bool
@@ -372,6 +399,18 @@ OpenSSLEngine::initialize()
 "IceSSL: unable to create SSL context:\n" + sslErrors());
 }
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ int securityLevel = properties->getPropertyAsIntWithDefault(propPrefix + "SecurityLevel", -1);
+ if(securityLevel != -1)
+ {
+ SSL_CTX_set_security_level(_ctx, securityLevel);
+ if(SSL_CTX_get_security_level(_ctx) != securityLevel)
+ {
+ throw PluginInitializationException(__FILE__, __LINE__,
+ "IceSSL: unable to set SSL security level:\n" + sslErrors());
+ }
+ }
+#endif
 //
 // Check for a default directory. We look in this directory for
 // files mentioned in the configuration.
@@ -528,6 +567,7 @@ OpenSSLEngine::initialize()
 "IceSSL: certificate file not found:\n" + file);
 }
 file = resolved;
+
 //
 // First we try to load the certificate using PKCS12 format if that fails
 // we fallback to PEM format.
@@ -945,6 +985,9 @@ OpenSSLEngine::parseProtocols(const StringSeq& protocols) const SSL_METHOD*
 OpenSSLEngine::getMethod(int /*protocols*/)
 {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ SSL_METHOD* meth = const_cast<SSL_METHOD*>(TLS_method());
+#else
 //
 // Despite its name, the SSLv23 method can negotiate SSL3, TLS1.0, TLS1.1, and TLS1.2.
 // We use the const_cast for backward compatibility with older OpenSSL releases.
@@ -959,7 +1002,7 @@ OpenSSLEngine::getMethod(int /*protocols*/)
 meth = const_cast<SSL_METHOD*>(TLSv1_2_method());
 }
 */
-
+#endif
 return meth;
 }
diff --git a/cpp/src/IceSSL/Util.cpp b/cpp/src/IceSSL/Util.cpp
index b55ca494233..a60ee4c1e97 100644
--- a/cpp/src/IceSSL/Util.cpp
+++ b/cpp/src/IceSSL/Util.cpp
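Review bot: The failure check after `SSL_CTX_set_security_level(_ctx, securityLevel);` in the initialize() hunk can only trip if OpenSSL stores a value other than the one requested, and since that setter does not queue an error the `sslErrors()` appended to the exception message will normally be empty, so a misconfiguration would surface as an unexplained failure. OpenSSL documents the security levels as 0 through 5; validating the property before applying it gives a clearer diagnostic, e.g. `if(securityLevel < -1 || securityLevel > 5) { throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: invalid IceSSL.SecurityLevel value"); }` placed ahead of the `!= -1` branch. The new property also deserves a comment on what it does, because level 0 turns off OpenSSL's minimum key-size and algorithm checks (the test in this commit relies on exactly that to accept anonymous DH), so operators should not lower it in production to make a failing handshake "work"; something like `// IceSSL.SecurityLevel maps to SSL_CTX_set_security_level (0-5); -1 keeps the OpenSSL default.` above the property read. initialize() begins and ends outside this hunk.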
@@ -109,7 +109,8 @@ parseBytes(const string& arg, vector<unsigned char>& buffer)
 namespace
 {
-# ifndef OPENSSL_NO_DH
+# ifndef OPENSSL_NO_DH
+# if OPENSSL_VERSION_NUMBER < 0x10100000L
 // The following arrays are predefined Diffie Hellman group parameters.
 // These are known strong primes, distributed with the OpenSSL library
@@ -223,11 +224,127 @@ unsigned char dh4096_p[] = unsigned char dh4096_g[] = { 0x02 }; +# else +// +// With OpenSSL 1.1.0 is no longer possible to acess the DH p and g +// data members to set the DH params. We still use the same default +// parameters but they were converted to DER format using +// i2d_DHparams and can be restored using d2i_DHparams + +unsigned char dh512[] = +{ + 0x30,0x46,0x02,0x41,0x00,0xF5,0x2A,0xFF,0x3C,0xE1,0xB1,0x29, + 0x40,0x18,0x11,0x8D,0x7C,0x84,0xA7,0x0A,0x72,0xD6,0x86,0xC4, + 0x03,0x19,0xC8,0x07,0x29,0x7A,0xCA,0x95,0x0C,0xD9,0x96,0x9F, + 0xAB,0xD0,0x0A,0x50,0x9B,0x02,0x46,0xD3,0x08,0x3D,0x66,0xA4, + 0x5D,0x41,0x9F,0x9C,0x7C,0xBD,0x89,0x4B,0x22,0x19,0x26,0xBA, + 0xAB,0xA2,0x5E,0xC3,0x55,0xE9,0x2A,0x05,0x5F,0x02,0x01,0x02, +}; + +unsigned char dh1024[] = +{ + 0x30,0x81,0x87,0x02,0x81,0x81,0x00,0xF4,0x88,0xFD,0x58,0x4E, + 0x49,0xDB,0xCD,0x20,0xB4,0x9D,0xE4,0x91,0x07,0x36,0x6B,0x33, + 0x6C,0x38,0x0D,0x45,0x1D,0x0F,0x7C,0x88,0xB3,0x1C,0x7C,0x5B, + 0x2D,0x8E,0xF6,0xF3,0xC9,0x23,0xC0,0x43,0xF0,0xA5,0x5B,0x18, + 0x8D,0x8E,0xBB,0x55,0x8C,0xB8,0x5D,0x38,0xD3,0x34,0xFD,0x7C, + 0x17,0x57,0x43,0xA3,0x1D,0x18,0x6C,0xDE,0x33,0x21,0x2C,0xB5, + 0x2A,0xFF,0x3C,0xE1,0xB1,0x29,0x40,0x18,0x11,0x8D,0x7C,0x84, + 0xA7,0x0A,0x72,0xD6,0x86,0xC4,0x03,0x19,0xC8,0x07,0x29,0x7A, + 0xCA,0x95,0x0C,0xD9,0x96,0x9F,0xAB,0xD0,0x0A,0x50,0x9B,0x02, + 0x46,0xD3,0x08,0x3D,0x66,0xA4,0x5D,0x41,0x9F,0x9C,0x7C,0xBD, + 0x89,0x4B,0x22,0x19,0x26,0xBA,0xAB,0xA2,0x5E,0xC3,0x55,0xE9, + 0x2F,0x78,0xC7,0x02,0x01,0x02, +}; + +unsigned char dh2048[] = +{ + 0x30,0x82,0x01,0x08,0x02,0x82,0x01,0x01,0x00,0xF6,0x42,0x57, + 0xB7,0x08,0x7F,0x08,0x17,0x72,0xA2,0xBA,0xD6,0xA9,0x42,0xF3, + 0x05,0xE8,0xF9,0x53,0x11,0x39,0x4F,0xB6,0xF1,0x6E,0xB9,0x4B, + 0x38,0x20,0xDA,0x01,0xA7,0x56,0xA3,0x14,0xE9,0x8F,0x40,0x55, + 0xF3,0xD0,0x07,0xC6,0xCB,0x43,0xA9,0x94,0xAD,0xF7,0x4C,0x64, + 0x86,0x49,0xF8,0x0C,0x83,0xBD,0x65,0xE9,0x17,0xD4,0xA1,0xD3, + 0x50,0xF8,0xF5,0x59,0x5F,0xDC,0x76,0x52,0x4F,0x3D,0x3D,0x8D, + 
0xDB,0xCE,0x99,0xE1,0x57,0x92,0x59,0xCD,0xFD,0xB8,0xAE,0x74, + 0x4F,0xC5,0xFC,0x76,0xBC,0x83,0xC5,0x47,0x30,0x61,0xCE,0x7C, + 0xC9,0x66,0xFF,0x15,0xF9,0xBB,0xFD,0x91,0x5E,0xC7,0x01,0xAA, + 0xD3,0x5B,0x9E,0x8D,0xA0,0xA5,0x72,0x3A,0xD4,0x1A,0xF0,0xBF, + 0x46,0x00,0x58,0x2B,0xE5,0xF4,0x88,0xFD,0x58,0x4E,0x49,0xDB, + 0xCD,0x20,0xB4,0x9D,0xE4,0x91,0x07,0x36,0x6B,0x33,0x6C,0x38, + 0x0D,0x45,0x1D,0x0F,0x7C,0x88,0xB3,0x1C,0x7C,0x5B,0x2D,0x8E, + 0xF6,0xF3,0xC9,0x23,0xC0,0x43,0xF0,0xA5,0x5B,0x18,0x8D,0x8E, + 0xBB,0x55,0x8C,0xB8,0x5D,0x38,0xD3,0x34,0xFD,0x7C,0x17,0x57, + 0x43,0xA3,0x1D,0x18,0x6C,0xDE,0x33,0x21,0x2C,0xB5,0x2A,0xFF, + 0x3C,0xE1,0xB1,0x29,0x40,0x18,0x11,0x8D,0x7C,0x84,0xA7,0x0A, + 0x72,0xD6,0x86,0xC4,0x03,0x19,0xC8,0x07,0x29,0x7A,0xCA,0x95, + 0x0C,0xD9,0x96,0x9F,0xAB,0xD0,0x0A,0x50,0x9B,0x02,0x46,0xD3, + 0x08,0x3D,0x66,0xA4,0x5D,0x41,0x9F,0x9C,0x7C,0xBD,0x89,0x4B, + 0x22,0x19,0x26,0xBA,0xAB,0xA2,0x5E,0xC3,0x55,0xE9,0x32,0x0B, + 0x3B,0x02,0x01,0x02, +}; + +unsigned char dh4096[] = +{ + 0x30,0x82,0x02,0x08,0x02,0x82,0x02,0x01,0x00,0xFA,0x14,0x72, + 0x52,0xC1,0x4D,0xE1,0x5A,0x49,0xD4,0xEF,0x09,0x2D,0xC0,0xA8, + 0xFD,0x55,0xAB,0xD7,0xD9,0x37,0x04,0x28,0x09,0xE2,0xE9,0x3E, + 0x77,0xE2,0xA1,0x7A,0x18,0xDD,0x46,0xA3,0x43,0x37,0x23,0x90, + 0x97,0xF3,0x0E,0xC9,0x03,0x50,0x7D,0x65,0xCF,0x78,0x62,0xA6, + 0x3A,0x62,0x22,0x83,0xA1,0x2F,0xFE,0x79,0xBA,0x35,0xFF,0x59, + 0xD8,0x1D,0x61,0xDD,0x1E,0x21,0x13,0x17,0xFE,0xCD,0x38,0x87, + 0x9E,0xF5,0x4F,0x79,0x10,0x61,0x8D,0xD4,0x22,0xF3,0x5A,0xED, + 0x5D,0xEA,0x21,0xE9,0x33,0x6B,0x48,0x12,0x0A,0x20,0x77,0xD4, + 0x25,0x60,0x61,0xDE,0xF6,0xB4,0x4F,0x1C,0x63,0x40,0x8B,0x3A, + 0x21,0x93,0x8B,0x79,0x53,0x51,0x2C,0xCA,0xB3,0x7B,0x29,0x56, + 0xA8,0xC7,0xF8,0xF4,0x7B,0x08,0x5E,0xA6,0xDC,0xA2,0x45,0x12, + 0x56,0xDD,0x41,0x92,0xF2,0xDD,0x5B,0x8F,0x23,0xF0,0xF3,0xEF, + 0xE4,0x3B,0x0A,0x44,0xDD,0xED,0x96,0x84,0xF1,0xA8,0x32,0x46, + 0xA3,0xDB,0x4A,0xBE,0x3D,0x45,0xBA,0x4E,0xF8,0x03,0xE5,0xDD, + 
0x6B,0x59,0x0D,0x84,0x1E,0xCA,0x16,0x5A,0x8C,0xC8,0xDF,0x7C, + 0x54,0x44,0xC4,0x27,0xA7,0x3B,0x2A,0x97,0xCE,0xA3,0x7D,0x26, + 0x9C,0xAD,0xF4,0xC2,0xAC,0x37,0x4B,0xC3,0xAD,0x68,0x84,0x7F, + 0x99,0xA6,0x17,0xEF,0x6B,0x46,0x3A,0x7A,0x36,0x7A,0x11,0x43, + 0x92,0xAD,0xE9,0x9C,0xFB,0x44,0x6C,0x3D,0x82,0x49,0xCC,0x5C, + 0x6A,0x52,0x42,0xF8,0x42,0xFB,0x44,0xF9,0x39,0x73,0xFB,0x60, + 0x79,0x3B,0xC2,0x9E,0x0B,0xDC,0xD4,0xA6,0x67,0xF7,0x66,0x3F, + 0xFC,0x42,0x3B,0x1B,0xDB,0x4F,0x66,0xDC,0xA5,0x8F,0x66,0xF9, + 0xEA,0xC1,0xED,0x31,0xFB,0x48,0xA1,0x82,0x7D,0xF8,0xE0,0xCC, + 0xB1,0xC7,0x03,0xE4,0xF8,0xB3,0xFE,0xB7,0xA3,0x13,0x73,0xA6, + 0x7B,0xC1,0x0E,0x39,0xC7,0x94,0x48,0x26,0x00,0x85,0x79,0xFC, + 0x6F,0x7A,0xAF,0xC5,0x52,0x35,0x75,0xD7,0x75,0xA4,0x40,0xFA, + 0x14,0x74,0x61,0x16,0xF2,0xEB,0x67,0x11,0x6F,0x04,0x43,0x3D, + 0x11,0x14,0x4C,0xA7,0x94,0x2A,0x39,0xA1,0xC9,0x90,0xCF,0x83, + 0xC6,0xFF,0x02,0x8F,0xA3,0x2A,0xAC,0x26,0xDF,0x0B,0x8B,0xBE, + 0x64,0x4A,0xF1,0xA1,0xDC,0xEE,0xBA,0xC8,0x03,0x82,0xF6,0x62, + 0x2C,0x5D,0xB6,0xBB,0x13,0x19,0x6E,0x86,0xC5,0x5B,0x2B,0x5E, + 0x3A,0xF3,0xB3,0x28,0x6B,0x70,0x71,0x3A,0x8E,0xFF,0x5C,0x15, + 0xE6,0x02,0xA4,0xCE,0xED,0x59,0x56,0xCC,0x15,0x51,0x07,0x79, + 0x1A,0x0F,0x25,0x26,0x27,0x30,0xA9,0x15,0xB2,0xC8,0xD4,0x5C, + 0xCC,0x30,0xE8,0x1B,0xD8,0xD5,0x0F,0x19,0xA8,0x80,0xA4,0xC7, + 0x01,0xAA,0x8B,0xBA,0x53,0xBB,0x47,0xC2,0x1F,0x6B,0x54,0xB0, + 0x17,0x60,0xED,0x79,0x21,0x95,0xB6,0x05,0x84,0x37,0xC8,0x03, + 0xA4,0xDD,0xD1,0x06,0x69,0x8F,0x4C,0x39,0xE0,0xC8,0x5D,0x83, + 0x1D,0xBE,0x6A,0x9A,0x99,0xF3,0x9F,0x0B,0x45,0x29,0xD4,0xCB, + 0x29,0x66,0xEE,0x1E,0x7E,0x3D,0xD7,0x13,0x4E,0xDB,0x90,0x90, + 0x58,0xCB,0x5E,0x9B,0xCD,0x2E,0x2B,0x0F,0xA9,0x4E,0x78,0xAC, + 0x05,0x11,0x7F,0xE3,0x9E,0x27,0xD4,0x99,0xE1,0xB9,0xBD,0x78, + 0xE1,0x84,0x41,0xA0,0xDF,0x02,0x01,0x02, +}; +# endif + } // // Convert a predefined parameter set into a DH value. 
 //
+# if OPENSSL_VERSION_NUMBER >= 0x10100000L
+static DH*
+convertDH(const unsigned char* buf, int len)
+{
+ return d2i_DHparams(0, &buf, len);
+}
+# else
 static DH*
 convertDH(unsigned char* p, int plen, unsigned char* g, int glen)
 {
@@ -247,9 +364,9 @@ convertDH(unsigned char* p, int plen, unsigned char* g, int glen)
 dh = 0;
 }
 }
-
 return dh;
 }
+# endif
 IceSSL::DHParams::DHParams() :
 _dh512(0), _dh1024(0), _dh2048(0), _dh4096(0)
@@ -311,7 +428,40 @@ IceSSL::DHParams::get(int keyLength)
 // No match found. Use one of the predefined parameter sets instead.
 //
 IceUtil::Mutex::Lock sync(*this);
-
+# if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ if(keyLength >= 4096)
+ {
+ if(!_dh4096)
+ {
+ _dh4096 = convertDH(dh4096, (int) sizeof(dh4096));
+ }
+ return _dh4096;
+ }
+ else if(keyLength >= 2048)
+ {
+ if(!_dh2048)
+ {
+ _dh2048 = convertDH(dh2048, (int) sizeof(dh2048));
+ }
+ return _dh2048;
+ }
+ else if(keyLength >= 1024)
+ {
+ if(!_dh1024)
+ {
+ _dh1024 = convertDH(dh1024, (int) sizeof(dh1024));
+ }
+ return _dh1024;
+ }
+ else
+ {
+ if(!_dh512)
+ {
+ _dh512 = convertDH(dh512, (int) sizeof(dh512));
+ }
+ return _dh512;
+ }
+# else
 if(keyLength >= 4096)
 {
 if(!_dh4096)
@@ -344,9 +494,10 @@ IceSSL::DHParams::get(int keyLength)
 }
 return _dh512;
 }
+# endif
 }
-# endif
+# endif
 string
 IceSSL::getSslErrors(bool verbose)
diff --git a/cpp/src/IceUtil/Makefile b/cpp/src/IceUtil/Makefile
index 934522baa08..b14150f19bf 100644
--- a/cpp/src/IceUtil/Makefile
+++ b/cpp/src/IceUtil/Makefile
@@ -40,7 +40,7 @@ OBJS = ArgVector.o \
 include $(top_srcdir)/config/Make.rules
-CPPFLAGS := $(CPPFLAGS) $(ICEUTIL_FLAGS) -DICE_UTIL_API_EXPORTS -I..
+CPPFLAGS := $(CPPFLAGS) $(ICEUTIL_FLAGS) $(OPENSSL_FLAGS) -DICE_UTIL_API_EXPORTS -I..
 LINKWITH := $(ICEUTIL_OS_LIBS)
 ifeq ($(STATICLIBS),yes)
diff --git a/cpp/test/IceSSL/configuration/AllTests.cpp b/cpp/test/IceSSL/configuration/AllTests.cpp
index d0235809622..458aded1cbb 100644
--- a/cpp/test/IceSSL/configuration/AllTests.cpp
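Review bot: The new OpenSSL 1.1.0 branch of IceSSL::DHParams::get() still hands out a 512-bit group (`_dh512` from the `dh512` DER blob) for key lengths below 1024; 512-bit Diffie-Hellman is far below any current minimum, and OpenSSL's security-level checks reject ephemeral DH that weak even at level 0 (worth confirming against the OpenSSL version in use), so that branch is most likely dead on 1.1.0 and the new code could make `_dh1024` the floor by turning `else if(keyLength >= 1024)` into `else` and dropping the `dh512` table. The four branches differ only in the blob and the cached member they touch, so a small static helper taking the blob, its length and the cache slot would remove the repetition that this hunk now duplicates for both `# if` sides. Minor style: `(int) sizeof(dh4096)` is a C-style cast where `static_cast<int>(sizeof(dh4096))` would match the named casts used elsewhere in this commit. DHParams::get() starts before the hunk; the hunk that introduces the DER blobs and the new convertDH() begins on an earlier line.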
+++ b/cpp/test/IceSSL/configuration/AllTests.cpp
@@ -476,6 +476,10 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
 initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12);
 initData.properties->setProperty("Ice.InitPlugins", "0");
 # ifdef ICE_USE_OPENSSL
+ //
+ // With OpenSSL 1.1.0 we need to set SECLEVEL=0 to allow ADH ciphers
+ //
+ initData.properties->setProperty("IceSSL.SecurityLevel", "0");
 initData.properties->setProperty("IceSSL.Ciphers", "ADH");
 # else
 initData.properties->setProperty("IceSSL.Ciphers", "DH_anon_WITH_AES_256_CBC_SHA");
@@ -489,6 +493,10 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
 Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(obj);
 Test::Properties d = createServerProps(defaultProps, defaultDir, defaultHost, p12);
 # ifdef ICE_USE_OPENSSL
+ //
+ // With OpenSSL 1.1.0 we need to set SECLEVEL=0 to allow ADH ciphers
+ //
+ d["IceSSL.SecurityLevel"] = "0";
 d["IceSSL.Ciphers"] = "ADH";
 # else
 d["IceSSL.Ciphers"] = "DH_anon_WITH_AES_256_CBC_SHA";
@@ -1197,6 +1205,10 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
 InitializationData initData;
 initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12);
 # ifdef ICE_USE_OPENSSL
+ //
+ // With OpenSSL 1.1.0 we need to set SECLEVEL=0 to allow ADH ciphers
+ //
+ initData.properties->setProperty("IceSSL.SecurityLevel", "0");
 initData.properties->setProperty("IceSSL.Ciphers", "ADH");
 # else
 initData.properties->setProperty("IceSSL.Ciphers", "(DH_anon*)");
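Review bot: The comment added above `initData.properties->setProperty("IceSSL.SecurityLevel", "0");` in the first hunk says the level is needed "With OpenSSL 1.1.0", but the property is set under `ICE_USE_OPENSSL` for every OpenSSL version while the engine in this commit only reads it under its `>= 0x10100000L` guard, so on older releases the line is silently ignored; stating the effect rather than the version avoids that confusion, e.g. `// IceSSL.SecurityLevel=0 (honored by OpenSSL >= 1.1.0 only) disables OpenSSL's minimum-strength checks so the anonymous DH ciphers this test needs are accepted.` The same three-line comment block is pasted verbatim into the two later hunks on this line and into the hunks on the following line, so a single wording fix should be applied to all of them. allTests() begins and ends outside every hunk here.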
@@ -1212,7 +1224,11 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
 test(fact);
 Test::Properties d = createServerProps(defaultProps, defaultDir, defaultHost, p12);
 # ifdef ICE_USE_OPENSSL
+ //
+ // With OpenSSL 1.1.0 we need to set SECLEVEL=0 to allow ADH ciphers
+ //
 string cipherSub = "ADH-";
+ d["IceSSL.SecurityLevel"] = "0";
 d["IceSSL.Ciphers"] = "ADH";
 # else
 string cipherSub = "DH_anon";
@@ -1800,6 +1816,10 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
 InitializationData initData;
 initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12);
 # ifdef ICE_USE_OPENSSL
+ //
+ // With OpenSSL 1.1.0 we need to set SECLEVEL=0 to allow ADH ciphers
+ //
+ initData.properties->setProperty("IceSSL.SecurityLevel", "0");
 initData.properties->setProperty("IceSSL.Ciphers", "ADH");
 # else
 initData.properties->setProperty("IceSSL.Ciphers", "(DH_anon*)");
@@ -1809,6 +1829,10 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
 test(fact);
 Test::Properties d = createServerProps(defaultProps, defaultDir, defaultHost, p12, "s_rsa_ca1", "cacert1");
 # ifdef ICE_USE_OPENSSL
+ //
+ // With OpenSSL 1.1.0 we need to set SECLEVEL=0 to allow ADH ciphers
+ //
+ d["IceSSL.SecurityLevel"] = "0";
 string cipherSub = "ADH-";
 d["IceSSL.Ciphers"] = "RSA:ADH";
 # else
@@ -2043,13 +2067,14 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
 //
 InitializationData initData;
 initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12, "c_dsa_ca1", "cacert1");
- initData.properties->setProperty("IceSSL.Ciphers", "DEFAULT:DSS");
+ initData.properties->setProperty("IceSSL.Ciphers", "DHE:DSS");
 CommunicatorPtr comm = initialize(initData);
 Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
 test(fact);
 Test::Properties d = createServerProps(defaultProps, defaultDir, defaultHost, p12, "s_dsa_ca1", "cacert1");
- d["IceSSL.Ciphers"] = "DEFAULT:DSS";
+ d["IceSSL.Ciphers"] = "DHE:DSS";
 d["IceSSL.VerifyPeer"] = "1";
+
 Test::ServerPrx server = fact->createServer(d);
 try
 {
@@ -2061,7 +2086,6 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
 }
 fact->destroyServer(server);
 comm->destroy();
-
 //
 // Next try a client with an RSA certificate.
 //
diff --git a/csharp/src/Ice/PropertyNames.cs b/csharp/src/Ice/PropertyNames.cs
index f784997ea87..8e6ed0163c9 100644
--- a/csharp/src/Ice/PropertyNames.cs
+++ b/csharp/src/Ice/PropertyNames.cs
@@ -6,7 +6,7 @@
 // ICE_LICENSE file included in this distribution.
 //
 // **********************************************************************
-// Generated by makeprops.py from file ./config/PropertyNames.xml, Thu Apr 7 10:23:17 2016
+// Generated by makeprops.py from file ../config/PropertyNames.xml, Fri Jul 1 19:08:40 2016
 // IMPORTANT: Do not edit this file -- any edits made here will be lost!
@@ -1004,6 +1004,7 @@ namespace IceInternal
 new Property(@"^IceSSL\.ProtocolVersionMax$", false, null),
 new Property(@"^IceSSL\.ProtocolVersionMin$", false, null),
 new Property(@"^IceSSL\.Random$", false, null),
+ new Property(@"^IceSSL\.SecurityLevel$", false, null),
 new Property(@"^IceSSL\.Trace\.Security$", false, null),
 new Property(@"^IceSSL\.TrustOnly$", false, null),
 new Property(@"^IceSSL\.TrustOnly\.Client$", false, null),
diff --git a/java/src/Ice/src/main/java/IceInternal/PropertyNames.java b/java/src/Ice/src/main/java/IceInternal/PropertyNames.java
index 2cc1df08f15..92fc0f48027 100644
--- a/java/src/Ice/src/main/java/IceInternal/PropertyNames.java
+++ b/java/src/Ice/src/main/java/IceInternal/PropertyNames.java
@@ -6,7 +6,7 @@
 // ICE_LICENSE file included in this distribution.
 //
 // **********************************************************************
-// Generated by makeprops.py from file ./config/PropertyNames.xml, Thu Apr 7 10:23:17 2016
+// Generated by makeprops.py from file ../config/PropertyNames.xml, Fri Jul 1 19:08:40 2016
 // IMPORTANT: Do not edit this file -- any edits made here will be lost!
@@ -1004,6 +1004,7 @@ public final class PropertyNames
 new Property("IceSSL\\.ProtocolVersionMax", false, null),
 new Property("IceSSL\\.ProtocolVersionMin", false, null),
 new Property("IceSSL\\.Random", false, null),
+ new Property("IceSSL\\.SecurityLevel", false, null),
 new Property("IceSSL\\.Trace\\.Security", false, null),
 new Property("IceSSL\\.TrustOnly", false, null),
 new Property("IceSSL\\.TrustOnly\\.Client", false, null),
diff --git a/js/src/Ice/PropertyNames.js b/js/src/Ice/PropertyNames.js
index e4512d0624f..29c4cb866b0 100644
--- a/js/src/Ice/PropertyNames.js
+++ b/js/src/Ice/PropertyNames.js
@@ -6,7 +6,7 @@
 // ICE_LICENSE file included in this distribution.
 //
 // **********************************************************************
-// Generated by makeprops.py from file ./config/PropertyNames.xml, Thu Apr 7 10:23:17 2016
+// Generated by makeprops.py from file ../config/PropertyNames.xml, Fri Jul 1 19:08:40 2016
 // IMPORTANT: Do not edit this file -- any edits made here will be lost! |