diff options
Diffstat (limited to 'cpp/src/IceSSL/OpenSSLEngine.cpp')
| -rw-r--r-- | cpp/src/IceSSL/OpenSSLEngine.cpp | 64 |
1 files changed, 60 insertions, 4 deletions
diff --git a/cpp/src/IceSSL/OpenSSLEngine.cpp b/cpp/src/IceSSL/OpenSSLEngine.cpp index 133d98ee465..e008094afb6 100644 --- a/cpp/src/IceSSL/OpenSSLEngine.cpp +++ b/cpp/src/IceSSL/OpenSSLEngine.cpp @@ -399,9 +399,21 @@ OpenSSL::SSLEngine::initialize() // TLS1.1 and TLS1.2 to avoid security issues with SSLv3 // vector<string> defaultProtocols; +#if defined(TLS1_VERSION) && !defined(OPENSSL_NO_TLS1_METHOD) defaultProtocols.push_back("tls1_0"); +#endif + +#if defined(TLS1_1_VERSION) && !defined(OPENSSL_NO_TLS1_1_METHOD) defaultProtocols.push_back("tls1_1"); +#endif + +#if defined(TLS1_2_VERSION) && !defined(OPENSSL_NO_TLS1_2_METHOD) defaultProtocols.push_back("tls1_2"); +#endif + +#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3_METHOD) + defaultProtocols.push_back("tls1_3"); +#endif const int protocols = parseProtocols(properties->getPropertyAsListWithDefault(propPrefix + "Protocols", defaultProtocols)); @@ -541,8 +553,9 @@ OpenSSL::SSLEngine::initialize() vector<string> files; if(!IceUtilInternal::splitString(certFile, IceUtilInternal::pathsep, files) || files.size() > 2) { - PluginInitializationException ex(__FILE__, __LINE__, - "IceSSL: invalid value for " + propPrefix + "CertFile:\n" + certFile); + throw PluginInitializationException(__FILE__, __LINE__, + "IceSSL: invalid value for " + propPrefix + "CertFile:\n" + + certFile); } numCerts = files.size(); for(vector<string>::iterator p = files.begin(); p != files.end(); ++p) @@ -551,8 +564,8 @@ OpenSSL::SSLEngine::initialize() string resolved; if(!checkPath(file, defaultDir, false, resolved)) { - PluginInitializationException ex(__FILE__, __LINE__, - "IceSSL: certificate file not found:\n" + file); + throw PluginInitializationException(__FILE__, __LINE__, + "IceSSL: certificate file not found:\n" + file); } file = resolved; @@ -963,19 +976,48 @@ OpenSSL::SSLEngine::parseProtocols(const StringSeq& protocols) const string prot = IceUtilInternal::toUpper(*p); if(prot == "SSL3" || prot == "SSLV3") { +#if defined(OPENSSL_NO_SSL3_METHOD) || !defined(SSL3_VERSION) + throw PluginInitializationException(__FILE__, __LINE__, + "IceSSL: OpenSSL was build without SSLv3 support"); +#else v |= SSLv3; +#endif } else if(prot == "TLS" || prot == "TLS1" || prot == "TLSV1" || prot == "TLS1_0" || prot == "TLSV1_0") { +#if defined(OPENSSL_NO_TLS1_METHOD) || !defined(TLS1_VERSION) + throw PluginInitializationException(__FILE__, __LINE__, + "IceSSL: OpenSSL was build without TLS 1.0 support"); +#else v |= TLSv1_0; +#endif } else if(prot == "TLS1_1" || prot == "TLSV1_1") { +#if defined(OPENSSL_NO_TLS1_1_METHOD) || !defined(TLS1_1_VERSION) + throw PluginInitializationException(__FILE__, __LINE__, + "IceSSL: OpenSSL was build without TLS 1.1 support"); +#else v |= TLSv1_1; +#endif } else if(prot == "TLS1_2" || prot == "TLSV1_2") { +#if defined(OPENSSL_NO_TLS1_2_METHOD) || !defined(TLS1_2_VERSION) + throw PluginInitializationException(__FILE__, __LINE__, + "IceSSL: OpenSSL was build without TLS 1.2 support"); +#else v |= TLSv1_2; +#endif + } + else if(prot == "TLS1_3" || prot == "TLSV1_3") + { +#if defined(OPENSSL_NO_TLS1_3_METHOD) || !defined(TLS1_3_VERSION) + throw PluginInitializationException(__FILE__, __LINE__, + "IceSSL: OpenSSL was build without TLS 1.3 support"); +#else + v |= TLSv1_3; +#endif } else { @@ -1014,14 +1056,21 @@ void OpenSSL::SSLEngine::setOptions(int protocols) { long opts = SSL_OP_NO_SSLv2; // SSLv2 is not supported. + +#ifdef SSL_OP_NO_SSLv3 if(!(protocols & SSLv3)) { opts |= SSL_OP_NO_SSLv3; } +#endif + +#ifdef SSL_OP_NO_TLSv1 if(!(protocols & TLSv1_0)) { opts |= SSL_OP_NO_TLSv1; } +#endif + #ifdef SSL_OP_NO_TLSv1_1 if(!(protocols & TLSv1_1)) { @@ -1042,5 +1091,12 @@ OpenSSL::SSLEngine::setOptions(int protocols) opts |= SSL_OP_NO_TLSv1_2; } #endif + +#ifdef SSL_OP_NO_TLSv1_3 + if(!(protocols & TLSv1_3)) + { + opts |= SSL_OP_NO_TLSv1_3; + } +#endif SSL_CTX_set_options(_ctx, opts); } |