Diffstat (limited to 'cpp/src')
-rw-r--r-- | cpp/src/IceSSL/OpenSSLEngine.cpp | 24 | ||||
-rw-r--r-- | cpp/src/IceSSL/SChannelEngine.cpp | 22 | ||||
-rw-r--r-- | cpp/src/IceSSL/SecureTransportEngine.cpp | 18 |
3 files changed, 40 insertions, 24 deletions
diff --git a/cpp/src/IceSSL/OpenSSLEngine.cpp b/cpp/src/IceSSL/OpenSSLEngine.cpp
index c53ddbda7ca..75c58f50cf5 100644
--- a/cpp/src/IceSSL/OpenSSLEngine.cpp
+++ b/cpp/src/IceSSL/OpenSSLEngine.cpp
@@ -352,9 +352,16 @@ OpenSSLEngine::initialize()
 PropertiesPtr properties = communicator()->getProperties();
 
 //
- // Protocols selects which protocols to enable.
+ // Protocols selects which protocols to enable, by default we only enable TLS1.0
+ // TLS1.1 and TLS1.2 to avoid security issues with SSLv3
 //
- const int protocols = parseProtocols(properties->getPropertyAsList(propPrefix + "Protocols"));
+ vector<string> defaultProtocols;
+ defaultProtocols.push_back("tls1_0");
+ defaultProtocols.push_back("tls1_1");
+ defaultProtocols.push_back("tls1_2");
+
+ const int protocols =
+ parseProtocols(properties->getPropertyAsListWithDefault(propPrefix + "Protocols", defaultProtocols));
 
 //
 // Create an SSL context if the application hasn't supplied one.
@@ -901,27 +908,26 @@ OpenSSLEngine::parseProtocols(const StringSeq& protocols) const
 
 for(Ice::StringSeq::const_iterator p = protocols.begin(); p != protocols.end(); ++p)
 {
- string prot = *p;
-
- if(prot == "ssl3" || prot == "sslv3")
+ string prot = IceUtilInternal::toUpper(*p);
+ if(prot == "SSL3" || prot == "SSLV3")
 {
 v |= SSLv3;
 }
- else if(prot == "tls" || prot == "tls1" || prot == "tlsv1" || prot == "tls1_0" || prot == "tlsv1_0")
+ else if(prot == "TLS" || prot == "TLS1" || prot == "TLSV1" || prot == "TLS1_0" || prot == "TLSV1_0")
 {
 v |= TLSv1_0;
 }
- else if(prot == "tls1_1" || prot == "tlsv1_1")
+ else if(prot == "TLS1_1" || prot == "TLSV1_1")
 {
 v |= TLSv1_1;
 }
- else if(prot == "tls1_2" || prot == "tlsv1_2")
+ else if(prot == "TLS1_2" || prot == "TLSV1_2")
 {
 v |= TLSv1_2;
 }
 else
 {
- throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: unrecognized protocol `" + prot + "'");
+ throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: unrecognized protocol `" + *p + "'");
 }
 }
 
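Review bot: The new `defaultProtocols` vector is the plugin's security baseline, yet it is spelled out as three string literals here and again, identically, in the SChannelEngine.cpp initialize() hunk (SecureTransportEngine.cpp carries its own `"tls1_0"` default), so tightening the baseline later means finding and editing each copy; a single default owned by SSLEngine, for example one static helper returning the StringSeq, would keep the three engines in step. The comment should also say what the default does not cover: an explicit `ssl3` in `IceSSL.Protocols` still enables SSLv3, and the default takes effect only when the property is unset (and presumably when it is empty, if getPropertyAsListWithDefault treats an empty value like the missing case). Suggested wording: `// Protocols selects which protocols to enable. When IceSSL.Protocols is not set we enable only TLS1.0, TLS1.1 and TLS1.2 so that SSLv3 is never negotiated by default; naming "ssl3" in the property still enables it.` initialize() starts and ends outside the hunk.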
diff --git a/cpp/src/IceSSL/SChannelEngine.cpp b/cpp/src/IceSSL/SChannelEngine.cpp
index 595a85aa220..bef93424650 100644
--- a/cpp/src/IceSSL/SChannelEngine.cpp
+++ b/cpp/src/IceSSL/SChannelEngine.cpp
@@ -93,31 +93,31 @@ parseProtocols(const StringSeq& protocols)
 
 for(Ice::StringSeq::const_iterator p = protocols.begin(); p != protocols.end(); ++p)
 {
- string prot = *p;
+ string prot = IceUtilInternal::toUpper(*p);
 
- if(prot == "ssl3" || prot == "sslv3")
+ if(prot == "SSL3" || prot == "SSLV3")
 {
 v |= SP_PROT_SSL3_SERVER;
 v |= SP_PROT_SSL3_CLIENT;
 }
- else if(prot == "tls" || prot == "tls1" || prot == "tlsv1" || prot == "tls1_0" || prot == "tlsv1_0")
+ else if(prot == "TLS" || prot == "TLS1" || prot == "TLSV1" || prot == "TLS1_0" || prot == "TLSV1_0")
 {
 v |= SP_PROT_TLS1_SERVER;
 v |= SP_PROT_TLS1_CLIENT;
 }
- else if(prot == "tls1_1" || prot == "tlsv1_1")
+ else if(prot == "TLS1_1" || prot == "TLSV1_1")
 {
 v |= SP_PROT_TLS1_1_SERVER;
 v |= SP_PROT_TLS1_1_CLIENT;
 }
- else if(prot == "tls1_2" || prot == "tlsv1_2")
+ else if(prot == "TLS1_2" || prot == "TLSV1_2")
 {
 v |= SP_PROT_TLS1_2_SERVER;
 v |= SP_PROT_TLS1_2_CLIENT;
 }
 else
 {
- throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: unrecognized protocol `" + prot + "'");
+ throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: unrecognized protocol `" + *p + "'");
 }
 }
 
@@ -182,9 +182,15 @@ SChannelEngine::initialize()
 const PropertiesPtr properties = communicator()->getProperties();
 
 //
- // Protocols selects which protocols to enable.
+ // Protocols selects which protocols to enable, by default we only enable TLS1.0
+ // TLS1.1 and TLS1.2 to avoid security issues with SSLv3
 //
- const_cast<DWORD&>(_protocols) = parseProtocols(properties->getPropertyAsList(prefix + "Protocols"));
+ vector<string> defaultProtocols;
+ defaultProtocols.push_back("tls1_0");
+ defaultProtocols.push_back("tls1_1");
+ defaultProtocols.push_back("tls1_2");
+ const_cast<DWORD&>(_protocols) =
+ parseProtocols(properties->getPropertyAsListWithDefault(prefix + "Protocols", defaultProtocols));
 
 //
 // Check for a default directory. We look in this directory for
diff --git a/cpp/src/IceSSL/SecureTransportEngine.cpp b/cpp/src/IceSSL/SecureTransportEngine.cpp
index 743347feb67..8d255f24124 100644
--- a/cpp/src/IceSSL/SecureTransportEngine.cpp
+++ b/cpp/src/IceSSL/SecureTransportEngine.cpp
@@ -751,27 +751,28 @@ CiphersHelper::ciphers()
 }
 
 SSLProtocol
-parseProtocol(const string& prot)
+parseProtocol(const string& p)
 {
- if(prot == "ssl3" || prot == "sslv3")
+ const string prot = IceUtilInternal::toUpper(p);
+ if(prot == "SSL3" || prot == "SSLV3")
 {
 return kSSLProtocol3;
 }
- else if(prot == "tls" || prot == "tls1" || prot == "tlsv1" || prot == "tls1_0" || prot == "tlsv1_0")
+ else if(prot == "TLS" || prot == "TLS1" || prot == "TLSV1" || prot == "TLS1_0" || prot == "TLSV1_0")
 {
 return kTLSProtocol1;
 }
- else if(prot == "tls1_1" || prot == "tlsv1_1")
+ else if(prot == "TLS1_1" || prot == "TLSV1_1")
 {
 return kTLSProtocol11;
 }
- else if(prot == "tls1_2" || prot == "tlsv1_2")
+ else if(prot == "TLS1_2" || prot == "TLSV1_2")
 {
 return kTLSProtocol12;
 }
 else
 {
- throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: unrecognized protocol `" + prot + "'");
+ throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: unrecognized protocol `" + p + "'");
 }
 }
 
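Review bot: parseProtocol on the `+parseProtocol(const string& p)` line gains case-insensitive matching but still has no header comment, and as the single place that defines which names the ProtocolVersionMin/ProtocolVersionMax properties accept it deserves one. Suggested: `// Map a protocol name (compared case-insensitively) to its SecureTransport SSLProtocol constant; "ssl3"/"sslv3" is still accepted when configured explicitly, and any other name throws PluginInitializationException quoting the name as given.` Shadowing the old parameter name with the uppercased copy reads fine, but the one-letter parameter `p` is easy to confuse with the `p` iterators used by the sibling parseProtocols functions; `name` or `protocolName` would be clearer.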
@@ -1212,7 +1213,10 @@ IceSSL::SecureTransportEngine::initialize()
 _protocolVersionMax = parseProtocol(protocolVersionMax);
 }
 
- const string protocolVersionMin = properties->getProperty(propPrefix + "ProtocolVersionMin");
+ //
+ // The default min protocol version is set to TLS1.0 to avoid security issues with SSLv3
+ //
+ const string protocolVersionMin = properties->getPropertyWithDefault(propPrefix + "ProtocolVersionMin", "tls1_0");
 if(!protocolVersionMin.empty())
 {
 _protocolVersionMin = parseProtocol(protocolVersionMin);
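Review bot: The guard `if(!protocolVersionMin.empty())` just below the new `getPropertyWithDefault(..., "tls1_0")` line is now dead, assuming getPropertyWithDefault returns the default for an unset or empty property as the list variant used by the other engines appears to, so `_protocolVersionMin` is always assigned; either drop the guard or, if an explicitly empty value is meant to mean "no minimum", document that and keep it. What the hunk does not add is a check that the minimum does not exceed `_protocolVersionMax`, which is parsed a few lines above from a property with no default: a deployment that sets only ProtocolVersionMax to `ssl3` now gets a TLS1.0 floor above an SSLv3 ceiling, and how SecureTransport treats that is not visible here. Comparing the two parsed values once both are known (only when a maximum was actually configured) and throwing PluginInitializationException on an inverted range would make that misconfiguration fail fast at startup instead of at the first handshake. initialize() starts and ends outside the hunk.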