Diffstat (limited to 'cpp')
-rw-r--r--cpp/src/Ice/PropertyNames.cpp3
-rw-r--r--cpp/src/Ice/PropertyNames.h2
-rw-r--r--cpp/src/IceSSL/Makefile2
-rw-r--r--cpp/src/IceSSL/OpenSSLEngine.cpp59
-rw-r--r--cpp/src/IceSSL/Util.cpp159
-rw-r--r--cpp/src/IceUtil/Makefile2
-rw-r--r--cpp/test/IceSSL/configuration/AllTests.cpp30
7 files changed, 238 insertions, 19 deletions
diff --git a/cpp/src/Ice/PropertyNames.cpp b/cpp/src/Ice/PropertyNames.cpp
index 69f03cade5f..e4f02285b90 100644
--- a/cpp/src/Ice/PropertyNames.cpp
+++ b/cpp/src/Ice/PropertyNames.cpp
@@ -6,7 +6,7 @@
// ICE_LICENSE file included in this distribution.
//
// **********************************************************************
-// Generated by makeprops.py from file ./config/PropertyNames.xml, Thu Apr 7 10:23:17 2016
+// Generated by makeprops.py from file ../config/PropertyNames.xml, Fri Jul 1 19:08:40 2016
// IMPORTANT: Do not edit this file -- any edits made here will be lost!
@@ -1032,6 +1032,7 @@ const IceInternal::Property IceSSLPropsData[] =
IceInternal::Property("IceSSL.ProtocolVersionMax", false, 0),
IceInternal::Property("IceSSL.ProtocolVersionMin", false, 0),
IceInternal::Property("IceSSL.Random", false, 0),
+ IceInternal::Property("IceSSL.SecurityLevel", false, 0),
IceInternal::Property("IceSSL.Trace.Security", false, 0),
IceInternal::Property("IceSSL.TrustOnly", false, 0),
IceInternal::Property("IceSSL.TrustOnly.Client", false, 0),
diff --git a/cpp/src/Ice/PropertyNames.h b/cpp/src/Ice/PropertyNames.h
index d5712c8e2ab..151097655fc 100644
--- a/cpp/src/Ice/PropertyNames.h
+++ b/cpp/src/Ice/PropertyNames.h
@@ -6,7 +6,7 @@
// ICE_LICENSE file included in this distribution.
//
// **********************************************************************
-// Generated by makeprops.py from file ./config/PropertyNames.xml, Thu Apr 7 10:23:17 2016
+// Generated by makeprops.py from file ../config/PropertyNames.xml, Fri Jul 1 19:08:40 2016
// IMPORTANT: Do not edit this file -- any edits made here will be lost!
diff --git a/cpp/src/IceSSL/Makefile b/cpp/src/IceSSL/Makefile
index 5e551f3e363..ab3b8222167 100644
--- a/cpp/src/IceSSL/Makefile
+++ b/cpp/src/IceSSL/Makefile
@@ -55,7 +55,7 @@ include $(top_srcdir)/config/Make.rules
CPPFLAGS := -I.. $(CPPFLAGS) -DICE_SSL_API_EXPORTS $(OPENSSL_FLAGS)
SLICE2CPPFLAGS := --ice --include-dir IceSSL --dll-export ICE_SSL_API $(SLICE2CPPFLAGS)
-LINKWITH := $(BZIP2_RPATH_LINK) -lIce -lIceUtil $(SSL_OS_LIBS) $(CXXLIBS)
+LINKWITH := $(BZIP2_RPATH_LINK) $(OPENSSL_LIBS) -lIce -lIceUtil $(SSL_OS_LIBS) $(CXXLIBS)
ifeq ($(STATICLIBS),yes)
$(libdir)/$(LIBNAME): $(OBJS)
diff --git a/cpp/src/IceSSL/OpenSSLEngine.cpp b/cpp/src/IceSSL/OpenSSLEngine.cpp
index 029cf825ffd..a7232b06f7f 100644
--- a/cpp/src/IceSSL/OpenSSLEngine.cpp
+++ b/cpp/src/IceSSL/OpenSSLEngine.cpp
@@ -42,7 +42,10 @@ namespace
IceUtil::Mutex* staticMutex = 0;
int instanceCount = 0;
bool initOpenSSL = false;
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
IceUtil::Mutex* locks = 0;
+#endif
class Init
{
@@ -55,17 +58,22 @@ public:
~Init()
{
+ //
+ // OpenSSL 1.1.0 introduces a new thread API and removes
+ // the need to use a custom thread callback.
+ //
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
CRYPTO_set_locking_callback(0);
CRYPTO_set_id_callback(0);
- delete staticMutex;
- staticMutex = 0;
-
if(locks)
{
delete[] locks;
locks = 0;
}
+#endif
+ delete staticMutex;
+ staticMutex = 0;
}
};
@@ -76,6 +84,11 @@ extern "C"
{
//
+// OpenSSL 1.1.0 introduces a new thread API and removes
+// the need to use a custom thread callback.
+//
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+//
// OpenSSL mutex callback.
//
void
@@ -114,6 +127,7 @@ IceSSL_opensslThreadIdCallback()
# error "Unknown platform"
# endif
}
+#endif
int
IceSSL_opensslPasswordCallback(char* buf, int size, int flag, void* userData)
@@ -144,7 +158,12 @@ IceSSL_opensslPasswordCallback(char* buf, int size, int flag, void* userData)
DH*
IceSSL_opensslDHCallback(SSL* ssl, int /*isExport*/, int keyLength)
{
- OpenSSLEngine* p = reinterpret_cast<OpenSSLEngine*>(SSL_CTX_get_ex_data(ssl->ctx, 0));
+# if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ SSL_CTX* ctx = SSL_get_SSL_CTX(ssl);
+# else
+ SSL_CTX* ctx = ssl->ctx;
+# endif
+ OpenSSLEngine* p = reinterpret_cast<OpenSSLEngine*>(SSL_CTX_get_ex_data(ctx, 0));
return p->dhParams(keyLength);
}
# endif
@@ -196,6 +215,11 @@ OpenSSLEngine::OpenSSLEngine(const CommunicatorPtr& communicator) :
initOpenSSL = properties->getPropertyAsIntWithDefault("IceSSL.InitOpenSSL", 1) > 0;
if(initOpenSSL)
{
+
+ //
+ // OpenSSL 1.1.0 remove the need for library initialization and cleanup.
+ //
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
//
// Create the mutexes and set the callbacks.
//
@@ -221,13 +245,11 @@ OpenSSLEngine::OpenSSLEngine(const CommunicatorPtr& communicator) :
// load private key files generated by OpenSSL 1.x.
//
OpenSSL_add_all_algorithms();
+#endif
//
// Initialize the PRNG.
//
-# ifdef WINDOWS
- RAND_screen(); // Uses data from the screen if possible.
-# endif
char randFile[1024];
if(RAND_file_name(randFile, sizeof(randFile))) // Gets the name of a default seed file.
{
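Review bot: With the `#if OPENSSL_VERSION_NUMBER < 0x10100000L` block closed just above, the seed-file load that follows now runs for every OpenSSL version, and the Windows `RAND_screen()` call is removed for the pre-1.1.0 build as well, not only for 1.1.0. That is acceptable (RAND_screen has long been deprecated, and both library branches seed from the OS in RAND_poll on first use as far as I recall), but the surviving comment `// Initialize the PRNG.` now overstates what this code does. Suggest `// Mix in the optional seed file named by RAND_file_name ($RANDFILE or ~/.rnd); OpenSSL also seeds itself from the OS on first use, so this is supplementary.` The constructor body continues outside the hunk.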
@@ -301,6 +323,10 @@ OpenSSLEngine::OpenSSLEngine(const CommunicatorPtr& communicator) :
OpenSSLEngine::~OpenSSLEngine()
{
+//
+// OpenSSL 1.1.0 remove the need for library initialization and cleanup.
+//
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
//
// Clean up OpenSSL resources.
//
@@ -323,6 +349,7 @@ OpenSSLEngine::~OpenSSLEngine()
ERR_free_strings();
EVP_cleanup();
}
+#endif
}
bool
@@ -372,6 +399,18 @@ OpenSSLEngine::initialize()
"IceSSL: unable to create SSL context:\n" + sslErrors());
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ int securityLevel = properties->getPropertyAsIntWithDefault(propPrefix + "SecurityLevel", -1);
+ if(securityLevel != -1)
+ {
+ SSL_CTX_set_security_level(_ctx, securityLevel);
+ if(SSL_CTX_get_security_level(_ctx) != securityLevel)
+ {
+ throw PluginInitializationException(__FILE__, __LINE__,
+ "IceSSL: unable to set SSL security level:\n" + sslErrors());
+ }
+ }
+#endif
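Review bot: The `SSL_CTX_get_security_level(_ctx) != securityLevel` check cannot fail the way its exception text suggests: `SSL_CTX_set_security_level` returns void and stores whatever integer it is given, so an out-of-range value such as 7 or -3 is accepted and `sslErrors()` will be empty. Validate the property before the setter instead, e.g. `if(securityLevel < 0 || securityLevel > 5) throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: invalid IceSSL.SecurityLevel value");`, and drop the get/compare. Because level 0 re-enables anonymous DH, export-grade and MD5-based suites, a warning through IceSSL.Trace.Security when a level below the library default (1 in a stock 1.1.0 build) is configured would be worth adding, and on OpenSSL < 1.1.0 the property is silently ignored, which deserves a comment next to the `#if`. initialize() continues outside the hunk.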
//
// Check for a default directory. We look in this directory for
// files mentioned in the configuration.
@@ -528,6 +567,7 @@ OpenSSLEngine::initialize()
"IceSSL: certificate file not found:\n" + file);
}
file = resolved;
+
//
// First we try to load the certificate using PKCS12 format if that fails
// we fallback to PEM format.
@@ -945,6 +985,9 @@ OpenSSLEngine::parseProtocols(const StringSeq& protocols) const
SSL_METHOD*
OpenSSLEngine::getMethod(int /*protocols*/)
{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ SSL_METHOD* meth = const_cast<SSL_METHOD*>(TLS_method());
+#else
//
// Despite its name, the SSLv23 method can negotiate SSL3, TLS1.0, TLS1.1, and TLS1.2.
// We use the const_cast for backward compatibility with older OpenSSL releases.
@@ -959,7 +1002,7 @@ OpenSSLEngine::getMethod(int /*protocols*/)
meth = const_cast<SSL_METHOD*>(TLSv1_2_method());
}
*/
-
+#endif
return meth;
}
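Review bot: `TLS_method()` negotiates every protocol version the library was built with, and the `protocols` parameter is still ignored on the new side, so any restriction derived from IceSSL.Protocols or IceSSL.ProtocolVersionMin/Max must be applied to the context elsewhere; the hunk does not show where. On 1.1.0 the supported mechanism is `SSL_CTX_set_min_proto_version`/`SSL_CTX_set_max_proto_version` rather than the `SSL_OP_NO_*` bits, so if the existing code still sets option bits it keeps working but is on a deprecated path. A comment on the 1.1.0 branch such as `// TLS_method() enables all versions; the configured min/max versions are applied to _ctx after creation.` would save the next reader the search. The `const_cast` survives only because getMethod returns a non-const `SSL_METHOD*`.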
diff --git a/cpp/src/IceSSL/Util.cpp b/cpp/src/IceSSL/Util.cpp
index b55ca494233..a60ee4c1e97 100644
--- a/cpp/src/IceSSL/Util.cpp
+++ b/cpp/src/IceSSL/Util.cpp
@@ -109,7 +109,8 @@ parseBytes(const string& arg, vector<unsigned char>& buffer)
namespace
{
-# ifndef OPENSSL_NO_DH
+# ifndef OPENSSL_NO_DH
+# if OPENSSL_VERSION_NUMBER < 0x10100000L
// The following arrays are predefined Diffie Hellman group parameters.
// These are known strong primes, distributed with the OpenSSL library
@@ -223,11 +224,127 @@ unsigned char dh4096_p[] =
unsigned char dh4096_g[] = { 0x02 };
+# else
+//
+// With OpenSSL 1.1.0 is no longer possible to acess the DH p and g
+// data members to set the DH params. We still use the same default
+// parameters but they were converted to DER format using
+// i2d_DHparams and can be restored using d2i_DHparams
+
+unsigned char dh512[] =
+{
+ 0x30,0x46,0x02,0x41,0x00,0xF5,0x2A,0xFF,0x3C,0xE1,0xB1,0x29,
+ 0x40,0x18,0x11,0x8D,0x7C,0x84,0xA7,0x0A,0x72,0xD6,0x86,0xC4,
+ 0x03,0x19,0xC8,0x07,0x29,0x7A,0xCA,0x95,0x0C,0xD9,0x96,0x9F,
+ 0xAB,0xD0,0x0A,0x50,0x9B,0x02,0x46,0xD3,0x08,0x3D,0x66,0xA4,
+ 0x5D,0x41,0x9F,0x9C,0x7C,0xBD,0x89,0x4B,0x22,0x19,0x26,0xBA,
+ 0xAB,0xA2,0x5E,0xC3,0x55,0xE9,0x2A,0x05,0x5F,0x02,0x01,0x02,
+};
+
+unsigned char dh1024[] =
+{
+ 0x30,0x81,0x87,0x02,0x81,0x81,0x00,0xF4,0x88,0xFD,0x58,0x4E,
+ 0x49,0xDB,0xCD,0x20,0xB4,0x9D,0xE4,0x91,0x07,0x36,0x6B,0x33,
+ 0x6C,0x38,0x0D,0x45,0x1D,0x0F,0x7C,0x88,0xB3,0x1C,0x7C,0x5B,
+ 0x2D,0x8E,0xF6,0xF3,0xC9,0x23,0xC0,0x43,0xF0,0xA5,0x5B,0x18,
+ 0x8D,0x8E,0xBB,0x55,0x8C,0xB8,0x5D,0x38,0xD3,0x34,0xFD,0x7C,
+ 0x17,0x57,0x43,0xA3,0x1D,0x18,0x6C,0xDE,0x33,0x21,0x2C,0xB5,
+ 0x2A,0xFF,0x3C,0xE1,0xB1,0x29,0x40,0x18,0x11,0x8D,0x7C,0x84,
+ 0xA7,0x0A,0x72,0xD6,0x86,0xC4,0x03,0x19,0xC8,0x07,0x29,0x7A,
+ 0xCA,0x95,0x0C,0xD9,0x96,0x9F,0xAB,0xD0,0x0A,0x50,0x9B,0x02,
+ 0x46,0xD3,0x08,0x3D,0x66,0xA4,0x5D,0x41,0x9F,0x9C,0x7C,0xBD,
+ 0x89,0x4B,0x22,0x19,0x26,0xBA,0xAB,0xA2,0x5E,0xC3,0x55,0xE9,
+ 0x2F,0x78,0xC7,0x02,0x01,0x02,
+};
+
+unsigned char dh2048[] =
+{
+ 0x30,0x82,0x01,0x08,0x02,0x82,0x01,0x01,0x00,0xF6,0x42,0x57,
+ 0xB7,0x08,0x7F,0x08,0x17,0x72,0xA2,0xBA,0xD6,0xA9,0x42,0xF3,
+ 0x05,0xE8,0xF9,0x53,0x11,0x39,0x4F,0xB6,0xF1,0x6E,0xB9,0x4B,
+ 0x38,0x20,0xDA,0x01,0xA7,0x56,0xA3,0x14,0xE9,0x8F,0x40,0x55,
+ 0xF3,0xD0,0x07,0xC6,0xCB,0x43,0xA9,0x94,0xAD,0xF7,0x4C,0x64,
+ 0x86,0x49,0xF8,0x0C,0x83,0xBD,0x65,0xE9,0x17,0xD4,0xA1,0xD3,
+ 0x50,0xF8,0xF5,0x59,0x5F,0xDC,0x76,0x52,0x4F,0x3D,0x3D,0x8D,
+ 0xDB,0xCE,0x99,0xE1,0x57,0x92,0x59,0xCD,0xFD,0xB8,0xAE,0x74,
+ 0x4F,0xC5,0xFC,0x76,0xBC,0x83,0xC5,0x47,0x30,0x61,0xCE,0x7C,
+ 0xC9,0x66,0xFF,0x15,0xF9,0xBB,0xFD,0x91,0x5E,0xC7,0x01,0xAA,
+ 0xD3,0x5B,0x9E,0x8D,0xA0,0xA5,0x72,0x3A,0xD4,0x1A,0xF0,0xBF,
+ 0x46,0x00,0x58,0x2B,0xE5,0xF4,0x88,0xFD,0x58,0x4E,0x49,0xDB,
+ 0xCD,0x20,0xB4,0x9D,0xE4,0x91,0x07,0x36,0x6B,0x33,0x6C,0x38,
+ 0x0D,0x45,0x1D,0x0F,0x7C,0x88,0xB3,0x1C,0x7C,0x5B,0x2D,0x8E,
+ 0xF6,0xF3,0xC9,0x23,0xC0,0x43,0xF0,0xA5,0x5B,0x18,0x8D,0x8E,
+ 0xBB,0x55,0x8C,0xB8,0x5D,0x38,0xD3,0x34,0xFD,0x7C,0x17,0x57,
+ 0x43,0xA3,0x1D,0x18,0x6C,0xDE,0x33,0x21,0x2C,0xB5,0x2A,0xFF,
+ 0x3C,0xE1,0xB1,0x29,0x40,0x18,0x11,0x8D,0x7C,0x84,0xA7,0x0A,
+ 0x72,0xD6,0x86,0xC4,0x03,0x19,0xC8,0x07,0x29,0x7A,0xCA,0x95,
+ 0x0C,0xD9,0x96,0x9F,0xAB,0xD0,0x0A,0x50,0x9B,0x02,0x46,0xD3,
+ 0x08,0x3D,0x66,0xA4,0x5D,0x41,0x9F,0x9C,0x7C,0xBD,0x89,0x4B,
+ 0x22,0x19,0x26,0xBA,0xAB,0xA2,0x5E,0xC3,0x55,0xE9,0x32,0x0B,
+ 0x3B,0x02,0x01,0x02,
+};
+
+unsigned char dh4096[] =
+{
+ 0x30,0x82,0x02,0x08,0x02,0x82,0x02,0x01,0x00,0xFA,0x14,0x72,
+ 0x52,0xC1,0x4D,0xE1,0x5A,0x49,0xD4,0xEF,0x09,0x2D,0xC0,0xA8,
+ 0xFD,0x55,0xAB,0xD7,0xD9,0x37,0x04,0x28,0x09,0xE2,0xE9,0x3E,
+ 0x77,0xE2,0xA1,0x7A,0x18,0xDD,0x46,0xA3,0x43,0x37,0x23,0x90,
+ 0x97,0xF3,0x0E,0xC9,0x03,0x50,0x7D,0x65,0xCF,0x78,0x62,0xA6,
+ 0x3A,0x62,0x22,0x83,0xA1,0x2F,0xFE,0x79,0xBA,0x35,0xFF,0x59,
+ 0xD8,0x1D,0x61,0xDD,0x1E,0x21,0x13,0x17,0xFE,0xCD,0x38,0x87,
+ 0x9E,0xF5,0x4F,0x79,0x10,0x61,0x8D,0xD4,0x22,0xF3,0x5A,0xED,
+ 0x5D,0xEA,0x21,0xE9,0x33,0x6B,0x48,0x12,0x0A,0x20,0x77,0xD4,
+ 0x25,0x60,0x61,0xDE,0xF6,0xB4,0x4F,0x1C,0x63,0x40,0x8B,0x3A,
+ 0x21,0x93,0x8B,0x79,0x53,0x51,0x2C,0xCA,0xB3,0x7B,0x29,0x56,
+ 0xA8,0xC7,0xF8,0xF4,0x7B,0x08,0x5E,0xA6,0xDC,0xA2,0x45,0x12,
+ 0x56,0xDD,0x41,0x92,0xF2,0xDD,0x5B,0x8F,0x23,0xF0,0xF3,0xEF,
+ 0xE4,0x3B,0x0A,0x44,0xDD,0xED,0x96,0x84,0xF1,0xA8,0x32,0x46,
+ 0xA3,0xDB,0x4A,0xBE,0x3D,0x45,0xBA,0x4E,0xF8,0x03,0xE5,0xDD,
+ 0x6B,0x59,0x0D,0x84,0x1E,0xCA,0x16,0x5A,0x8C,0xC8,0xDF,0x7C,
+ 0x54,0x44,0xC4,0x27,0xA7,0x3B,0x2A,0x97,0xCE,0xA3,0x7D,0x26,
+ 0x9C,0xAD,0xF4,0xC2,0xAC,0x37,0x4B,0xC3,0xAD,0x68,0x84,0x7F,
+ 0x99,0xA6,0x17,0xEF,0x6B,0x46,0x3A,0x7A,0x36,0x7A,0x11,0x43,
+ 0x92,0xAD,0xE9,0x9C,0xFB,0x44,0x6C,0x3D,0x82,0x49,0xCC,0x5C,
+ 0x6A,0x52,0x42,0xF8,0x42,0xFB,0x44,0xF9,0x39,0x73,0xFB,0x60,
+ 0x79,0x3B,0xC2,0x9E,0x0B,0xDC,0xD4,0xA6,0x67,0xF7,0x66,0x3F,
+ 0xFC,0x42,0x3B,0x1B,0xDB,0x4F,0x66,0xDC,0xA5,0x8F,0x66,0xF9,
+ 0xEA,0xC1,0xED,0x31,0xFB,0x48,0xA1,0x82,0x7D,0xF8,0xE0,0xCC,
+ 0xB1,0xC7,0x03,0xE4,0xF8,0xB3,0xFE,0xB7,0xA3,0x13,0x73,0xA6,
+ 0x7B,0xC1,0x0E,0x39,0xC7,0x94,0x48,0x26,0x00,0x85,0x79,0xFC,
+ 0x6F,0x7A,0xAF,0xC5,0x52,0x35,0x75,0xD7,0x75,0xA4,0x40,0xFA,
+ 0x14,0x74,0x61,0x16,0xF2,0xEB,0x67,0x11,0x6F,0x04,0x43,0x3D,
+ 0x11,0x14,0x4C,0xA7,0x94,0x2A,0x39,0xA1,0xC9,0x90,0xCF,0x83,
+ 0xC6,0xFF,0x02,0x8F,0xA3,0x2A,0xAC,0x26,0xDF,0x0B,0x8B,0xBE,
+ 0x64,0x4A,0xF1,0xA1,0xDC,0xEE,0xBA,0xC8,0x03,0x82,0xF6,0x62,
+ 0x2C,0x5D,0xB6,0xBB,0x13,0x19,0x6E,0x86,0xC5,0x5B,0x2B,0x5E,
+ 0x3A,0xF3,0xB3,0x28,0x6B,0x70,0x71,0x3A,0x8E,0xFF,0x5C,0x15,
+ 0xE6,0x02,0xA4,0xCE,0xED,0x59,0x56,0xCC,0x15,0x51,0x07,0x79,
+ 0x1A,0x0F,0x25,0x26,0x27,0x30,0xA9,0x15,0xB2,0xC8,0xD4,0x5C,
+ 0xCC,0x30,0xE8,0x1B,0xD8,0xD5,0x0F,0x19,0xA8,0x80,0xA4,0xC7,
+ 0x01,0xAA,0x8B,0xBA,0x53,0xBB,0x47,0xC2,0x1F,0x6B,0x54,0xB0,
+ 0x17,0x60,0xED,0x79,0x21,0x95,0xB6,0x05,0x84,0x37,0xC8,0x03,
+ 0xA4,0xDD,0xD1,0x06,0x69,0x8F,0x4C,0x39,0xE0,0xC8,0x5D,0x83,
+ 0x1D,0xBE,0x6A,0x9A,0x99,0xF3,0x9F,0x0B,0x45,0x29,0xD4,0xCB,
+ 0x29,0x66,0xEE,0x1E,0x7E,0x3D,0xD7,0x13,0x4E,0xDB,0x90,0x90,
+ 0x58,0xCB,0x5E,0x9B,0xCD,0x2E,0x2B,0x0F,0xA9,0x4E,0x78,0xAC,
+ 0x05,0x11,0x7F,0xE3,0x9E,0x27,0xD4,0x99,0xE1,0xB9,0xBD,0x78,
+ 0xE1,0x84,0x41,0xA0,0xDF,0x02,0x01,0x02,
+};
+# endif
+
}
//
// Convert a predefined parameter set into a DH value.
//
+# if OPENSSL_VERSION_NUMBER >= 0x10100000L
+static DH*
+convertDH(const unsigned char* buf, int len)
+{
+ return d2i_DHparams(0, &buf, len);
+}
+# else
static DH*
convertDH(unsigned char* p, int plen, unsigned char* g, int glen)
{
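Review bot: The 1.1.0 `convertDH` returns whatever `d2i_DHparams` produces with no check that the decoded group has the size its array name promises, whereas the old branch appears to null out `dh` on a failed conversion (its `dh = 0;` path is visible below). A mis-transcribed byte in these hand-pasted DER blobs would silently yield a truncated or malformed group, or a null that DHParams::get caches and hands to OpenSSL as the ephemeral DH parameters. A cheap guard is to pass the expected bit length and reject the result when `DH_bits()` disagrees (full `DH_check` is too slow for the 4096-bit group on a handshake path); callers become `convertDH(dh2048, (int) sizeof(dh2048), 2048)` and so on.
```cpp
static DH*
convertDH(const unsigned char* buf, int len, int expectedBits)
{
    DH* dh = d2i_DHparams(0, &buf, len);
    if(dh && DH_bits(dh) != expectedBits)
    {
        // Blob decoded to something other than the advertised group.
        DH_free(dh);
        dh = 0;
    }
    return dh;
}
```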
@@ -247,9 +364,9 @@ convertDH(unsigned char* p, int plen, unsigned char* g, int glen)
dh = 0;
}
}
-
return dh;
}
+# endif
IceSSL::DHParams::DHParams() :
_dh512(0), _dh1024(0), _dh2048(0), _dh4096(0)
@@ -311,7 +428,40 @@ IceSSL::DHParams::get(int keyLength)
// No match found. Use one of the predefined parameter sets instead.
//
IceUtil::Mutex::Lock sync(*this);
-
+# if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ if(keyLength >= 4096)
+ {
+ if(!_dh4096)
+ {
+ _dh4096 = convertDH(dh4096, (int) sizeof(dh4096));
+ }
+ return _dh4096;
+ }
+ else if(keyLength >= 2048)
+ {
+ if(!_dh2048)
+ {
+ _dh2048 = convertDH(dh2048, (int) sizeof(dh2048));
+ }
+ return _dh2048;
+ }
+ else if(keyLength >= 1024)
+ {
+ if(!_dh1024)
+ {
+ _dh1024 = convertDH(dh1024, (int) sizeof(dh1024));
+ }
+ return _dh1024;
+ }
+ else
+ {
+ if(!_dh512)
+ {
+ _dh512 = convertDH(dh512, (int) sizeof(dh512));
+ }
+ return _dh512;
+ }
+# else
if(keyLength >= 4096)
{
if(!_dh4096)
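Review bot: The final `else` on the new 1.1.0 branch still serves the 512-bit group for any `keyLength` below 1024. At OpenSSL 1.1.0's default security level 1 the library refuses DH parameters shorter than 1024 bits, so that branch yields a handshake failure rather than a working exchange, and at SECLEVEL=0 it yields a Logjam-class group; making 1024 the floor (`else` returns `_dh1024`) or dropping `dh512` entirely would be safer. It is also worth checking what `keyLength` OpenSSL 1.1.0 actually passes to the tmp_dh callback for non-export suites; if it is a fixed 1024 as I recall, the 2048/4096 groups here are only reachable through a user-supplied IceSSL.DHParams file, and 2048 would be the better default. get() continues into the next hunk.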
@@ -344,9 +494,10 @@ IceSSL::DHParams::get(int keyLength)
}
return _dh512;
}
+# endif
}
-# endif
+# endif
string
IceSSL::getSslErrors(bool verbose)
diff --git a/cpp/src/IceUtil/Makefile b/cpp/src/IceUtil/Makefile
index 934522baa08..b14150f19bf 100644
--- a/cpp/src/IceUtil/Makefile
+++ b/cpp/src/IceUtil/Makefile
@@ -40,7 +40,7 @@ OBJS = ArgVector.o \
include $(top_srcdir)/config/Make.rules
-CPPFLAGS := $(CPPFLAGS) $(ICEUTIL_FLAGS) -DICE_UTIL_API_EXPORTS -I..
+CPPFLAGS := $(CPPFLAGS) $(ICEUTIL_FLAGS) $(OPENSSL_FLAGS) -DICE_UTIL_API_EXPORTS -I..
LINKWITH := $(ICEUTIL_OS_LIBS)
ifeq ($(STATICLIBS),yes)
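Review bot: Nothing in this diff shows an IceUtil source including an OpenSSL header, so the reason for adding `$(OPENSSL_FLAGS)` to IceUtil's CPPFLAGS is not visible here; if a file under IceUtil now checks `OPENSSL_VERSION_NUMBER` or includes `<openssl/...>`, a one-line Makefile comment naming it would make the dependency explicit. LINKWITH is unchanged, so this only works as long as that use stays header-only.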
diff --git a/cpp/test/IceSSL/configuration/AllTests.cpp b/cpp/test/IceSSL/configuration/AllTests.cpp
index d0235809622..458aded1cbb 100644
--- a/cpp/test/IceSSL/configuration/AllTests.cpp
+++ b/cpp/test/IceSSL/configuration/AllTests.cpp
@@ -476,6 +476,10 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12);
initData.properties->setProperty("Ice.InitPlugins", "0");
# ifdef ICE_USE_OPENSSL
+ //
+ // With OpenSSL 1.1.0 we need to set SECLEVEL=0 to allow ADH ciphers
+ //
+ initData.properties->setProperty("IceSSL.SecurityLevel", "0");
initData.properties->setProperty("IceSSL.Ciphers", "ADH");
# else
initData.properties->setProperty("IceSSL.Ciphers", "DH_anon_WITH_AES_256_CBC_SHA");
@@ -489,6 +493,10 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(obj);
Test::Properties d = createServerProps(defaultProps, defaultDir, defaultHost, p12);
# ifdef ICE_USE_OPENSSL
+ //
+ // With OpenSSL 1.1.0 we need to set SECLEVEL=0 to allow ADH ciphers
+ //
+ d["IceSSL.SecurityLevel"] = "0";
d["IceSSL.Ciphers"] = "ADH";
# else
d["IceSSL.Ciphers"] = "DH_anon_WITH_AES_256_CBC_SHA";
@@ -1197,6 +1205,10 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
InitializationData initData;
initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12);
# ifdef ICE_USE_OPENSSL
+ //
+ // With OpenSSL 1.1.0 we need to set SECLEVEL=0 to allow ADH ciphers
+ //
+ initData.properties->setProperty("IceSSL.SecurityLevel", "0");
initData.properties->setProperty("IceSSL.Ciphers", "ADH");
# else
initData.properties->setProperty("IceSSL.Ciphers", "(DH_anon*)");
@@ -1212,7 +1224,11 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
test(fact);
Test::Properties d = createServerProps(defaultProps, defaultDir, defaultHost, p12);
# ifdef ICE_USE_OPENSSL
+ //
+ // With OpenSSL 1.1.0 we need to set SECLEVEL=0 to allow ADH ciphers
+ //
string cipherSub = "ADH-";
+ d["IceSSL.SecurityLevel"] = "0";
d["IceSSL.Ciphers"] = "ADH";
# else
string cipherSub = "DH_anon";
@@ -1800,6 +1816,10 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
InitializationData initData;
initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12);
# ifdef ICE_USE_OPENSSL
+ //
+ // With OpenSSL 1.1.0 we need to set SECLEVEL=0 to allow ADH ciphers
+ //
+ initData.properties->setProperty("IceSSL.SecurityLevel", "0");
initData.properties->setProperty("IceSSL.Ciphers", "ADH");
# else
initData.properties->setProperty("IceSSL.Ciphers", "(DH_anon*)");
@@ -1809,6 +1829,10 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
test(fact);
Test::Properties d = createServerProps(defaultProps, defaultDir, defaultHost, p12, "s_rsa_ca1", "cacert1");
# ifdef ICE_USE_OPENSSL
+ //
+ // With OpenSSL 1.1.0 we need to set SECLEVEL=0 to allow ADH ciphers
+ //
+ d["IceSSL.SecurityLevel"] = "0";
string cipherSub = "ADH-";
d["IceSSL.Ciphers"] = "RSA:ADH";
# else
@@ -2043,13 +2067,14 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
//
InitializationData initData;
initData.properties = createClientProps(defaultProps, defaultDir, defaultHost, p12, "c_dsa_ca1", "cacert1");
- initData.properties->setProperty("IceSSL.Ciphers", "DEFAULT:DSS");
+ initData.properties->setProperty("IceSSL.Ciphers", "DHE:DSS");
CommunicatorPtr comm = initialize(initData);
Test::ServerFactoryPrx fact = Test::ServerFactoryPrx::checkedCast(comm->stringToProxy(factoryRef));
test(fact);
Test::Properties d = createServerProps(defaultProps, defaultDir, defaultHost, p12, "s_dsa_ca1", "cacert1");
- d["IceSSL.Ciphers"] = "DEFAULT:DSS";
+ d["IceSSL.Ciphers"] = "DHE:DSS";
d["IceSSL.VerifyPeer"] = "1";
+
Test::ServerPrx server = fact->createServer(d);
try
{
@@ -2061,7 +2086,6 @@ allTests(const CommunicatorPtr& communicator, const string& testDir, bool p12, b
}
fact->destroyServer(server);
comm->destroy();
-
//
// Next try a client with an RSA certificate.
//