From 1a81dbef1569bc68df9e49731518947fd63f3e8b Mon Sep 17 00:00:00 2001
From: Guenter Obiltschnig
Date: Tue, 2 Sep 2014 18:54:12 +0200
Subject: [PATCH] enabled TLSv1.1 and 1.2 support in configuration
---
 NetSSL_OpenSSL/include/Poco/Net/SSLManager.h | 6 ++++
 NetSSL_OpenSSL/src/SSLManager.cpp | 30 ++++++++++++++++++--
 2 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h b/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h
index 246906866..2aa539ef6 100644
--- a/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h
+++ b/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h
@@ -92,6 +92,8 @@ class NetSSL_API SSLManager
 /// 0..n
 /// true|false
 /// true|false
+ /// true|false
+ /// true|false
 ///
 /// false
 ///
@@ -133,6 +135,8 @@ class NetSSL_API SSLManager
 /// - extendedVerification (boolean): Enable or disable the automatic post-connection
 /// extended certificate verification.
 /// - requireTLSv1 (boolean): Require a TLSv1 connection.
+ /// - requireTLSv1_1 (boolean): Require a TLSv1.1 connection.
+ /// - requireTLSv1_2 (boolean): Require a TLSv1.2 connection.
 /// - fips: Enable or disable OpenSSL FIPS mode. Only supported if the OpenSSL version
 /// that this library is built against supports FIPS mode.
 {
@@ -313,6 +317,8 @@ private:
 static const std::string CFG_SESSION_TIMEOUT;
 static const std::string CFG_EXTENDED_VERIFICATION;
 static const std::string CFG_REQUIRE_TLSV1;
+ static const std::string CFG_REQUIRE_TLSV1_1;
+ static const std::string CFG_REQUIRE_TLSV1_2;
 #ifdef OPENSSL_FIPS
 static const std::string CFG_FIPS_MODE;
diff --git a/NetSSL_OpenSSL/src/SSLManager.cpp b/NetSSL_OpenSSL/src/SSLManager.cpp
index 7f5d8f712..db8e24bd6 100644
--- a/NetSSL_OpenSSL/src/SSLManager.cpp
+++ b/NetSSL_OpenSSL/src/SSLManager.cpp
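Review bot: The new option descriptions in the second header hunk (`/// - requireTLSv1_1 (boolean): Require a TLSv1.1 connection.` and the TLSv1_2 line) do not say how the three require flags combine, although the accompanying SSLManager.cpp change resolves them with a fixed precedence (requireTLSv1_2 over requireTLSv1_1 over requireTLSv1). I would extend the TLSv1_2 line to `/// - requireTLSv1_2 (boolean): Require a TLSv1.2 connection. Takes precedence over requireTLSv1_1 and requireTLSv1.` and state the same for requireTLSv1_1 relative to requireTLSv1. "Require" is also ambiguous for an operator choosing a hardening setting: if the TLSV1_1_*_USE / TLSV1_2_*_USE usages pin that single protocol version (as a version-specific OpenSSL method would) rather than set a minimum, enabling requireTLSv1_1 silently rules out TLS 1.2, and the comment should say which it is once confirmed against Context.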
@@ -54,6 +54,8 @@ const std::string SSLManager::CFG_SESSION_CACHE_SIZE("sessionCacheSize");
 const std::string SSLManager::CFG_SESSION_TIMEOUT("sessionTimeout");
 const std::string SSLManager::CFG_EXTENDED_VERIFICATION("extendedVerification");
 const std::string SSLManager::CFG_REQUIRE_TLSV1("requireTLSv1");
+const std::string SSLManager::CFG_REQUIRE_TLSV1_1("requireTLSv1_1");
+const std::string SSLManager::CFG_REQUIRE_TLSV1_2("requireTLSv1_2");
 #ifdef OPENSSL_FIPS
 const std::string SSLManager::CFG_FIPS_MODE("openSSL.fips");
 const bool SSLManager::VAL_FIPS_MODE(false);
@@ -251,10 +253,34 @@ void SSLManager::initDefaultContext(bool server)
 std::string cipherList = config.getString(prefix + CFG_CIPHER_LIST, VAL_CIPHER_LIST);
 cipherList = config.getString(prefix + CFG_CYPHER_LIST, cipherList); // for backwards compatibility
 bool requireTLSv1 = config.getBool(prefix + CFG_REQUIRE_TLSV1, false);
+ bool requireTLSv1_1 = config.getBool(prefix + CFG_REQUIRE_TLSV1_1, false);
+ bool requireTLSv1_2 = config.getBool(prefix + CFG_REQUIRE_TLSV1_2, false);
+ Context::Usage usage;
+
 if (server)
- _ptrDefaultServerContext = new Context(requireTLSv1 ? Context::TLSV1_SERVER_USE : Context::SERVER_USE, privKeyFile, certFile, caLocation, verMode, verDepth, loadDefCA, cipherList);
+ {
+ if (requireTLSv1_2)
+ usage = Context::TLSV1_2_SERVER_USE;
+ else if (requireTLSv1_1)
+ usage = Context::TLSV1_1_SERVER_USE;
+ else if (requireTLSv1)
+ usage = Context::TLSV1_SERVER_USE;
+ else
+ usage = Context::SERVER_USE;
+ }
 else
- _ptrDefaultClientContext = new Context(requireTLSv1 ? Context::TLSV1_CLIENT_USE : Context::CLIENT_USE, privKeyFile, certFile, caLocation, verMode, verDepth, loadDefCA, cipherList);
+ {
+ if (requireTLSv1_2)
+ usage = Context::TLSV1_2_CLIENT_USE;
+ else if (requireTLSv1_1)
+ usage = Context::TLSV1_1_CLIENT_USE;
+ else if (requireTLSv1)
+ usage = Context::TLSV1_CLIENT_USE;
+ else
+ usage = Context::CLIENT_USE;
+ }
+
+ _ptrDefaultClientContext = new Context(usage, privKeyFile, certFile, caLocation, verMode, verDepth, loadDefCA, cipherList);
 bool cacheSessions = config.getBool(prefix + CFG_CACHE_SESSIONS, false);
 if (server)
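Review bot: The server branch no longer stores its context: the new if/else blocks only choose `usage`, and the single `_ptrDefaultClientContext = new Context(usage, ...)` added after them runs for both values of `server`, so `initDefaultContext(true)` leaves `_ptrDefaultServerContext` untouched and instead overwrites the client context with a Context built from a *_SERVER_USE usage (the removed lines assigned one member per branch). Restore the per-branch assignment by replacing that line with `if (server) _ptrDefaultServerContext = new Context(usage, privKeyFile, certFile, caLocation, verMode, verDepth, loadDefCA, cipherList); else _ptrDefaultClientContext = new Context(usage, privKeyFile, certFile, caLocation, verMode, verDepth, loadDefCA, cipherList);`. Minor: `Context::Usage usage;` is declared without an initializer; every path assigns it today, but initializing it (or moving the selection into a small helper that returns the enum) keeps that from depending on the branch structure. initDefaultContext continues past the end of this hunk.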