generic-library/poco
1
0
Fork 0
mirror of https://github.com/pocoproject/poco.git synced 2025-10-16 18:56:52 +02:00
Code Issues Projects Releases Wiki Activity

added preliminary TLSv1.3 support with OpenSSL version 1.1.1

Browse Source
This commit is contained in:
Günter Obiltschnig
2018-08-24 10:47:05 +02:00
parent 64a3c8124a
commit 6000982c8b
4 changed files with 79 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
NetSSL_OpenSSL/include/Poco/Net/Context.h
View File

@@ -42,6 +42,23 @@ class NetSSL_API Context: public Poco::RefCountedObject
/// ///
/// The Context class is also used to control /// The Context class is also used to control
/// SSL session caching on the server and client side. /// SSL session caching on the server and client side.
///
/// A Note Regarding TLSv1.3 Support:
///
/// TLSv1.3 support requires at least OpenSSL version 1.1.1.
/// In order to enable TLSv1.3 support, specify TLSV1_3_CLIENT_USE
/// or TLSV1_3_SERVER_USE and make sure that the TLSv1.3
/// cipher suites are enabled:
///
/// - TLS_AES_256_GCM_SHA384
/// - TLS_CHACHA20_POLY1305_SHA256
/// - TLS_AES_128_GCM_SHA256
/// - TLS_AES_128_CCM_8_SHA256
/// - TLS_AES_128_CCM_SHA256
///
/// The first three of the above cipher suites should be enabled
/// by default in OpenSSL if you do not provide an explicit
/// cipher configuration (cipherList).
{ {
public: public:
typedef Poco::AutoPtr<Context> Ptr; typedef Poco::AutoPtr<Context> Ptr;
@@ -55,7 +72,9 @@ public:
TLSV1_1_CLIENT_USE, /// Context is used by a client requiring TLSv1.1 (OpenSSL 1.0.0 or newer). TLSV1_1_CLIENT_USE, /// Context is used by a client requiring TLSv1.1 (OpenSSL 1.0.0 or newer).
TLSV1_1_SERVER_USE, /// Context is used by a server requiring TLSv1.1 (OpenSSL 1.0.0 or newer). TLSV1_1_SERVER_USE, /// Context is used by a server requiring TLSv1.1 (OpenSSL 1.0.0 or newer).
TLSV1_2_CLIENT_USE, /// Context is used by a client requiring TLSv1.2 (OpenSSL 1.0.1 or newer). TLSV1_2_CLIENT_USE, /// Context is used by a client requiring TLSv1.2 (OpenSSL 1.0.1 or newer).
TLSV1_2_SERVER_USE /// Context is used by a server requiring TLSv1.2 (OpenSSL 1.0.1 or newer). TLSV1_2_SERVER_USE, /// Context is used by a server requiring TLSv1.2 (OpenSSL 1.0.1 or newer).
TLSV1_3_CLIENT_USE, /// Context is used by a client requiring TLSv1.3 (OpenSSL 1.1.1 or newer).
TLSV1_3_SERVER_USE /// Context is used by a server requiring TLSv1.3 (OpenSSL 1.1.1 or newer).
}; };
enum VerificationMode enum VerificationMode
@@ -101,7 +120,8 @@ public:
PROTO_SSLV3 = 0x02, PROTO_SSLV3 = 0x02,
PROTO_TLSV1 = 0x04, PROTO_TLSV1 = 0x04,
PROTO_TLSV1_1 = 0x08, PROTO_TLSV1_1 = 0x08,
PROTO_TLSV1_2 = 0x10 PROTO_TLSV1_2 = 0x10,
PROTO_TLSV1_3 = 0x20
}; };
struct NetSSL_API Params struct NetSSL_API Params

45
NetSSL_OpenSSL/include/Poco/Net/SSLManager.h
View File

@@ -42,7 +42,7 @@ class Context;
class NetSSL_API SSLManager class NetSSL_API SSLManager
/// SSLManager is a singleton for holding the default server/client /// SSLManager is a singleton for holding the default server/client
/// Context and handling callbacks for certificate verification errors /// Context and handling callbacks for certificate verification errors
/// and private key passphrases. /// and private key passphrases.
/// ///
@@ -62,7 +62,7 @@ class NetSSL_API SSLManager
/// ClientVerificationError and PrivateKeyPassphraseRequired events /// ClientVerificationError and PrivateKeyPassphraseRequired events
/// must be registered. /// must be registered.
/// ///
/// An exemplary documentation which sets either the server or client default context and creates /// An exemplary documentation which sets either the server or client default context and creates
/// a PrivateKeyPassphraseHandler that reads the password from the XML file looks like this: /// a PrivateKeyPassphraseHandler that reads the password from the XML file looks like this:
/// ///
/// <AppConfig> /// <AppConfig>
@@ -93,7 +93,8 @@ class NetSSL_API SSLManager
/// <requireTLSv1>true|false</requireTLSv1> /// <requireTLSv1>true|false</requireTLSv1>
/// <requireTLSv1_1>true|false</requireTLSv1_1> /// <requireTLSv1_1>true|false</requireTLSv1_1>
/// <requireTLSv1_2>true|false</requireTLSv1_2> /// <requireTLSv1_2>true|false</requireTLSv1_2>
/// <disableProtocols>sslv2,sslv3,tlsv1,tlsv1_1,tlsv1_2</disableProtocols> /// <requireTLSv1_3>true|false</requireTLSv1_3>
/// <disableProtocols>sslv2,sslv3,tlsv1,tlsv1_1,tlsv1_2,tlsv1_3</disableProtocols>
/// <dhParamsFile>dh.pem</dhParamsFile> /// <dhParamsFile>dh.pem</dhParamsFile>
/// <ecdhCurve>prime256v1</ecdhCurve> /// <ecdhCurve>prime256v1</ecdhCurve>
/// </server|client> /// </server|client>
@@ -104,7 +105,7 @@ class NetSSL_API SSLManager
/// Following is a list of supported configuration properties. Property names must always /// Following is a list of supported configuration properties. Property names must always
/// be prefixed with openSSL.server or openSSL.client. Some properties are only supported /// be prefixed with openSSL.server or openSSL.client. Some properties are only supported
/// for servers. /// for servers.
/// ///
/// - privateKeyFile (string): The path to the file containing the private key for the certificate /// - privateKeyFile (string): The path to the file containing the private key for the certificate
/// in PEM format (or containing both the private key and the certificate). /// in PEM format (or containing both the private key and the certificate).
/// - certificateFile (string): The Path to the file containing the server's or client's certificate /// - certificateFile (string): The Path to the file containing the server's or client's certificate
@@ -117,9 +118,9 @@ class NetSSL_API SSLManager
/// - loadDefaultCAFile (boolean): Specifies whether the builtin CA certificates from OpenSSL are used. /// - loadDefaultCAFile (boolean): Specifies whether the builtin CA certificates from OpenSSL are used.
/// - cipherList (string): Specifies the supported ciphers in OpenSSL notation /// - cipherList (string): Specifies the supported ciphers in OpenSSL notation
/// (e.g. "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"). /// (e.g. "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH").
/// - preferServerCiphers (bool): When choosing a cipher, use the server's preferences instead of the /// - preferServerCiphers (bool): When choosing a cipher, use the server's preferences instead of the
/// client preferences. When not called, the SSL server will always follow the clients /// client preferences. When not called, the SSL server will always follow the clients
/// preferences. When called, the SSL/TLS server will choose following its own /// preferences. When called, the SSL/TLS server will choose following its own
/// preferences. /// preferences.
/// - privateKeyPassphraseHandler.name (string): The name of the class (subclass of PrivateKeyPassphraseHandler) /// - privateKeyPassphraseHandler.name (string): The name of the class (subclass of PrivateKeyPassphraseHandler)
/// used for obtaining the passphrase for accessing the private key. /// used for obtaining the passphrase for accessing the private key.
@@ -127,14 +128,14 @@ class NetSSL_API SSLManager
/// - invalidCertificateHandler.name: The name of the class (subclass of CertificateHandler) /// - invalidCertificateHandler.name: The name of the class (subclass of CertificateHandler)
/// used for confirming invalid certificates. /// used for confirming invalid certificates.
/// - cacheSessions (boolean): Enables or disables session caching. /// - cacheSessions (boolean): Enables or disables session caching.
/// - sessionIdContext (string): contains the application's unique session ID context, which becomes /// - sessionIdContext (string): contains the application's unique session ID context, which becomes
/// part of each session identifier generated by the server. Can be an arbitrary sequence /// part of each session identifier generated by the server. Can be an arbitrary sequence
/// of bytes with a maximum length of SSL_MAX_SSL_SESSION_ID_LENGTH. Should be specified /// of bytes with a maximum length of SSL_MAX_SSL_SESSION_ID_LENGTH. Should be specified
/// for a server to enable session caching. Should be specified even if session caching /// for a server to enable session caching. Should be specified even if session caching
/// is disabled to avoid problems with clients that request session caching (e.g. Firefox 3.6). /// is disabled to avoid problems with clients that request session caching (e.g. Firefox 3.6).
/// If not specified, defaults to ${application.name}. /// If not specified, defaults to ${application.name}.
/// - sessionCacheSize (integer): Sets the maximum size of the server session cache, in number of /// - sessionCacheSize (integer): Sets the maximum size of the server session cache, in number of
/// sessions. The default size (according to OpenSSL documentation) is 1024*20, which may be too /// sessions. The default size (according to OpenSSL documentation) is 1024*20, which may be too
/// large for many applications, especially on embedded platforms with limited memory. /// large for many applications, especially on embedded platforms with limited memory.
/// Specifying a size of 0 will set an unlimited cache size. /// Specifying a size of 0 will set an unlimited cache size.
/// - sessionTimeout (integer): Sets the timeout (in seconds) of cached sessions on the server. /// - sessionTimeout (integer): Sets the timeout (in seconds) of cached sessions on the server.
@@ -143,14 +144,17 @@ class NetSSL_API SSLManager
/// - requireTLSv1 (boolean): Require a TLSv1 connection. /// - requireTLSv1 (boolean): Require a TLSv1 connection.
/// - requireTLSv1_1 (boolean): Require a TLSv1.1 connection. /// - requireTLSv1_1 (boolean): Require a TLSv1.1 connection.
/// - requireTLSv1_2 (boolean): Require a TLSv1.2 connection. /// - requireTLSv1_2 (boolean): Require a TLSv1.2 connection.
/// - requireTLSv1_3 (boolean): Require a TLSv1.3 connection
/// - disableProtocols (string): A comma-separated list of protocols that should be /// - disableProtocols (string): A comma-separated list of protocols that should be
/// disabled. Valid protocol names are sslv2, sslv3, tlsv1, tlsv1_1, tlsv1_2. /// disabled. Valid protocol names are sslv2, sslv3, tlsv1, tlsv1_1, tlsv1_2, tlsv1_3.
/// - dhParamsFile (string): Specifies a file containing Diffie-Hellman parameters. /// - dhParamsFile (string): Specifies a file containing Diffie-Hellman parameters.
/// If not specified or empty, the default parameters are used. /// If not specified or empty, the default parameters are used.
/// - ecdhCurve (string): Specifies the name of the curve to use for ECDH, based /// - ecdhCurve (string): Specifies the name of the curve to use for ECDH, based
/// on the curve names specified in RFC 4492. Defaults to "prime256v1". /// on the curve names specified in RFC 4492. Defaults to "prime256v1".
/// - fips: Enable or disable OpenSSL FIPS mode. Only supported if the OpenSSL version /// - fips: Enable or disable OpenSSL FIPS mode. Only supported if the OpenSSL version
/// that this library is built against supports FIPS mode. /// that this library is built against supports FIPS mode.
///
/// Please see the Context class documentation regarding TLSv1.3 support.
{ {
public: public:
typedef Poco::SharedPtr<PrivateKeyPassphraseHandler> PrivateKeyPassphraseHandlerPtr; typedef Poco::SharedPtr<PrivateKeyPassphraseHandler> PrivateKeyPassphraseHandlerPtr;
@@ -176,7 +180,7 @@ public:
/// PtrPassphraseHandler and ptrCertificateHandler can be 0. However, in this case, event delegates /// PtrPassphraseHandler and ptrCertificateHandler can be 0. However, in this case, event delegates
/// must be registered with the ServerVerificationError and PrivateKeyPassphraseRequired events. /// must be registered with the ServerVerificationError and PrivateKeyPassphraseRequired events.
/// ///
/// Note: Always create the handlers (or register the corresponding event delegates) before creating /// Note: Always create the handlers (or register the corresponding event delegates) before creating
/// the Context, as during creation of the Context the passphrase for the private key might be needed. /// the Context, as during creation of the Context the passphrase for the private key might be needed.
/// ///
/// Valid initialization code would be: /// Valid initialization code would be:
@@ -192,7 +196,7 @@ public:
/// PtrPassphraseHandler and ptrCertificateHandler can be 0. However, in this case, event delegates /// PtrPassphraseHandler and ptrCertificateHandler can be 0. However, in this case, event delegates
/// must be registered with the ClientVerificationError and PrivateKeyPassphraseRequired events. /// must be registered with the ClientVerificationError and PrivateKeyPassphraseRequired events.
/// ///
/// Note: Always create the handlers (or register the corresponding event delegates) before creating /// Note: Always create the handlers (or register the corresponding event delegates) before creating
/// the Context, as during creation of the Context the passphrase for the private key might be needed. /// the Context, as during creation of the Context the passphrase for the private key might be needed.
/// ///
/// Valid initialization code would be: /// Valid initialization code would be:
@@ -202,13 +206,13 @@ public:
/// SSLManager::instance().initializeClient(pConsoleHandler, pInvalidCertHandler, pContext); /// SSLManager::instance().initializeClient(pConsoleHandler, pInvalidCertHandler, pContext);
Context::Ptr defaultServerContext(); Context::Ptr defaultServerContext();
/// Returns the default Context used by the server. /// Returns the default Context used by the server.
/// ///
/// Unless initializeServer() has been called, the first call to this method initializes the default Context /// Unless initializeServer() has been called, the first call to this method initializes the default Context
/// from the application configuration. /// from the application configuration.
Context::Ptr defaultClientContext(); Context::Ptr defaultClientContext();
/// Returns the default Context used by the client. /// Returns the default Context used by the client.
/// ///
/// Unless initializeClient() has been called, the first call to this method initializes the default Context /// Unless initializeClient() has been called, the first call to this method initializes the default Context
/// from the application configuration. /// from the application configuration.
@@ -230,16 +234,16 @@ public:
/// If none is set, it will try to auto-initialize one from an application configuration. /// If none is set, it will try to auto-initialize one from an application configuration.
PrivateKeyFactoryMgr& privateKeyFactoryMgr(); PrivateKeyFactoryMgr& privateKeyFactoryMgr();
/// Returns the private key factory manager which stores the /// Returns the private key factory manager which stores the
/// factories for the different registered passphrase handlers for private keys. /// factories for the different registered passphrase handlers for private keys.
CertificateHandlerFactoryMgr& certificateHandlerFactoryMgr(); CertificateHandlerFactoryMgr& certificateHandlerFactoryMgr();
/// Returns the CertificateHandlerFactoryMgr which stores the /// Returns the CertificateHandlerFactoryMgr which stores the
/// factories for the different registered certificate handlers. /// factories for the different registered certificate handlers.
static bool isFIPSEnabled(); static bool isFIPSEnabled();
// Returns true if FIPS mode is enabled, false otherwise. // Returns true if FIPS mode is enabled, false otherwise.
void shutdown(); void shutdown();
/// Shuts down the SSLManager and releases the default Context /// Shuts down the SSLManager and releases the default Context
/// objects. After a call to shutdown(), the SSLManager can no /// objects. After a call to shutdown(), the SSLManager can no
@@ -267,7 +271,7 @@ protected:
/// Method is invoked by OpenSSL to retrieve a passwd for an encrypted certificate. /// Method is invoked by OpenSSL to retrieve a passwd for an encrypted certificate.
/// The request is delegated to the PrivatekeyPassword event. This method returns the /// The request is delegated to the PrivatekeyPassword event. This method returns the
/// length of the password. /// length of the password.
static Poco::Util::AbstractConfiguration& appConfig(); static Poco::Util::AbstractConfiguration& appConfig();
/// Returns the application configuration. /// Returns the application configuration.
/// ///
@@ -333,6 +337,7 @@ private:
static const std::string CFG_REQUIRE_TLSV1; static const std::string CFG_REQUIRE_TLSV1;
static const std::string CFG_REQUIRE_TLSV1_1; static const std::string CFG_REQUIRE_TLSV1_1;
static const std::string CFG_REQUIRE_TLSV1_2; static const std::string CFG_REQUIRE_TLSV1_2;
static const std::string CFG_REQUIRE_TLSV1_3;
static const std::string CFG_DISABLE_PROTOCOLS; static const std::string CFG_DISABLE_PROTOCOLS;
static const std::string CFG_DH_PARAMS_FILE; static const std::string CFG_DH_PARAMS_FILE;
static const std::string CFG_ECDH_CURVE; static const std::string CFG_ECDH_CURVE;

14
NetSSL_OpenSSL/src/Context.cpp
View File

@@ -372,6 +372,12 @@ void Context::disableProtocols(int protocols)
{ {
#if defined(SSL_OP_NO_TLSv1_2) #if defined(SSL_OP_NO_TLSv1_2)
SSL_CTX_set_options(_pSSLContext, SSL_OP_NO_TLSv1_2); SSL_CTX_set_options(_pSSLContext, SSL_OP_NO_TLSv1_2);
#endif
}
if (protocols & PROTO_TLSV1_3)
{
#if defined(SSL_OP_NO_TLSv1_3)
SSL_CTX_set_options(_pSSLContext, SSL_OP_NO_TLSv1_3);
#endif #endif
} }
} }
@@ -436,6 +442,14 @@ void Context::createSSLContext()
case TLSV1_2_SERVER_USE: case TLSV1_2_SERVER_USE:
_pSSLContext = SSL_CTX_new(TLSv1_2_server_method()); _pSSLContext = SSL_CTX_new(TLSv1_2_server_method());
break; break;
#endif
#if defined(SSL_OP_NO_TLSv1_3) && !defined(OPENSSL_NO_TLS1)
case TLSV1_3_CLIENT_USE:
_pSSLContext = SSL_CTX_new(TLS_client_method());
break;
case TLSV1_3_SERVER_USE:
_pSSLContext = SSL_CTX_new(TLS_server_method());
break;
#endif #endif
default: default:
throw Poco::InvalidArgumentException("Invalid or unsupported usage"); throw Poco::InvalidArgumentException("Invalid or unsupported usage");

28
NetSSL_OpenSSL/src/SSLManager.cpp
View File

@@ -57,6 +57,7 @@ const std::string SSLManager::CFG_EXTENDED_VERIFICATION("extendedVerification");
const std::string SSLManager::CFG_REQUIRE_TLSV1("requireTLSv1"); const std::string SSLManager::CFG_REQUIRE_TLSV1("requireTLSv1");
const std::string SSLManager::CFG_REQUIRE_TLSV1_1("requireTLSv1_1"); const std::string SSLManager::CFG_REQUIRE_TLSV1_1("requireTLSv1_1");
const std::string SSLManager::CFG_REQUIRE_TLSV1_2("requireTLSv1_2"); const std::string SSLManager::CFG_REQUIRE_TLSV1_2("requireTLSv1_2");
const std::string SSLManager::CFG_REQUIRE_TLSV1_3("requireTLSv1_3");
const std::string SSLManager::CFG_DISABLE_PROTOCOLS("disableProtocols"); const std::string SSLManager::CFG_DISABLE_PROTOCOLS("disableProtocols");
const std::string SSLManager::CFG_DH_PARAMS_FILE("dhParamsFile"); const std::string SSLManager::CFG_DH_PARAMS_FILE("dhParamsFile");
const std::string SSLManager::CFG_ECDH_CURVE("ecdhCurve"); const std::string SSLManager::CFG_ECDH_CURVE("ecdhCurve");
@@ -125,7 +126,7 @@ void SSLManager::initializeClient(PrivateKeyPassphraseHandlerPtr ptrPassphraseHa
Context::Ptr SSLManager::defaultServerContext() Context::Ptr SSLManager::defaultServerContext()
{ {
Poco::FastMutex::ScopedLock lock(_mutex); Poco::FastMutex::ScopedLock lock(_mutex);
if (!_ptrDefaultServerContext) if (!_ptrDefaultServerContext)
initDefaultContext(true); initDefaultContext(true);
@@ -150,7 +151,7 @@ Context::Ptr SSLManager::defaultClientContext()
_ptrDefaultClientContext->disableProtocols(Context::PROTO_SSLV2 | Context::PROTO_SSLV3); _ptrDefaultClientContext->disableProtocols(Context::PROTO_SSLV2 | Context::PROTO_SSLV3);
} }
} }
return _ptrDefaultClientContext; return _ptrDefaultClientContext;
} }
@@ -256,7 +257,7 @@ void SSLManager::initDefaultContext(bool server)
Context::Params params; Context::Params params;
// mandatory options // mandatory options
params.privateKeyFile = config.getString(prefix + CFG_PRIV_KEY_FILE, ""); params.privateKeyFile = config.getString(prefix + CFG_PRIV_KEY_FILE, "");
params.certificateFile = config.getString(prefix + CFG_CERTIFICATE_FILE, params.privateKeyFile); params.certificateFile = config.getString(prefix + CFG_CERTIFICATE_FILE, params.privateKeyFile);
params.caLocation = config.getString(prefix + CFG_CA_LOCATION, ""); params.caLocation = config.getString(prefix + CFG_CA_LOCATION, "");
if (server && params.certificateFile.empty() && params.privateKeyFile.empty()) if (server && params.certificateFile.empty() && params.privateKeyFile.empty())
@@ -278,15 +279,18 @@ void SSLManager::initDefaultContext(bool server)
bool requireTLSv1 = config.getBool(prefix + CFG_REQUIRE_TLSV1, false); bool requireTLSv1 = config.getBool(prefix + CFG_REQUIRE_TLSV1, false);
bool requireTLSv1_1 = config.getBool(prefix + CFG_REQUIRE_TLSV1_1, false); bool requireTLSv1_1 = config.getBool(prefix + CFG_REQUIRE_TLSV1_1, false);
bool requireTLSv1_2 = config.getBool(prefix + CFG_REQUIRE_TLSV1_2, false); bool requireTLSv1_2 = config.getBool(prefix + CFG_REQUIRE_TLSV1_2, false);
bool requireTLSv1_3 = config.getBool(prefix + CFG_REQUIRE_TLSV1_3, false);
params.dhParamsFile = config.getString(prefix + CFG_DH_PARAMS_FILE, ""); params.dhParamsFile = config.getString(prefix + CFG_DH_PARAMS_FILE, "");
params.ecdhCurve = config.getString(prefix + CFG_ECDH_CURVE, ""); params.ecdhCurve = config.getString(prefix + CFG_ECDH_CURVE, "");
Context::Usage usage; Context::Usage usage;
if (server) if (server)
{ {
if (requireTLSv1_2) if (requireTLSv1_3)
usage = Context::TLSV1_3_SERVER_USE;
else if (requireTLSv1_2)
usage = Context::TLSV1_2_SERVER_USE; usage = Context::TLSV1_2_SERVER_USE;
else if (requireTLSv1_1) else if (requireTLSv1_1)
usage = Context::TLSV1_1_SERVER_USE; usage = Context::TLSV1_1_SERVER_USE;
@@ -298,7 +302,9 @@ void SSLManager::initDefaultContext(bool server)
} }
else else
{ {
if (requireTLSv1_2) if (requireTLSv1_3)
usage = Context::TLSV1_3_CLIENT_USE;
else if (requireTLSv1_2)
usage = Context::TLSV1_2_CLIENT_USE; usage = Context::TLSV1_2_CLIENT_USE;
else if (requireTLSv1_1) else if (requireTLSv1_1)
usage = Context::TLSV1_1_CLIENT_USE; usage = Context::TLSV1_1_CLIENT_USE;
@@ -308,7 +314,7 @@ void SSLManager::initDefaultContext(bool server)
usage = Context::CLIENT_USE; usage = Context::CLIENT_USE;
_ptrDefaultClientContext = new Context(usage, params); _ptrDefaultClientContext = new Context(usage, params);
} }
std::string disabledProtocolsList = config.getString(prefix + CFG_DISABLE_PROTOCOLS, ""); std::string disabledProtocolsList = config.getString(prefix + CFG_DISABLE_PROTOCOLS, "");
Poco::StringTokenizer dpTok(disabledProtocolsList, ";,", Poco::StringTokenizer::TOK_TRIM | Poco::StringTokenizer::TOK_IGNORE_EMPTY); Poco::StringTokenizer dpTok(disabledProtocolsList, ";,", Poco::StringTokenizer::TOK_TRIM | Poco::StringTokenizer::TOK_IGNORE_EMPTY);
int disabledProtocols = 0; int disabledProtocols = 0;
@@ -324,12 +330,14 @@ void SSLManager::initDefaultContext(bool server)
disabledProtocols |= Context::PROTO_TLSV1_1; disabledProtocols |= Context::PROTO_TLSV1_1;
else if (*it == "tlsv1_2") else if (*it == "tlsv1_2")
disabledProtocols |= Context::PROTO_TLSV1_2; disabledProtocols |= Context::PROTO_TLSV1_2;
else if (*it == "tlsv1_3")
disabledProtocols |= Context::PROTO_TLSV1_3;
} }
if (server) if (server)
_ptrDefaultServerContext->disableProtocols(disabledProtocols); _ptrDefaultServerContext->disableProtocols(disabledProtocols);
else else
_ptrDefaultClientContext->disableProtocols(disabledProtocols); _ptrDefaultClientContext->disableProtocols(disabledProtocols);
bool cacheSessions = config.getBool(prefix + CFG_CACHE_SESSIONS, false); bool cacheSessions = config.getBool(prefix + CFG_CACHE_SESSIONS, false);
if (server) if (server)
{ {
@@ -378,7 +386,7 @@ void SSLManager::initPassphraseHandler(bool server)
{ {
if (server && _ptrServerPassphraseHandler) return; if (server && _ptrServerPassphraseHandler) return;
if (!server && _ptrClientPassphraseHandler) return; if (!server && _ptrClientPassphraseHandler) return;
std::string prefix = server ? CFG_SERVER_PREFIX : CFG_CLIENT_PREFIX; std::string prefix = server ? CFG_SERVER_PREFIX : CFG_CLIENT_PREFIX;
Poco::Util::AbstractConfiguration& config = appConfig(); Poco::Util::AbstractConfiguration& config = appConfig();
@@ -399,7 +407,7 @@ void SSLManager::initPassphraseHandler(bool server)
} }
else throw Poco::Util::UnknownOptionException(std::string("No passphrase handler known with the name ") + className); else throw Poco::Util::UnknownOptionException(std::string("No passphrase handler known with the name ") + className);
} }
void SSLManager::initCertificateHandler(bool server) void SSLManager::initCertificateHandler(bool server)
{ {