generic-library/poco
1
0
Fork 0
mirror of https://github.com/pocoproject/poco.git synced 2025-10-17 19:25:53 +02:00
Code Issues Projects Releases Wiki Activity

added preliminary TLSv1.3 support with OpenSSL version 1.1.1

Browse Source
This commit is contained in:
Günter Obiltschnig
2018-08-24 10:47:05 +02:00
parent 64a3c8124a
commit 6000982c8b
4 changed files with 79 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
NetSSL_OpenSSL/include/Poco/Net/Context.h
View File

@@ -42,6 +42,23 @@ class NetSSL_API Context: public Poco::RefCountedObject
///
/// The Context class is also used to control
/// SSL session caching on the server and client side.
///
/// A Note Regarding TLSv1.3 Support:
///
/// TLSv1.3 support requires at least OpenSSL version 1.1.1.
/// In order to enable TLSv1.3 support, specify TLSV1_3_CLIENT_USE
/// or TLSV1_3_SERVER_USE and make sure that the TLSv1.3
/// cipher suites are enabled:
///
/// - TLS_AES_256_GCM_SHA384
/// - TLS_CHACHA20_POLY1305_SHA256
/// - TLS_AES_128_GCM_SHA256
/// - TLS_AES_128_CCM_8_SHA256
/// - TLS_AES_128_CCM_SHA256
///
/// The first three of the above cipher suites should be enabled
/// by default in OpenSSL if you do not provide an explicit
/// cipher configuration (cipherList).
{
public:
typedef Poco::AutoPtr<Context> Ptr;
@@ -55,7 +72,9 @@ public:
TLSV1_1_CLIENT_USE, /// Context is used by a client requiring TLSv1.1 (OpenSSL 1.0.0 or newer).
TLSV1_1_SERVER_USE, /// Context is used by a server requiring TLSv1.1 (OpenSSL 1.0.0 or newer).
TLSV1_2_CLIENT_USE, /// Context is used by a client requiring TLSv1.2 (OpenSSL 1.0.1 or newer).
TLSV1_2_SERVER_USE /// Context is used by a server requiring TLSv1.2 (OpenSSL 1.0.1 or newer).
TLSV1_2_SERVER_USE, /// Context is used by a server requiring TLSv1.2 (OpenSSL 1.0.1 or newer).
TLSV1_3_CLIENT_USE, /// Context is used by a client requiring TLSv1.3 (OpenSSL 1.1.1 or newer).
TLSV1_3_SERVER_USE /// Context is used by a server requiring TLSv1.3 (OpenSSL 1.1.1 or newer).
};
enum VerificationMode
@@ -101,7 +120,8 @@ public:
PROTO_SSLV3 = 0x02,
PROTO_TLSV1 = 0x04,
PROTO_TLSV1_1 = 0x08,
PROTO_TLSV1_2 = 0x10
PROTO_TLSV1_2 = 0x10,
PROTO_TLSV1_3 = 0x20
};
struct NetSSL_API Params

45
NetSSL_OpenSSL/include/Poco/Net/SSLManager.h
View File

@@ -42,7 +42,7 @@ class Context;
class NetSSL_API SSLManager
/// SSLManager is a singleton for holding the default server/client
/// SSLManager is a singleton for holding the default server/client
/// Context and handling callbacks for certificate verification errors
/// and private key passphrases.
///
@@ -62,7 +62,7 @@ class NetSSL_API SSLManager
/// ClientVerificationError and PrivateKeyPassphraseRequired events
/// must be registered.
///
/// An exemplary documentation which sets either the server or client default context and creates
/// An exemplary documentation which sets either the server or client default context and creates
/// a PrivateKeyPassphraseHandler that reads the password from the XML file looks like this:
///
/// <AppConfig>
@@ -93,7 +93,8 @@ class NetSSL_API SSLManager
/// <requireTLSv1>true|false</requireTLSv1>
/// <requireTLSv1_1>true|false</requireTLSv1_1>
/// <requireTLSv1_2>true|false</requireTLSv1_2>
/// <disableProtocols>sslv2,sslv3,tlsv1,tlsv1_1,tlsv1_2</disableProtocols>
/// <requireTLSv1_3>true|false</requireTLSv1_3>
/// <disableProtocols>sslv2,sslv3,tlsv1,tlsv1_1,tlsv1_2,tlsv1_3</disableProtocols>
/// <dhParamsFile>dh.pem</dhParamsFile>
/// <ecdhCurve>prime256v1</ecdhCurve>
/// </server|client>
@@ -104,7 +105,7 @@ class NetSSL_API SSLManager
/// Following is a list of supported configuration properties. Property names must always
/// be prefixed with openSSL.server or openSSL.client. Some properties are only supported
/// for servers.
///
///
/// - privateKeyFile (string): The path to the file containing the private key for the certificate
/// in PEM format (or containing both the private key and the certificate).
/// - certificateFile (string): The Path to the file containing the server's or client's certificate
@@ -117,9 +118,9 @@ class NetSSL_API SSLManager
/// - loadDefaultCAFile (boolean): Specifies whether the builtin CA certificates from OpenSSL are used.
/// - cipherList (string): Specifies the supported ciphers in OpenSSL notation
/// (e.g. "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH").
/// - preferServerCiphers (bool): When choosing a cipher, use the server's preferences instead of the
/// client preferences. When not called, the SSL server will always follow the clients
/// preferences. When called, the SSL/TLS server will choose following its own
/// - preferServerCiphers (bool): When choosing a cipher, use the server's preferences instead of the
/// client preferences. When not called, the SSL server will always follow the clients
/// preferences. When called, the SSL/TLS server will choose following its own
/// preferences.
/// - privateKeyPassphraseHandler.name (string): The name of the class (subclass of PrivateKeyPassphraseHandler)
/// used for obtaining the passphrase for accessing the private key.
@@ -127,14 +128,14 @@ class NetSSL_API SSLManager
/// - invalidCertificateHandler.name: The name of the class (subclass of CertificateHandler)
/// used for confirming invalid certificates.
/// - cacheSessions (boolean): Enables or disables session caching.
/// - sessionIdContext (string): contains the application's unique session ID context, which becomes
/// part of each session identifier generated by the server. Can be an arbitrary sequence
/// - sessionIdContext (string): contains the application's unique session ID context, which becomes
/// part of each session identifier generated by the server. Can be an arbitrary sequence
/// of bytes with a maximum length of SSL_MAX_SSL_SESSION_ID_LENGTH. Should be specified
/// for a server to enable session caching. Should be specified even if session caching
/// is disabled to avoid problems with clients that request session caching (e.g. Firefox 3.6).
/// If not specified, defaults to ${application.name}.
/// - sessionCacheSize (integer): Sets the maximum size of the server session cache, in number of
/// sessions. The default size (according to OpenSSL documentation) is 1024*20, which may be too
/// sessions. The default size (according to OpenSSL documentation) is 1024*20, which may be too
/// large for many applications, especially on embedded platforms with limited memory.
/// Specifying a size of 0 will set an unlimited cache size.
/// - sessionTimeout (integer): Sets the timeout (in seconds) of cached sessions on the server.
@@ -143,14 +144,17 @@ class NetSSL_API SSLManager
/// - requireTLSv1 (boolean): Require a TLSv1 connection.
/// - requireTLSv1_1 (boolean): Require a TLSv1.1 connection.
/// - requireTLSv1_2 (boolean): Require a TLSv1.2 connection.
/// - requireTLSv1_3 (boolean): Require a TLSv1.3 connection
/// - disableProtocols (string): A comma-separated list of protocols that should be
/// disabled. Valid protocol names are sslv2, sslv3, tlsv1, tlsv1_1, tlsv1_2.
/// disabled. Valid protocol names are sslv2, sslv3, tlsv1, tlsv1_1, tlsv1_2, tlsv1_3.
/// - dhParamsFile (string): Specifies a file containing Diffie-Hellman parameters.
/// If not specified or empty, the default parameters are used.
/// - ecdhCurve (string): Specifies the name of the curve to use for ECDH, based
/// on the curve names specified in RFC 4492. Defaults to "prime256v1".
/// - fips: Enable or disable OpenSSL FIPS mode. Only supported if the OpenSSL version
/// - fips: Enable or disable OpenSSL FIPS mode. Only supported if the OpenSSL version
/// that this library is built against supports FIPS mode.
///
/// Please see the Context class documentation regarding TLSv1.3 support.
{
public:
typedef Poco::SharedPtr<PrivateKeyPassphraseHandler> PrivateKeyPassphraseHandlerPtr;
@@ -176,7 +180,7 @@ public:
/// PtrPassphraseHandler and ptrCertificateHandler can be 0. However, in this case, event delegates
/// must be registered with the ServerVerificationError and PrivateKeyPassphraseRequired events.
///
/// Note: Always create the handlers (or register the corresponding event delegates) before creating
/// Note: Always create the handlers (or register the corresponding event delegates) before creating
/// the Context, as during creation of the Context the passphrase for the private key might be needed.
///
/// Valid initialization code would be:
@@ -192,7 +196,7 @@ public:
/// PtrPassphraseHandler and ptrCertificateHandler can be 0. However, in this case, event delegates
/// must be registered with the ClientVerificationError and PrivateKeyPassphraseRequired events.
///
/// Note: Always create the handlers (or register the corresponding event delegates) before creating
/// Note: Always create the handlers (or register the corresponding event delegates) before creating
/// the Context, as during creation of the Context the passphrase for the private key might be needed.
///
/// Valid initialization code would be:
@@ -202,13 +206,13 @@ public:
/// SSLManager::instance().initializeClient(pConsoleHandler, pInvalidCertHandler, pContext);
Context::Ptr defaultServerContext();
/// Returns the default Context used by the server.
/// Returns the default Context used by the server.
///
/// Unless initializeServer() has been called, the first call to this method initializes the default Context
/// from the application configuration.
Context::Ptr defaultClientContext();
/// Returns the default Context used by the client.
/// Returns the default Context used by the client.
///
/// Unless initializeClient() has been called, the first call to this method initializes the default Context
/// from the application configuration.
@@ -230,16 +234,16 @@ public:
/// If none is set, it will try to auto-initialize one from an application configuration.
PrivateKeyFactoryMgr& privateKeyFactoryMgr();
/// Returns the private key factory manager which stores the
/// Returns the private key factory manager which stores the
/// factories for the different registered passphrase handlers for private keys.
CertificateHandlerFactoryMgr& certificateHandlerFactoryMgr();
/// Returns the CertificateHandlerFactoryMgr which stores the
/// Returns the CertificateHandlerFactoryMgr which stores the
/// factories for the different registered certificate handlers.
static bool isFIPSEnabled();
// Returns true if FIPS mode is enabled, false otherwise.
void shutdown();
/// Shuts down the SSLManager and releases the default Context
/// objects. After a call to shutdown(), the SSLManager can no
@@ -267,7 +271,7 @@ protected:
/// Method is invoked by OpenSSL to retrieve a passwd for an encrypted certificate.
/// The request is delegated to the PrivatekeyPassword event. This method returns the
/// length of the password.
static Poco::Util::AbstractConfiguration& appConfig();
/// Returns the application configuration.
///
@@ -333,6 +337,7 @@ private:
static const std::string CFG_REQUIRE_TLSV1;
static const std::string CFG_REQUIRE_TLSV1_1;
static const std::string CFG_REQUIRE_TLSV1_2;
static const std::string CFG_REQUIRE_TLSV1_3;
static const std::string CFG_DISABLE_PROTOCOLS;
static const std::string CFG_DH_PARAMS_FILE;
static const std::string CFG_ECDH_CURVE;

14
NetSSL_OpenSSL/src/Context.cpp
View File

@@ -372,6 +372,12 @@ void Context::disableProtocols(int protocols)
{
#if defined(SSL_OP_NO_TLSv1_2)
SSL_CTX_set_options(_pSSLContext, SSL_OP_NO_TLSv1_2);
#endif
}
if (protocols & PROTO_TLSV1_3)
{
#if defined(SSL_OP_NO_TLSv1_3)
SSL_CTX_set_options(_pSSLContext, SSL_OP_NO_TLSv1_3);
#endif
}
}
@@ -436,6 +442,14 @@ void Context::createSSLContext()
case TLSV1_2_SERVER_USE:
_pSSLContext = SSL_CTX_new(TLSv1_2_server_method());
break;
#endif
#if defined(SSL_OP_NO_TLSv1_3) && !defined(OPENSSL_NO_TLS1)
case TLSV1_3_CLIENT_USE:
_pSSLContext = SSL_CTX_new(TLS_client_method());
break;
case TLSV1_3_SERVER_USE:
_pSSLContext = SSL_CTX_new(TLS_server_method());
break;
#endif
default:
throw Poco::InvalidArgumentException("Invalid or unsupported usage");

28
NetSSL_OpenSSL/src/SSLManager.cpp
View File

@@ -57,6 +57,7 @@ const std::string SSLManager::CFG_EXTENDED_VERIFICATION("extendedVerification");
const std::string SSLManager::CFG_REQUIRE_TLSV1("requireTLSv1");
const std::string SSLManager::CFG_REQUIRE_TLSV1_1("requireTLSv1_1");
const std::string SSLManager::CFG_REQUIRE_TLSV1_2("requireTLSv1_2");
const std::string SSLManager::CFG_REQUIRE_TLSV1_3("requireTLSv1_3");
const std::string SSLManager::CFG_DISABLE_PROTOCOLS("disableProtocols");
const std::string SSLManager::CFG_DH_PARAMS_FILE("dhParamsFile");
const std::string SSLManager::CFG_ECDH_CURVE("ecdhCurve");
@@ -125,7 +126,7 @@ void SSLManager::initializeClient(PrivateKeyPassphraseHandlerPtr ptrPassphraseHa
Context::Ptr SSLManager::defaultServerContext()
{
Poco::FastMutex::ScopedLock lock(_mutex);
if (!_ptrDefaultServerContext)
initDefaultContext(true);
@@ -150,7 +151,7 @@ Context::Ptr SSLManager::defaultClientContext()
_ptrDefaultClientContext->disableProtocols(Context::PROTO_SSLV2 | Context::PROTO_SSLV3);
}
}
return _ptrDefaultClientContext;
}
@@ -256,7 +257,7 @@ void SSLManager::initDefaultContext(bool server)
Context::Params params;
// mandatory options
params.privateKeyFile = config.getString(prefix + CFG_PRIV_KEY_FILE, "");
params.certificateFile = config.getString(prefix + CFG_CERTIFICATE_FILE, params.privateKeyFile);
params.certificateFile = config.getString(prefix + CFG_CERTIFICATE_FILE, params.privateKeyFile);
params.caLocation = config.getString(prefix + CFG_CA_LOCATION, "");
if (server && params.certificateFile.empty() && params.privateKeyFile.empty())
@@ -278,15 +279,18 @@ void SSLManager::initDefaultContext(bool server)
bool requireTLSv1 = config.getBool(prefix + CFG_REQUIRE_TLSV1, false);
bool requireTLSv1_1 = config.getBool(prefix + CFG_REQUIRE_TLSV1_1, false);
bool requireTLSv1_2 = config.getBool(prefix + CFG_REQUIRE_TLSV1_2, false);
bool requireTLSv1_3 = config.getBool(prefix + CFG_REQUIRE_TLSV1_3, false);
params.dhParamsFile = config.getString(prefix + CFG_DH_PARAMS_FILE, "");
params.ecdhCurve = config.getString(prefix + CFG_ECDH_CURVE, "");
Context::Usage usage;
if (server)
{
if (requireTLSv1_2)
if (requireTLSv1_3)
usage = Context::TLSV1_3_SERVER_USE;
else if (requireTLSv1_2)
usage = Context::TLSV1_2_SERVER_USE;
else if (requireTLSv1_1)
usage = Context::TLSV1_1_SERVER_USE;
@@ -298,7 +302,9 @@ void SSLManager::initDefaultContext(bool server)
}
else
{
if (requireTLSv1_2)
if (requireTLSv1_3)
usage = Context::TLSV1_3_CLIENT_USE;
else if (requireTLSv1_2)
usage = Context::TLSV1_2_CLIENT_USE;
else if (requireTLSv1_1)
usage = Context::TLSV1_1_CLIENT_USE;
@@ -308,7 +314,7 @@ void SSLManager::initDefaultContext(bool server)
usage = Context::CLIENT_USE;
_ptrDefaultClientContext = new Context(usage, params);
}
std::string disabledProtocolsList = config.getString(prefix + CFG_DISABLE_PROTOCOLS, "");
Poco::StringTokenizer dpTok(disabledProtocolsList, ";,", Poco::StringTokenizer::TOK_TRIM | Poco::StringTokenizer::TOK_IGNORE_EMPTY);
int disabledProtocols = 0;
@@ -324,12 +330,14 @@ void SSLManager::initDefaultContext(bool server)
disabledProtocols |= Context::PROTO_TLSV1_1;
else if (*it == "tlsv1_2")
disabledProtocols |= Context::PROTO_TLSV1_2;
else if (*it == "tlsv1_3")
disabledProtocols |= Context::PROTO_TLSV1_3;
}
if (server)
_ptrDefaultServerContext->disableProtocols(disabledProtocols);
else
_ptrDefaultClientContext->disableProtocols(disabledProtocols);
bool cacheSessions = config.getBool(prefix + CFG_CACHE_SESSIONS, false);
if (server)
{
@@ -378,7 +386,7 @@ void SSLManager::initPassphraseHandler(bool server)
{
if (server && _ptrServerPassphraseHandler) return;
if (!server && _ptrClientPassphraseHandler) return;
std::string prefix = server ? CFG_SERVER_PREFIX : CFG_CLIENT_PREFIX;
Poco::Util::AbstractConfiguration& config = appConfig();
@@ -399,7 +407,7 @@ void SSLManager::initPassphraseHandler(bool server)
}
else throw Poco::Util::UnknownOptionException(std::string("No passphrase handler known with the name ") + className);
}
void SSLManager::initCertificateHandler(bool server)
{