NetSSL_OpenSSL: better way to specify TLS version for Context

2025-10-22 16:02:29 +02:00 · 2020-01-09 21:25:30 +01:00
parent d4077125cf
commit a2f8f8fbe1
2 changed files with 136 additions and 23 deletions
--- a/NetSSL_OpenSSL/include/Poco/Net/Context.h
+++ b/NetSSL_OpenSSL/include/Poco/Net/Context.h
@@ -46,9 +46,7 @@ class NetSSL_API Context: public Poco::RefCountedObject
 	/// A Note Regarding TLSv1.3 Support:
 	///
 	/// TLSv1.3 support requires at least OpenSSL version 1.1.1.
-	/// In order to enable TLSv1.3 support, specify TLSV1_3_CLIENT_USE
-	/// or TLSV1_3_SERVER_USE and make sure that the TLSv1.3
-	/// cipher suites are enabled:
+	/// Make sure that the TLSv1.3 cipher suites are enabled:
 	///
 	///   - TLS_AES_256_GCM_SHA384
 	///   - TLS_CHACHA20_POLY1305_SHA256
@@ -65,16 +63,18 @@ public:

 	enum Usage
 	{
-		CLIENT_USE, 	    /// Context is used by a client.
-		SERVER_USE,         /// Context is used by a server.
-		TLSV1_CLIENT_USE,   /// Context is used by a client requiring TLSv1.
-		TLSV1_SERVER_USE,   /// Context is used by a server requiring TLSv1.
-		TLSV1_1_CLIENT_USE, /// Context is used by a client requiring TLSv1.1 (OpenSSL 1.0.0 or newer).
-		TLSV1_1_SERVER_USE, /// Context is used by a server requiring TLSv1.1 (OpenSSL 1.0.0 or newer).
-		TLSV1_2_CLIENT_USE, /// Context is used by a client requiring TLSv1.2 (OpenSSL 1.0.1 or newer).
-		TLSV1_2_SERVER_USE, /// Context is used by a server requiring TLSv1.2 (OpenSSL 1.0.1 or newer).
-		TLSV1_3_CLIENT_USE, /// Context is used by a client requiring TLSv1.3 (OpenSSL 1.1.1 or newer).
-		TLSV1_3_SERVER_USE  /// Context is used by a server requiring TLSv1.3 (OpenSSL 1.1.1 or newer).
+		TLS_CLIENT_USE,     /// Context is used by a client for TLSv1 or higher. Use requireMinimumProtocol() or disableProtocols() to disable undesired older versions.
+		TLS_SERVER_USE,     /// Context is used by a client for TLSv1 or higher. Use requireMinimumProtocol() or disableProtocols() to disable undesired older versions.
+		CLIENT_USE, 	    /// DEPRECATED. Context is used by a client.
+		SERVER_USE,         /// DEPRECATED. Context is used by a server.
+		TLSV1_CLIENT_USE,   /// DEPRECATED. Context is used by a client requiring TLSv1.
+		TLSV1_SERVER_USE,   /// DEPRECATED. Context is used by a server requiring TLSv1.
+		TLSV1_1_CLIENT_USE, /// DEPRECATED. Context is used by a client requiring TLSv1.1 (OpenSSL 1.0.0 or newer).
+		TLSV1_1_SERVER_USE, /// DEPRECATED. Context is used by a server requiring TLSv1.1 (OpenSSL 1.0.0 or newer).
+		TLSV1_2_CLIENT_USE, /// DEPRECATED. Context is used by a client requiring TLSv1.2 (OpenSSL 1.0.1 or newer).
+		TLSV1_2_SERVER_USE, /// DEPRECATED. Context is used by a server requiring TLSv1.2 (OpenSSL 1.0.1 or newer).
+		TLSV1_3_CLIENT_USE, /// DEPRECATED. Context is used by a client requiring TLSv1.3 (OpenSSL 1.1.1 or newer).
+		TLSV1_3_SERVER_USE  /// DEPRECATED. Context is used by a server requiring TLSv1.3 (OpenSSL 1.1.1 or newer).
 	};

 	enum VerificationMode
@@ -367,6 +367,12 @@ public:
 		///
 		///   context.disableProtocols(PROTO_SSLV2 | PROTO_SSLV3);

+	void requireMinimumProtocol(Protocols protocol);
+		/// Disables all protocol version lower than the given one.
+		/// To require at least TLS 1.2 or later:
+		///
+		///   context.requireMinimumProtocol(PROTO_TLSV1_2);
+
 	void preferServerCiphers();
 		/// When choosing a cipher, use the server's preferences instead of the client
 		/// preferences. When not called, the SSL server will always follow the clients