From: jfarrell
Date: Fri, 21 Feb 2014 18:43:43 +0000 (-0500)
Subject: Revert "THRIFT-2258 cpp: Add TLS v1.1/1.2 support to TSSLSocket.cpp"
X-Git-Url: https://source.supwisdom.com/gerrit/gitweb?a=commitdiff_plain;h=db536cf6bb7a561ca83c7f4b8c1c7fd1fed00375;p=common%2Fthrift.git

Revert "THRIFT-2258 cpp: Add TLS v1.1/1.2 support to TSSLSocket.cpp"

This reverts commit 01386c95a8f18d55cefc0ad0f33a1154e095f51a.
---

diff --git a/lib/cpp/src/thrift/transport/TSSLSocket.cpp b/lib/cpp/src/thrift/transport/TSSLSocket.cpp
index 5f91c895..ce971d3f 100644
--- a/lib/cpp/src/thrift/transport/TSSLSocket.cpp
+++ b/lib/cpp/src/thrift/transport/TSSLSocket.cpp
@@ -55,45 +55,14 @@ static bool matchName(const char* host, const char* pattern, int size);
 static char uppercase(char c);
 
 // SSLContext implementation
-SSLContext::SSLContext(const SSLProtocol& protocol) {
- if(protocol == SSLProtocol::SSLTLS)
- {
- ctx_ = SSL_CTX_new(SSLv23_method());
- }
- else if(protocol == SSLProtocol::SSLv3)
- {
- ctx_ = SSL_CTX_new(SSLv3_method());
- }
- else if(protocol == SSLProtocol::TLSv1_0)
- {
- ctx_ = SSL_CTX_new(TLSv1_method());
- }
- else if(protocol == SSLProtocol::TLSv1_1)
- {
- ctx_ = SSL_CTX_new(TLSv1_1_method());
- }
- else if(protocol == SSLProtocol::TLSv1_2)
- {
- ctx_ = SSL_CTX_new(TLSv1_2_method());
- }
- else
- {
- /// UNKNOWN PROTOCOL!
- throw TSSLException("SSL_CTX_new: Unknown protocol");
- }
-
+SSLContext::SSLContext() {
+ ctx_ = SSL_CTX_new(TLSv1_method());
  if (ctx_ == NULL) {
  string errors;
  buildErrors(errors);
  throw TSSLException("SSL_CTX_new: " + errors);
  }
  SSL_CTX_set_mode(ctx_, SSL_MODE_AUTO_RETRY);
-
- // Disable horribly insecure SSLv2!
- if(protocol == SSLProtocol::SSLTLS)
- {
- SSL_CTX_set_options(ctx_, SSL_OP_NO_SSLv2);
- }
 }
 
 SSLContext::~SSLContext() {
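Review bot: The restored constructor pins the context to `TLSv1_method()`, which negotiates TLS 1.0 only, and neither the hunk nor the commit message records that this is intentional or why the protocol selection is being backed out (presumably a build break against OpenSSL releases that lack `TLSv1_1_method`/`TLSv1_2_method`, which only appeared in 1.0.1 — worth stating in the message). A comment on `ctx_ = SSL_CTX_new(TLSv1_method());` such as `// TLS 1.0 only: TLSv1_method() never negotiates SSLv2/SSLv3 or TLS 1.1/1.2` would keep the next reader from assuming the `SSL_OP_NO_SSLv2` block was dropped by accident, since a single-version method makes that guard redundant. The same documentation gap applies to the now-undocumented `SSLContext();` and `TSSLSocketFactory();` declarations in the TSSLSocket.h hunks, whose doc comments could state which protocol version the default context speaks.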
@@ -381,14 +350,14 @@ bool TSSLSocketFactory::initialized = false;
 uint64_t TSSLSocketFactory::count_ = 0;
 Mutex TSSLSocketFactory::mutex_;
 
-TSSLSocketFactory::TSSLSocketFactory(const SSLProtocol& protocol): server_(false) {
+TSSLSocketFactory::TSSLSocketFactory(): server_(false) {
  Guard guard(mutex_);
  if (count_ == 0) {
  initializeOpenSSL();
  randomize();
  }
  count_++;
- ctx_ = boost::shared_ptr(new SSLContext(protocol));
+ ctx_ = boost::shared_ptr(new SSLContext);
 }
 
 TSSLSocketFactory::~TSSLSocketFactory() {
diff --git a/lib/cpp/src/thrift/transport/TSSLSocket.h b/lib/cpp/src/thrift/transport/TSSLSocket.h
index 02d5bda5..b379d23a 100644
--- a/lib/cpp/src/thrift/transport/TSSLSocket.h
+++ b/lib/cpp/src/thrift/transport/TSSLSocket.h
@@ -31,15 +31,6 @@ namespace apache { namespace thrift { namespace transport {
 class AccessManager;
 class SSLContext;
 
-enum SSLProtocol {
- SSLTLS = 0, // Supports SSLv3 and TLSv1.
- SSLv2 = 1, // Supports SSLv3 only. => HORRIBLY INSECURE!
- SSLv3 = 2, // Supports SSLv3 only.
- TLSv1_0 = 3, // Supports TLSv1_0 only.
- TLSv1_1 = 4, // Supports TLSv1_1 only.
- TLSv1_2 = 5 // Supports TLSv1_2 only.
-};
-
 /**
  * OpenSSL implementation for SSL socket interface.
  */
@@ -117,10 +108,8 @@ class TSSLSocketFactory {
  public:
  /**
  * Constructor/Destructor
- *
- * @param protocol The SSL/TLS protocol to use.
  */
- TSSLSocketFactory(const SSLProtocol& protocol = SSLProtocol::SSLTLS);
+ TSSLSocketFactory();
  virtual ~TSSLSocketFactory();
  /**
  * Create an instance of TSSLSocket with a fresh new socket.
@@ -245,7 +234,7 @@ class TSSLException: public TTransportException {
  */
 class SSLContext {
  public:
- SSLContext(const SSLProtocol& protocol = SSLProtocol::SSLTLS);
+ SSLContext();
  virtual ~SSLContext();
  SSL* createSSL();
  SSL_CTX* get() { return ctx_; }