From 01386c95a8f18d55cefc0ad0f33a1154e095f51a Mon Sep 17 00:00:00 2001
From: Roger Meier
Date: Wed, 19 Feb 2014 23:07:25 +0100
Subject: [PATCH] THRIFT-2258 cpp: Add TLS v1.1/1.2 support to TSSLSocket.cpp

Patch: Chris Stylianou
---
 lib/cpp/src/thrift/transport/TSSLSocket.cpp | 39 ++++++++++++++++++---
 lib/cpp/src/thrift/transport/TSSLSocket.h | 15 ++++++--
 2 files changed, 48 insertions(+), 6 deletions(-)

diff --git a/lib/cpp/src/thrift/transport/TSSLSocket.cpp b/lib/cpp/src/thrift/transport/TSSLSocket.cpp
index ce971d3f..5f91c895 100644
--- a/lib/cpp/src/thrift/transport/TSSLSocket.cpp
+++ b/lib/cpp/src/thrift/transport/TSSLSocket.cpp
@@ -55,14 +55,45 @@ static bool matchName(const char* host, const char* pattern, int size);
 static char uppercase(char c);
 
 // SSLContext implementation
-SSLContext::SSLContext() {
- ctx_ = SSL_CTX_new(TLSv1_method());
+SSLContext::SSLContext(const SSLProtocol& protocol) {
+ if(protocol == SSLProtocol::SSLTLS)
+ {
+ ctx_ = SSL_CTX_new(SSLv23_method());
+ }
+ else if(protocol == SSLProtocol::SSLv3)
+ {
+ ctx_ = SSL_CTX_new(SSLv3_method());
+ }
+ else if(protocol == SSLProtocol::TLSv1_0)
+ {
+ ctx_ = SSL_CTX_new(TLSv1_method());
+ }
+ else if(protocol == SSLProtocol::TLSv1_1)
+ {
+ ctx_ = SSL_CTX_new(TLSv1_1_method());
+ }
+ else if(protocol == SSLProtocol::TLSv1_2)
+ {
+ ctx_ = SSL_CTX_new(TLSv1_2_method());
+ }
+ else
+ {
+ /// UNKNOWN PROTOCOL!
+ throw TSSLException("SSL_CTX_new: Unknown protocol");
+ }
+
 if (ctx_ == NULL) {
 string errors;
 buildErrors(errors);
 throw TSSLException("SSL_CTX_new: " + errors);
 }
 SSL_CTX_set_mode(ctx_, SSL_MODE_AUTO_RETRY);
+
+ // Disable horribly insecure SSLv2!
+ if(protocol == SSLProtocol::SSLTLS)
+ {
+ SSL_CTX_set_options(ctx_, SSL_OP_NO_SSLv2);
+ }
 }
 
 SSLContext::~SSLContext() {
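Review bot: The `SSLTLS` default now creates an `SSLv23_method()` context and, in the new block after `SSL_CTX_set_mode`, clears only `SSL_OP_NO_SSLv2`, so every caller that relied on the old default (`TLSv1_method()`, TLS 1.0 only) silently gains SSLv3 as a negotiable protocol; unless SSLv3 peers are a stated requirement that block should read `SSL_CTX_set_options(ctx_, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` with the `SSLTLS` comment in the header updated to match. The `SSLv3_method()`, `TLSv1_1_method()` and `TLSv1_2_method()` calls are unconditional, yet SSLv3 can be compiled out of OpenSSL (`OPENSSL_NO_SSL3`) and the TLS 1.1/1.2 methods are likely absent from older OpenSSL releases, so those branches probably want preprocessor guards that fall into the existing `throw TSSLException("SSL_CTX_new: Unknown protocol")` path rather than a link error. As a point of style, the `if`/`else if` chain over an enum reads better as a `switch (protocol)` with no `default`, which lets the compiler warn about any enumerator (such as `SSLv2`) that is not handled, and the `///` on `UNKNOWN PROTOCOL!` is a Doxygen marker on a statement where a plain `//` is meant.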
@@ -350,14 +381,14 @@ bool TSSLSocketFactory::initialized = false;
 uint64_t TSSLSocketFactory::count_ = 0;
 Mutex TSSLSocketFactory::mutex_;
 
-TSSLSocketFactory::TSSLSocketFactory(): server_(false) {
+TSSLSocketFactory::TSSLSocketFactory(const SSLProtocol& protocol): server_(false) {
 Guard guard(mutex_);
 if (count_ == 0) {
 initializeOpenSSL();
 randomize();
 }
 count_++;
- ctx_ = boost::shared_ptr(new SSLContext);
+ ctx_ = boost::shared_ptr(new SSLContext(protocol));
 }
 
 TSSLSocketFactory::~TSSLSocketFactory() {
diff --git a/lib/cpp/src/thrift/transport/TSSLSocket.h b/lib/cpp/src/thrift/transport/TSSLSocket.h
index b379d23a..02d5bda5 100644
--- a/lib/cpp/src/thrift/transport/TSSLSocket.h
+++ b/lib/cpp/src/thrift/transport/TSSLSocket.h
@@ -31,6 +31,15 @@ namespace apache { namespace thrift { namespace transport {
 class AccessManager;
 class SSLContext;
 
+enum SSLProtocol {
+ SSLTLS = 0, // Supports SSLv3 and TLSv1.
+ SSLv2 = 1, // Supports SSLv3 only. => HORRIBLY INSECURE!
+ SSLv3 = 2, // Supports SSLv3 only.
+ TLSv1_0 = 3, // Supports TLSv1_0 only.
+ TLSv1_1 = 4, // Supports TLSv1_1 only.
+ TLSv1_2 = 5 // Supports TLSv1_2 only.
+};
+
 /**
 * OpenSSL implementation for SSL socket interface.
 */
@@ -108,8 +117,10 @@ class TSSLSocketFactory {
 public:
 /**
 * Constructor/Destructor
+ *
+ * @param protocol The SSL/TLS protocol to use.
 */
- TSSLSocketFactory();
+ TSSLSocketFactory(const SSLProtocol& protocol = SSLProtocol::SSLTLS);
 virtual ~TSSLSocketFactory();
 /**
 * Create an instance of TSSLSocket with a fresh new socket.
@@ -234,7 +245,7 @@ class TSSLException: public TTransportException {
 */
 class SSLContext {
 public:
- SSLContext();
+ SSLContext(const SSLProtocol& protocol = SSLProtocol::SSLTLS);
 virtual ~SSLContext();
 SSL* createSSL();
 SSL_CTX* get() { return ctx_; }
-- 
2.17.1
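Review bot: `count_++;` on the line before the new `new SSLContext(protocol)` runs ahead of a constructor that can now throw for an unrecognised protocol as well as on `SSL_CTX_new` failure, and when it throws the factory object is never destroyed, so the count stays incremented and whatever teardown `~TSSLSocketFactory` presumably performs for the last instance (its body is outside this hunk) is never reached. Moving `count_++;` to just after the `ctx_ = …` assignment keeps `initializeOpenSSL()` ahead of context creation while only counting a factory that was actually built. The `const SSLProtocol&` parameter is a reference to an enum; `SSLProtocol protocol` by value is the conventional form both here and in the header declarations.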
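Review bot: The comment on `SSLv2 = 1` says "Supports SSLv3 only", which duplicates the `SSLv3` line and misdescribes the value; since the `SSLContext` constructor throws for it, it should read `SSLv2 = 1, // SSLv2 only. Rejected by SSLContext, never negotiated.` Likewise `SSLTLS` is documented as "Supports SSLv3 and TLSv1" but is backed by `SSLv23_method()`, which negotiates whichever of SSLv3 and the TLS versions both peers offer, so `// Negotiates SSLv3 or any TLS version; SSLv2 is disabled.` describes what the code does. Because the enum is unscoped, `SSLTLS`, `SSLv3`, `TLSv1_0` and the rest land directly in the `apache::thrift::transport` namespace, and if the project still builds as C++03 the `SSLProtocol::SSLTLS` qualification used in the other hunks is not portable either, so either use the bare enumerators or, if C++11 is acceptable, make this an `enum class`.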
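Review bot: `TSSLSocketFactory(const SSLProtocol& protocol = SSLProtocol::SSLTLS);` is now callable with a single argument, so an `SSLProtocol` converts implicitly to a `TSSLSocketFactory`; it should be declared `explicit`, and the same applies to `SSLContext(const SSLProtocol& protocol = SSLProtocol::SSLTLS);` in the last hunk of this header. Taking an enum by value rather than `const&` is also the conventional form, giving `explicit TSSLSocketFactory(SSLProtocol protocol = SSLProtocol::SSLTLS);`. The `@param protocol` line added to the doc block would help readers more if it named the default and the fact that an unsupported value throws `TSSLException` from the constructor.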