Clear protocol filters for openssl before initializing. This does not impact applications, as they never have the chance to reinitialize. This was necessary for the tests, as the protocol filters on the SSL context don't get overwritten when calling `SSL_CTX_set_options`.
Review: https://reviews.apache.org/r/35888 Project: http://git-wip-us.apache.org/repos/asf/mesos/repo Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/c8700f98 Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/c8700f98 Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/c8700f98 Branch: refs/heads/master Commit: c8700f981dc0420d873b474f39101d8fedc9e7dd Parents: 0b04fec Author: Joris Van Remoortere <[email protected]> Authored: Thu Jun 25 21:05:41 2015 -0700 Committer: Benjamin Hindman <[email protected]> Committed: Thu Jun 25 21:05:41 2015 -0700 ---------------------------------------------------------------------- 3rdparty/libprocess/src/openssl.cpp | 11 +++++++++++ 1 file changed, 11 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/mesos/blob/c8700f98/3rdparty/libprocess/src/openssl.cpp ---------------------------------------------------------------------- diff --git a/3rdparty/libprocess/src/openssl.cpp b/3rdparty/libprocess/src/openssl.cpp index 40b60bf..3c0fc4b 100644 --- a/3rdparty/libprocess/src/openssl.cpp +++ b/3rdparty/libprocess/src/openssl.cpp @@ -434,6 +434,17 @@ void initialize() EXIT(EXIT_FAILURE) << "Could not set ciphers: " << ssl_flags->ciphers; } + // Clear all the protocol options. They will be reset if needed + // below. We do this because 'SSL_CTX_set_options' only augments, it + // does not do an overwrite. + SSL_CTX_clear_options( + ctx, + SSL_OP_NO_SSLv2 | + SSL_OP_NO_SSLv3 | + SSL_OP_NO_TLSv1 | + SSL_OP_NO_TLSv1_1 | + SSL_OP_NO_TLSv1_2); + // Use server preference for cipher. long ssl_options = SSL_OP_CIPHER_SERVER_PREFERENCE; // Disable SSLv2.
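Review bot: The SSL_CTX_clear_options call added to initialize() drops SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 together with the TLS flags, so the context allows every protocol version until the code below sets the disables again, and nothing in this hunk guarantees that it does. Consider building the complete ssl_options mask first and placing the clear directly next to the single SSL_CTX_set_options call, so there is no path (early return, future edit) that leaves the context with the legacy protocols enabled. The return value of SSL_CTX_clear_options, which is the resulting option bitmask, is discarded; checking it or the result of SSL_CTX_get_options after the final set would let the tests assert that the intended protocol filters are in effect. The comment's "They will be reset if needed below" is ambiguous between "set again" and "cleared"; wording such as "re-applied below according to the flags" would be clearer.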
