Author: kgiusti
Date: Thu Oct 11 18:44:17 2012
New Revision: 1397231

URL: http://svn.apache.org/viewvc?rev=1397231&view=rev
Log:
PROTON-64: No need to remove anonymous ciphers - SSL will not use them if a 
certificate is given.

Modified:
    qpid/proton/trunk/proton-c/src/ssl/openssl.c

Modified: qpid/proton/trunk/proton-c/src/ssl/openssl.c
URL: 
http://svn.apache.org/viewvc/qpid/proton/trunk/proton-c/src/ssl/openssl.c?rev=1397231&r1=1397230&r2=1397231&view=diff
==============================================================================
--- qpid/proton/trunk/proton-c/src/ssl/openssl.c (original)
+++ qpid/proton/trunk/proton-c/src/ssl/openssl.c Thu Oct 11 18:44:17 2012
@@ -400,22 +400,11 @@ int pn_ssl_set_peer_authentication(pn_ss
 #if (OPENSSL_VERSION_NUMBER < 0x00905100L)
     SSL_CTX_set_verify_depth(ssl->ctx, 1);
 #endif
-
-    // Since we will exchange certificates, we must avoid anonymous ciphers.
-    if (!SSL_CTX_set_cipher_list( ssl->ctx, CIPHERS_AUTHENTICATE )) {
-      _log_ssl_error(ssl, "Failed to set cipher list to %s\n", 
CIPHERS_AUTHENTICATE);
-      return -2;
-    }
     _log( ssl, "Peer authentication mode set to VERIFY-PEER\n");
     break;
 
   case PN_SSL_ANONYMOUS_PEER:   // hippie free love mode... :)
     SSL_CTX_set_verify( ssl->ctx, SSL_VERIFY_NONE, NULL );
-
-    if (!SSL_CTX_set_cipher_list( ssl->ctx, CIPHERS_ANONYMOUS )) {
-      _log_ssl_error(ssl, "Failed to set cipher list to %s\n", 
CIPHERS_ANONYMOUS);
-      return -2;
-    }
     _log( ssl, "Peer authentication mode set to ANONYMOUS-PEER\n");
     break;
 
@@ -524,6 +513,12 @@ int pn_ssl_init(pn_ssl_t *ssl, pn_ssl_mo
   }
 
   // by default, allow anonymous ciphers so certificates are not required 'out 
of the box'
+  if (!SSL_CTX_set_cipher_list( ssl->ctx, CIPHERS_ANONYMOUS )) {
+    _log_ssl_error(ssl, "Failed to set cipher list to %s\n", 
CIPHERS_ANONYMOUS);
+    return -2;
+  }
+
+  // ditto: by default do not authenticate the peer (can be done by SASL).
   if (pn_ssl_set_peer_authentication( ssl, PN_SSL_ANONYMOUS_PEER, NULL )) {
     return -2;
   }


