Author: kgiusti
Date: Thu Oct 25 18:31:07 2012
New Revision: 1402256
URL: http://svn.apache.org/viewvc?rev=1402256&view=rev
Log:
NO-JIRA: load extra ciphers and force nonanony for older ssl impls
Modified:
qpid/proton/trunk/proton-c/src/ssl/openssl.c
qpid/proton/trunk/tests/proton_tests/ssl.py
Modified: qpid/proton/trunk/proton-c/src/ssl/openssl.c
URL:
http://svn.apache.org/viewvc/qpid/proton/trunk/proton-c/src/ssl/openssl.c?rev=1402256&r1=1402255&r2=1402256&view=diff
==============================================================================
--- qpid/proton/trunk/proton-c/src/ssl/openssl.c (original)
+++ qpid/proton/trunk/proton-c/src/ssl/openssl.c Thu Oct 25 18:31:07 2012
@@ -296,6 +296,14 @@ int pn_ssl_set_credentials( pn_ssl_t *ss
ssl->has_certificate = true;
+ // bug in older versions of OpenSSL: servers may request client cert even if
anonymous
+ // cipher was negotiated. TLSv1 will reject such a request. Hack: once a
cert is
+ // configured, allow only authenticated ciphers.
+ if (!SSL_CTX_set_cipher_list( ssl->ctx, CIPHERS_AUTHENTICATE )) {
+ _log_ssl_error(ssl, "Failed to set cipher list to %s\n",
CIPHERS_AUTHENTICATE);
+ return -6;
+ }
+
_log( ssl, "Configured local certificate file %s\n", certificate_file );
return 0;
}
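Review bot: `ssl->has_certificate = true;` on the line just above the new block is left set when `SSL_CTX_set_cipher_list()` fails and the function returns -6, so the object records a configured certificate even though the caller was told the call failed. Either move the assignment below the cipher-list check or reset it on the failure path: `ssl->has_certificate = false;` before `return -6;`. The cipher string `CIPHERS_AUTHENTICATE` is defined outside this hunk, so whether it still admits weak or export suites cannot be judged here; the comment would also be more useful if it said that the restriction is applied to `ssl->ctx` only and therefore only affects this pn_ssl_t. pn_ssl_set_credentials begins before this hunk.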
@@ -543,6 +551,7 @@ pn_ssl_t *pn_ssl(pn_transport_t *transpo
ssl_initialized = 1;
SSL_library_init();
SSL_load_error_strings();
+ OpenSSL_add_all_algorithms();
}
pn_ssl_t *ssl = calloc(1, sizeof(pn_ssl_t));
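Review bot: The new `OpenSSL_add_all_algorithms()` call carries no explanation, unlike the workaround added in pn_ssl_set_credentials, and the commit log ("load extra ciphers") is the only hint at why it is needed; I would add `// register all ciphers/digests: presumably SSL_library_init() alone does not load every algorithm on older OpenSSL` above it. It is also a process-wide registration inside a one-shot init block guarded by `ssl_initialized`, whose declaration and check lie outside this hunk; if pn_ssl() can be entered from several threads, that plain flag would presumably not prevent a double initialization, which is worth confirming. pn_ssl's body continues on both sides of this hunk.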
Modified: qpid/proton/trunk/tests/proton_tests/ssl.py
URL:
http://svn.apache.org/viewvc/qpid/proton/trunk/tests/proton_tests/ssl.py?rev=1402256&r1=1402255&r2=1402256&view=diff
==============================================================================
--- qpid/proton/trunk/tests/proton_tests/ssl.py (original)
+++ qpid/proton/trunk/tests/proton_tests/ssl.py Thu Oct 25 18:31:07 2012
@@ -183,4 +183,30 @@ class SslTest(common.Test):
server_conn.close()
self._pump()
+ def test_server_only_authentication(self):
+ """ Client verifies server, but server does not verify client.
+ """
+ self.server.set_credentials(self._testpath("server-certificate.pem"),
+ self._testpath("server-private-key.pem"),
+ "server-password")
+ self.server.set_peer_authentication( SSL.ANONYMOUS_PEER )
+
+ self.client.set_credentials(self._testpath("client-certificate.pem"),
+ self._testpath("client-private-key.pem"),
+ "client-password")
+ self.client.set_trusted_ca_db(self._testpath("ca-certificate.pem"))
+ self.client.set_peer_authentication( SSL.VERIFY_PEER )
+
+ client_conn = Connection()
+ self.t_client.bind(client_conn)
+ server_conn = Connection()
+ self.t_server.bind(server_conn)
+ client_conn.open()
+ server_conn.open()
+ self._pump()
+ assert self.client.protocol_name() is not None
+ client_conn.close()
+ server_conn.close()
+ self._pump()
+
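Review bot: The only assertion, `assert self.client.protocol_name() is not None`, shows that the client side finished a handshake; nothing confirms the server side did, nor that the property in the docstring (server does not verify the client) actually held, so the test would also pass if the server requested and received the client certificate. A parallel `assert self.server.protocol_name() is not None` would at least pin the server side, and a companion case in which the client configures no credentials would demonstrate that `SSL.ANONYMOUS_PEER` really skips client verification, which is the scenario the openssl.c change is meant to keep working. The SslTest class starts before this hunk.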