Repository: qpid-proton Updated Branches: refs/heads/master 5105b6418 -> b03f8aad1
PROTON-1582: Allow applications to set the permitted SSL ciphers
Project: http://git-wip-us.apache.org/repos/asf/qpid-proton/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-proton/commit/b03f8aad
Tree: http://git-wip-us.apache.org/repos/asf/qpid-proton/tree/b03f8aad
Diff: http://git-wip-us.apache.org/repos/asf/qpid-proton/diff/b03f8aad
Branch: refs/heads/master
Commit: b03f8aad13034f6aa3f81bbc11ac57ca5b55756f
Parents: 5105b64
Author: Andrew Stitcher <[email protected]>
Authored: Thu Sep 28 16:26:57 2017 -0400
Committer: Andrew Stitcher <[email protected]>
Committed: Fri Sep 29 08:23:39 2017 -0400
----------------------------------------------------------------------
proton-c/include/proton/ssl.h | 12 ++++++++++++
proton-c/src/ssl/openssl.c | 16 +++++++++++++++-
proton-c/src/ssl/schannel.c | 5 +++++
proton-c/src/ssl/ssl_stub.c | 5 +++++
4 files changed, 37 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/b03f8aad/proton-c/include/proton/ssl.h
----------------------------------------------------------------------
diff --git a/proton-c/include/proton/ssl.h b/proton-c/include/proton/ssl.h
index 4e5ae77..2d6322f 100644
--- a/proton-c/include/proton/ssl.h
+++ b/proton-c/include/proton/ssl.h
@@ -227,6 +227,18 @@ PN_EXTERN int pn_ssl_domain_set_peer_authentication(pn_ssl_domain_t *domain,
 const char *trusted_CAs);
 /**
+ * Configure the list of permitted ciphers
+ *
+ * @note The syntax of the permitted list is undefined and will depend on the
+ * underlying SSL implementation.
+ *
+ * @param[in] domain the ssl domain to configure.
+ * @param[in] ciphers string representing the cipher list
+ * @return 0 on success
+ */
+PN_EXTERN int pn_ssl_domain_set_ciphers(pn_ssl_domain_t *domain, const char *ciphers);
+
+/**
 * Permit a server to accept connection requests from non-SSL clients.
 *
 * This configures the server to "sniff" the incoming client data stream, and dynamically
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/b03f8aad/proton-c/src/ssl/openssl.c
----------------------------------------------------------------------
diff --git a/proton-c/src/ssl/openssl.c b/proton-c/src/ssl/openssl.c
index 3a4e1a3..669f975 100644
--- a/proton-c/src/ssl/openssl.c
+++ b/proton-c/src/ssl/openssl.c
@@ -71,6 +71,8 @@ struct pn_ssl_domain_t {
 // settings used for all connections
 char *trusted_CAs;
+ char *ciphers;
+
 int ref_count;
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
 int default_seclevel;
@@ -561,6 +563,7 @@ void pn_ssl_domain_free( pn_ssl_domain_t *domain )
 if (domain->ctx) SSL_CTX_free(domain->ctx);
 if (domain->keyfile_pw) free(domain->keyfile_pw);
 if (domain->trusted_CAs) free(domain->trusted_CAs);
+ if (domain->ciphers) free(domain->ciphers);
 free(domain);
 }
 }
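Review bot: The new doc comment's `@return 0 on success` leaves the failure cases undocumented, while the openssl.c hunk returns -6 when SSL_CTX_set_cipher_list rejects the string and the schannel.c and ssl_stub.c backends return -1 unconditionally; suggest `@return 0 on success, non-zero if the list was rejected or the backend does not support cipher selection`. The @note should also say that, in the OpenSSL backend, a list set here replaces the authenticated-only cipher list that pn_ssl_domain_set_credentials would otherwise install (the `!domain->ciphers` guard in the openssl.c hunk skips it), so an application that relies on peer authentication must keep anonymous suites out of its own list. The declaration itself is complete within the hunk.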
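Review bot: The new `ciphers` member is tested with `!domain->ciphers` in pn_ssl_domain_set_credentials and passed to free() in pn_ssl_domain_free, but the commit does not touch the constructor, so unless pn_ssl_domain() zero-fills the struct (calloc, or an explicit `domain->ciphers = NULL;`) the field is read uninitialised on every domain that never calls pn_ssl_domain_set_ciphers — please confirm against the constructor, which is outside this diff. A one-line comment next to the field, `// application-supplied cipher list, NULL = backend default`, would record the ownership (heap string freed in pn_ssl_domain_free). The struct definition starts and ends outside the hunk.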
@@ -600,7 +603,7 @@ int pn_ssl_domain_set_credentials( pn_ssl_domain_t *domain,
 // bug in older versions of OpenSSL: servers may request client cert even if anonymous
 // cipher was negotiated. TLSv1 will reject such a request. Hack: once a cert is
 // configured, allow only authenticated ciphers.
- if (!SSL_CTX_set_cipher_list( domain->ctx, CIPHERS_AUTHENTICATE )) {
+ if (!domain->ciphers && !SSL_CTX_set_cipher_list( domain->ctx, CIPHERS_AUTHENTICATE )) {
 ssl_log_error("Failed to set cipher list to %s", CIPHERS_AUTHENTICATE);
 return -6;
 }
@@ -608,6 +611,17 @@ int pn_ssl_domain_set_credentials( pn_ssl_domain_t *domain,
 return 0;
 }
+int pn_ssl_domain_set_ciphers(pn_ssl_domain_t *domain, const char *ciphers)
+{
+ if (!SSL_CTX_set_cipher_list(domain->ctx, ciphers)) {
+ ssl_log_error("Failed to set cipher list to %s", ciphers);
+ return -6;
+ }
+ if (domain->ciphers) free(domain->ciphers);
+ domain->ciphers = pn_strdup(ciphers);
+ return 0;
+}
+
 int pn_ssl_domain_set_trusted_ca_db(pn_ssl_domain_t *domain,
 const char *certificate_db)
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/b03f8aad/proton-c/src/ssl/schannel.c
----------------------------------------------------------------------
diff --git a/proton-c/src/ssl/schannel.c b/proton-c/src/ssl/schannel.c
index 5dae80c..763cae5 100644
--- a/proton-c/src/ssl/schannel.c
+++ b/proton-c/src/ssl/schannel.c
@@ -573,6 +573,11 @@ int pn_ssl_domain_set_peer_authentication(pn_ssl_domain_t *domain,
 return 0;
 }
+int pn_ssl_domain_set_ciphers(pn_ssl_domain_t *domain, const char *ciphers)
+{
+ return -1;
+}
+
 const pn_io_layer_t ssl_layer = {
 process_input_ssl,
 process_output_ssl,
http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/b03f8aad/proton-c/src/ssl/ssl_stub.c
----------------------------------------------------------------------
diff --git a/proton-c/src/ssl/ssl_stub.c b/proton-c/src/ssl/ssl_stub.c
index 2d58a5c..8607b88 100644
--- a/proton-c/src/ssl/ssl_stub.c
+++ b/proton-c/src/ssl/ssl_stub.c
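Review bot: The comment directly above the changed line still says "once a cert is configured, allow only authenticated ciphers", but with the new `!domain->ciphers &&` guard that restriction is skipped whenever the application has supplied its own list, and nothing in the code says so. Suggest ending the comment with `// configured, allow only authenticated ciphers — unless the application set its own list via pn_ssl_domain_set_ciphers, which is then used as given.` so the next reader knows the application list is trusted verbatim. pn_ssl_domain_set_credentials begins and ends outside the hunk.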
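Review bot: pn_ssl_domain_set_ciphers dereferences `domain` and hands `ciphers` to SSL_CTX_set_cipher_list and pn_strdup without a NULL check, and the pn_strdup result is not checked, so on allocation failure the SSL_CTX already holds the new list while `domain->ciphers` stays NULL, and a later pn_ssl_domain_set_credentials would then reinstall CIPHERS_AUTHENTICATE over it because its `!domain->ciphers` guard passes. Suggest `if (!domain || !ciphers) return -1;` at the top, and taking the copy before touching the context — `char *copy = pn_strdup(ciphers); if (!copy) return -1;` — then freeing the copy on the SSL_CTX_set_cipher_list failure path, so the stored string and the context never disagree. The `-6` is the same code set_credentials uses for its cipher-list failure; a short comment saying so, or a distinct value, would make the return documented in ssl.h meaningful to callers. The function is complete within the hunk.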
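Review bot: The schannel.c stub returns -1 unconditionally with no comment, so a caller cannot tell "this backend does not support cipher selection" from "the list was rejected", and the unused `domain`/`ciphers` parameters will warn under -Wunused-parameter. Suggest a one-line comment inside the body, `/* cipher selection is not supported by the SChannel backend; the platform defaults apply */`, and `(void)domain; (void)ciphers;` to silence the warning; the ssl_stub.c hunk has the same shape and needs the same note. Both functions are complete within their hunks.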
@@ -120,6 +120,11 @@ int pn_ssl_domain_allow_unsecured_client(pn_ssl_domain_t *domain)
 return -1;
 }
+int pn_ssl_domain_set_ciphers(pn_ssl_domain_t *domain, const char *ciphers)
+{
+ return -1;
+}
+
 bool pn_ssl_allow_unsecured(pn_ssl_t *ssl)
 {
 return true;
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
