martinzink commented on code in PR #1595:
URL: https://github.com/apache/nifi-minifi-cpp/pull/1595#discussion_r1280692000


##########
libminifi/src/utils/net/AsioSocketUtils.cpp:
##########
@@ -30,9 +30,9 @@ asio::awaitable<std::tuple<std::error_code>> 
handshake(SslSocket& socket, asio::
   co_return co_await 
asyncOperationWithTimeout(socket.async_handshake(HandshakeType::client, 
use_nothrow_awaitable), timeout_duration);  // NOLINT
 }
 
-asio::ssl::context getSslContext(const controllers::SSLContextService& 
ssl_context_service) {
-  asio::ssl::context ssl_context(asio::ssl::context::tls_client);
-  ssl_context.set_options(asio::ssl::context::no_tlsv1 | 
asio::ssl::context::no_tlsv1_1);
+asio::ssl::context getSslContext(const controllers::SSLContextService& 
ssl_context_service, asio::ssl::context::method ssl_context_method) {
+  asio::ssl::context ssl_context(ssl_context_method);
+  ssl_context.set_options(asio::ssl::context::default_workarounds | 
asio::ssl::context::single_dh_use | asio::ssl::context::no_tlsv1 | 
asio::ssl::context::no_tlsv1_1);
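Review bot: with the context method now supplied by the caller, the minimum TLS version is decided in two places at once (the `ssl_context_method` argument and the `no_tlsv1 | no_tlsv1_1` options), and the hunk does not say which methods callers are expected to pass; a version-specific method such as `tlsv12_client` makes the two `no_tlsv1*` flags redundant, while a generic `tls_client` method relies on them alone for the version floor. Suggest a comment on `getSslContext` stating the supported methods and that the floor is enforced through the options, plus a short note on why `default_workarounds` (OpenSSL's legacy bug-compatibility workarounds) is wanted alongside `single_dh_use`.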

Review Comment:
   If we don't care about the tls_v13 support just yet, we could keep the explicit tlsv12 in the ctor and even remove the asio::ssl::context::no_tlsv1 | asio::ssl::context::no_tlsv1_1 part from the options.
   I wouldn't mind something similar to the [Test ListenTCP SSL/TLS compatibility](https://github.com/apache/nifi-minifi-cpp/blob/main/extensions/standard-processors/tests/unit/ListenTcpTests.cpp#L240) that checks this function as well.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.