authorKen Giusti <kgiusti@apache.org>2014-10-20 13:07:15 +0000
committerKen Giusti <kgiusti@apache.org>2014-10-20 13:07:15 +0000
commit8482720c7de46e97e73182964c7a0a222f1b6649 (patch)
tree2c50bf31e7261c3ca8360bd1eae43dac6c0c6c5f /qpid/cpp/src
parenta3b00d826e57f830b3f01e3a56f088b0c6bbd1d4 (diff)
QPID-6160: disable SSLv3 in CPP broker and client
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1633146 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/cpp/src')
-rw-r--r--qpid/cpp/src/qpid/sys/ssl/util.cpp10
1 files changed, 10 insertions, 0 deletions
diff --git a/qpid/cpp/src/qpid/sys/ssl/util.cpp b/qpid/cpp/src/qpid/sys/ssl/util.cpp
index de5d638b09..e19f35f3c7 100644
--- a/qpid/cpp/src/qpid/sys/ssl/util.cpp
+++ b/qpid/cpp/src/qpid/sys/ssl/util.cpp
@@ -107,6 +107,16 @@ void initNSS(const SslOptions& options, bool server)
//use defaults for all args, TODO: may want to make this configurable
SSL_ConfigServerSessionIDCache(0, 0, 0, 0);
}
+
+ // disable SSLv2 and SSLv3 versions of the protocol - they are
+ // no longer considered secure
+ SSLVersionRange vrange;
+ const uint16_t tlsv1 = 0x0301; // Protocol version for TLSv1.0
+ NSS_CHECK(SSL_VersionRangeGetDefault(ssl_variant_stream, &vrange));
+ if (vrange.min < tlsv1) {
+ vrange.min = tlsv1;
+ NSS_CHECK(SSL_VersionRangeSetDefault(ssl_variant_stream, &vrange));
+ }
}
void shutdownNSS()
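Review bot: The comment on the added block says SSLv2 is disabled too, but the version-range calls only govern SSL 3.0 and later; NSS still controls SSL 2.0 through the older option API. The start of initNSS lies outside this hunk, so unless it already handles this there, add `NSS_CHECK(SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_FALSE));` next to the range clamp, or narrow the comment to SSLv3. The literal `0x0301` could be replaced by NSS's own `SSL_LIBRARY_VERSION_TLS_1_0` from sslproto.h, so the protocol floor is self-describing. Only `vrange.min` is raised, so if a build's default `vrange.max` were below TLS 1.0, the set call would receive an inverted range; a check on `vrange.max` would make that case explicit.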