| author | Clifford Jansen <cliffjansen@apache.org> | 2014-10-28 19:47:41 +0000 |
|---|---|---|
| committer | Clifford Jansen <cliffjansen@apache.org> | 2014-10-28 19:47:41 +0000 |
| commit | ebc6a5ad2f93c33df268b54ea0b57ff3ab037478 (patch) | |
| tree | 52a825deb6a9cf8399de4fd1435816315e8cb5be /qpid/cpp/src | |
| parent | 3e89910f94daefaa565f7b21e4989e44e735b25b (diff) | |
| download | qpid-python-ebc6a5ad2f93c33df268b54ea0b57ff3ab037478.tar.gz | |
QPID-6187: Disable SSL v3 for Windows SChannel
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1634961 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/cpp/src')
| -rw-r--r-- | qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp | 30 |
1 files changed, 29 insertions, 1 deletions
diff --git a/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp b/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp index 079627372b..29f673c156 100644 --- a/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp +++ b/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp @@ -458,7 +458,22 @@ void SslAsynchIO::idle(qpid::sys::AsynchIO&) { } } - /**************************************************/ +/**************************************************/ + +namespace { + +bool unsafeNegotiatedTlsVersion(CtxtHandle &ctxtHandle) { + // See if SChannel ultimately negotiated <= SSL3, perhaps due to + // global registry settings. + SecPkgContext_ConnectionInfo info; + ::QueryContextAttributes(&ctxtHandle, SECPKG_ATTR_CONNECTION_INFO, &info); + // Ascending bit patterns denote newer SSL/TLS protocol versions + return (info.dwProtocol < SP_PROT_TLS1_SERVER) ? true : false; +} + +} // namespace + +/**************************************************/ ClientSslAsynchIO::ClientSslAsynchIO(const std::string& brokerHost, const qpid::sys::Socket& s, @@ -589,6 +604,13 @@ void ClientSslAsynchIO::negotiateStep(BufferBase* buff) { } // Nothing to send back to the server... aio->queueReadBuffer(sendbuff); + + if (status == SEC_E_OK && unsafeNegotiatedTlsVersion(ctxtHandle)) { + // Refuse a connection that negotiates to less than TLS 1.0. + QPID_LOG(notice, "client SSL negotiation to unsafe protocol version."); + status = SEC_E_UNSUPPORTED_FUNCTION; + } + // SEC_I_CONTEXT_EXPIRED means session stop complete; SEC_E_OK can be // either session stop or negotiation done (session up). if (status == SEC_E_OK || status == SEC_I_CONTEXT_EXPIRED) 
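Review bot: In unsafeNegotiatedTlsVersion (first hunk) the SECURITY_STATUS returned by `::QueryContextAttributes` is discarded and `info` is never initialised, so when the query fails the decision is made on an indeterminate `info.dwProtocol` and an SSLv3 session could pass the check — the opposite of the fail-closed behaviour the commit intends. The later hunks call this helper whenever `status == SEC_E_OK`, which the adjacent comment says can also be the session-stop case, so a query against a context that is being torn down seems a plausible way to hit that path. I would initialise the struct and treat any query failure as unsafe: `SecPkgContext_ConnectionInfo info = {};` / `if (::QueryContextAttributes(&ctxtHandle, SECPKG_ATTR_CONNECTION_INFO, &info) != SEC_E_OK) return true;` / `return info.dwProtocol < SP_PROT_TLS1_SERVER;` (the `? true : false` is redundant on a bool expression). Since the same `_SERVER` threshold is applied on the client side too, a one-line comment that the comparison relies on the client flag being the adjacent higher bit — `// SP_PROT_TLS1_SERVER is the lowest TLS bit; client flags are the next bit up, so this covers both roles` — would save the next reader a trip to the header.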
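Review bot: The refusal block added to ClientSslAsynchIO::negotiateStep (second hunk) is repeated verbatim in ServerSslAsynchIO::negotiateStep (third hunk) with only the "client"/"server" word differing, and neither message records which protocol was actually negotiated, so an operator seeing "SSL negotiation to unsafe protocol version" cannot tell SSLv3 from a failed attribute query without a debugger. Consider moving the log into the helper, or having it return the `dwProtocol` value, so the message can carry it, e.g. `QPID_LOG(notice, "SSL negotiation to unsafe protocol version 0x" << std::hex << info.dwProtocol);`. Both negotiateStep bodies start and continue outside their hunks, so I cannot see how the changed `status` is consumed afterwards; it is worth confirming the SEC_E_UNSUPPORTED_FUNCTION path also releases the context and closes the socket rather than leaving the half-negotiated session readable.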
@@ -691,6 +713,12 @@ void ServerSslAsynchIO::negotiateStep(BufferBase* buff) { // Nothing to send back to the server... aio->queueReadBuffer(sendbuff); + if (status == SEC_E_OK && unsafeNegotiatedTlsVersion(ctxtHandle)) { + // Refuse a connection that negotiates to less than TLS 1.0. + QPID_LOG(notice, "server SSL negotiation to unsafe protocol version."); + status = SEC_E_UNSUPPORTED_FUNCTION; + } + // SEC_I_CONTEXT_EXPIRED means session stop complete; SEC_E_OK can be // either session stop or negotiation done (session up). if (status == SEC_E_OK || status == SEC_I_CONTEXT_EXPIRED) { |
