authorJackLivio <jack@livio.io>2021-03-08 10:13:34 -0500
committerGitHub <noreply@github.com>2021-03-08 10:13:34 -0500
commit620b3ab1b1c2fe38dbd66b9fc29e4d2e7b3a1224 (patch)
tree0e7243040c5de5456a9f6da17169c4c0850470bd
parentfcd0b380339321763fca5ab768a89b0683c94924 (diff)
Update OpenSSL Context Config (#3654)
* Update boost installation to 1.72.0 * Fix boost installation process: properly set boost directories when the library is found, and run the clean step before installation to prevent lingering old versions of boost * Fix websocket implementation * Update Configurations for openssl 1.1.1 * Update src/components/security_manager/src/crypto_manager_impl.cc Co-authored-by: Jacob Keeler <jacob.keeler@livioradio.com> Co-authored-by: jacobkeeler <jacob.keeler@livioradio.com>
-rw-r--r--src/components/security_manager/src/crypto_manager_impl.cc19
-rw-r--r--src/components/security_manager/test/crypto_manager_impl_test.cc7
2 files changed, 25 insertions, 1 deletions
diff --git a/src/components/security_manager/src/crypto_manager_impl.cc b/src/components/security_manager/src/crypto_manager_impl.cc
index 7d3b7869f2..b5dbea0ad3 100644
--- a/src/components/security_manager/src/crypto_manager_impl.cc
+++ b/src/components/security_manager/src/crypto_manager_impl.cc
@@ -171,6 +171,7 @@ bool CryptoManagerImpl::Init() {
#else
SDL_LOG_DEBUG("SSLv3 is used");
method = is_server ? SSLv3_server_method() : SSLv3_client_method();
+ SSL_CTX_set_max_proto_version(context_, SSL3_VERSION);
break;
#endif
case TLSv1:
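Review bot: `SSL_CTX_set_max_proto_version(context_, SSL3_VERSION)` on the added line, and the matching additions in the -179, -191, -203 and -211 hunks, are issued inside the switch that is still choosing `method`, before any `SSL_CTX_new`; that call is not in any hunk, but the `MakeGuard(free_ctx, &context_)` in the -226 hunk sits right after the switch, which suggests the context is created only then, so the ceiling would be applied to a null or stale `context_`. A safer shape is to record the ceiling in a local in each case (`max_proto_version = TLS1_2_VERSION;`) and issue a single `SSL_CTX_set_max_proto_version(context_, max_proto_version);` once the context exists. This hunk also differs from the other four: the call sits only under the `#else` of `#ifdef OPENSSL_NO_SSL3`, not under the branch that selects the generic `TLS_*_method()`, so it is compiled for older OpenSSL releases where the `SSL_CTX_set_max_proto_version` macro does not exist. `CryptoManagerImpl::Init()` starts and ends outside the hunk.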
@@ -179,6 +180,7 @@ bool CryptoManagerImpl::Init() {
method = is_server ? TLSv1_server_method() : TLSv1_client_method();
#else
method = is_server ? TLS_server_method() : TLS_client_method();
+ SSL_CTX_set_max_proto_version(context_, TLS1_VERSION);
#endif
break;
case TLSv1_1:
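Review bot: The generic `TLS_server_method()`/`TLS_client_method()` chosen on the `#else` side is pinned only from above, whereas the `TLSv1_server_method()` it replaces negotiated exactly one version; without a floor the context can now settle on any lower version OpenSSL's defaults still permit, which matters most in the -191 and -203 hunks, where a peer that previously had to speak TLS 1.1 or 1.2 may now negotiate down to TLS 1.0. Pair each ceiling with the same floor, e.g. `SSL_CTX_set_min_proto_version(context_, TLS1_2_VERSION);` beside the `TLS1_2_VERSION` ceiling, so the configured protocol name keeps meaning a single version as before. Whether the configured cipher list already rules out the older versions cannot be told from the hunk. `Init()` continues outside the hunk.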
@@ -191,6 +193,7 @@ bool CryptoManagerImpl::Init() {
method = is_server ? TLSv1_1_server_method() : TLSv1_1_client_method();
#else
method = is_server ? TLS_server_method() : TLS_client_method();
+ SSL_CTX_set_max_proto_version(context_, TLS1_1_VERSION);
#endif
break;
case TLSv1_2:
@@ -203,6 +206,7 @@ bool CryptoManagerImpl::Init() {
method = is_server ? TLSv1_2_server_method() : TLSv1_2_client_method();
#else
method = is_server ? TLS_server_method() : TLS_client_method();
+ SSL_CTX_set_max_proto_version(context_, TLS1_2_VERSION);
#endif
break;
case DTLSv1:
@@ -211,6 +215,7 @@ bool CryptoManagerImpl::Init() {
method = is_server ? DTLSv1_server_method() : DTLSv1_client_method();
#else
method = is_server ? DTLS_server_method() : DTLS_client_method();
+ SSL_CTX_set_max_proto_version(context_, DTLS1_VERSION);
#endif
break;
default:
@@ -226,7 +231,8 @@ bool CryptoManagerImpl::Init() {
utils::ScopeGuard guard = utils::MakeGuard(free_ctx, &context_);
// Disable SSL2 as deprecated
- SSL_CTX_set_options(context_, SSL_OP_NO_SSLv2);
+ // TLS 1.2 is the max supported TLS version for SDL
+ SSL_CTX_set_options(context_, SSL_OP_NO_SSLv2 | SSL_OP_NO_TLSv1_3);
SaveCertificateData(get_settings().certificate_data());
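Review bot: `SSL_OP_NO_TLSv1_3` on the replaced `SSL_CTX_set_options` line is defined only from OpenSSL 1.1.1 on, while the `#else` branches in the earlier hunks that still pair the version-specific `TLSv1_*_method()` selectors with the generic `TLS_*_method()` ones show the file is meant to build against older releases too, where this line will not compile. Guarding the addition, `#ifdef SSL_OP_NO_TLSv1_3` / `SSL_CTX_set_options(context_, SSL_OP_NO_TLSv1_3);` / `#endif`, after the existing `SSL_OP_NO_SSLv2` call keeps those builds working. The new comment would also help more if it said why the option is needed, e.g. `// OpenSSL 1.1.1 enables TLS 1.3 by default; SDL supports TLS 1.2 at most`. `Init()` continues outside the hunk.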
@@ -234,12 +240,23 @@ bool CryptoManagerImpl::Init() {
SDL_LOG_WARN("Empty ciphers list");
} else {
SDL_LOG_DEBUG("Cipher list: " << get_settings().ciphers_list());
+ // If using openssl 1.1.1, this method may always return true
+ // https://github.com/openssl/openssl/issues/7196#issue-359287519
if (!SSL_CTX_set_cipher_list(context_,
get_settings().ciphers_list().c_str())) {
SDL_LOG_ERROR(
"Could not set cipher list: " << get_settings().ciphers_list());
return false;
}
+ auto sk = SSL_CTX_get_ciphers(context_);
+ const char* p;
+ for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
+ const SSL_CIPHER* c = sk_SSL_CIPHER_value(sk, i);
+ p = SSL_CIPHER_get_name(c);
+ if (p == NULL)
+ break;
+ SDL_LOG_DEBUG("Using Cipher: " << p);
+ }
}
if (get_settings().ca_cert_path().empty()) {
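Review bot: The added enumeration loop only logs, so the situation the new comment warns about — `SSL_CTX_set_cipher_list` reporting success on OpenSSL 1.1.1 even when nothing from the configured list matched — still lets `Init()` return true; per the linked issue the stack is never empty because the TLS 1.3 suites are always present, so a useful check would count entries whose name is not one of those suites and fail through the existing `SDL_LOG_ERROR`/`return false` path when that count is zero. Inside the loop the `p == NULL` test is dead, since OpenSSL documents `SSL_CIPHER_get_name` as returning the string "(NONE)" rather than a null pointer for a null cipher, and `p` is declared uninitialized outside the loop; `const char* name = SSL_CIPHER_get_name(c);` inside the loop body reads cleaner. `SSL_CTX_get_ciphers` is itself an OpenSSL 1.1.0-era API, so like the other additions it needs a version guard like the `#if`/`#else` pairs around the method selection above. `Init()` continues outside the hunk.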
diff --git a/src/components/security_manager/test/crypto_manager_impl_test.cc b/src/components/security_manager/test/crypto_manager_impl_test.cc
index d30fa5ef23..85e1ad3129 100644
--- a/src/components/security_manager/test/crypto_manager_impl_test.cc
+++ b/src/components/security_manager/test/crypto_manager_impl_test.cc
@@ -33,6 +33,7 @@
#ifdef __QNXNTO__
#include <openssl/ssl3.h>
#else
+#include <openssl/opensslv.h>
#include <openssl/ssl.h>
#endif //__QNXNTO__
#include <fstream>
@@ -43,6 +44,8 @@
#include "security_manager/crypto_manager_impl.h"
#include "security_manager/mock_security_manager_settings.h"
+#define OPENSSL1_1_VERSION 0x1010000fL
+
using ::testing::NiceMock;
using ::testing::Return;
using ::testing::ReturnRef;
@@ -158,6 +161,9 @@ TEST_F(CryptoManagerTest, WrongInit) {
EXPECT_FALSE(crypto_manager_->Init());
EXPECT_NE(std::string(), crypto_manager_->LastError());
+#if OPENSSL1_1_VERSION >= OPENSSL_VERSION_NUMBER
+ // Legacy test, openssl 1.1.1 changed the error behavior of
+ // SSL_CTX_set_cipher_list
EXPECT_CALL(*mock_security_manager_settings_,
security_manager_protocol_name())
.WillOnce(Return(security_manager::TLSv1_2));
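Review bot: The guard `#if OPENSSL1_1_VERSION >= OPENSSL_VERSION_NUMBER` reads backwards, and its macro, defined as `0x1010000fL` in the -43 hunk, encodes the 1.1.0 release although the comment beneath it talks about 1.1.1, so a reader has to decode both to learn that the block runs for OpenSSL 1.1.0 and older. Writing the intent directly, `#if OPENSSL_VERSION_NUMBER <= 0x1010000fL  // before 1.1.1`, and dropping the local define would make the condition self-explanatory. Because the `#if` silently removes the invalid-cipher expectations on newer OpenSSL, an `#else` branch stating what `Init()` is expected to do with an invalid cipher list on 1.1.1 would keep that path covered; the commit does not say what the expected outcome is there. `WrongInit` continues into the next hunk.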
@@ -167,6 +173,7 @@ TEST_F(CryptoManagerTest, WrongInit) {
.WillRepeatedly(ReturnRef(invalid_cipher));
EXPECT_FALSE(crypto_manager_->Init());
EXPECT_NE(std::string(), crypto_manager_->LastError());
+#endif
}
// #ifndef __QNXNTO__