author | James E. King, III <jking@apache.org> | 2017-02-20 08:52:11 -0500 |
committer | James E. King, III <jking@apache.org> | 2017-02-20 08:52:11 -0500 |
commit | 06190874c8ba8f3a0c7ae83a59965d56c205e080 (patch) | |
tree | fa2bedf10194cb1ec79b2d9546b4917bc4107e59 /lib/perl | |
parent | 239233afb6fd5bd2fb81743e88303c9ac17d7edb (diff) | |
THRIFT-4084: Add a SSL/TLS negotiation check to crossfeature to verify SSLv3 is not active and that at least one of TLSv1.0 through 1.2 are accepted.
Client: csharp, d, go, nodejs, perl
This closes #1197
Diffstat (limited to 'lib/perl')
-rw-r--r-- | lib/perl/lib/Thrift/SSLServerSocket.pm | 6 | ||||
-rw-r--r-- | lib/perl/lib/Thrift/SSLSocket.pm | 6 |
2 files changed, 8 insertions, 4 deletions
diff --git a/lib/perl/lib/Thrift/SSLServerSocket.pm b/lib/perl/lib/Thrift/SSLServerSocket.pm
index e885ede8b..a8dfa5602 100644
--- a/lib/perl/lib/Thrift/SSLServerSocket.pm
+++ b/lib/perl/lib/Thrift/SSLServerSocket.pm
@@ -60,13 +60,15 @@ sub __listen
               Proto => 'tcp',
               ReuseAddr => 1};
 
+  my $verify = IO::Socket::SSL::SSL_VERIFY_PEER | IO::Socket::SSL::SSL_VERIFY_FAIL_IF_NO_PEER_CERT | IO::Socket::SSL::SSL_VERIFY_CLIENT_ONCE;
+
   $opts->{SSL_ca_file} = $self->{ca} if defined $self->{ca};
   $opts->{SSL_cert_file} = $self->{cert} if defined $self->{cert};
   $opts->{SSL_cipher_list} = $self->{ciphers} if defined $self->{ciphers};
   $opts->{SSL_key_file} = $self->{key} if defined $self->{key};
   $opts->{SSL_use_cert} = (defined $self->{cert}) ? 1 : 0;
-  $opts->{SSL_verify_mode} = (defined $self->{ca}) ? IO::Socket::SSL::SSL_VERIFY_PEER : IO::Socket::SSL::SSL_VERIFY_NONE;
-  $opts->{SSL_version} = (defined $self->{version}) ? $self->{version} : 'SSLv23:!SSLv2:!SSLv3';
+  $opts->{SSL_verify_mode} = (defined $self->{ca}) ? $verify : IO::Socket::SSL::SSL_VERIFY_NONE;
+  $opts->{SSL_version} = (defined $self->{version}) ? $self->{version} : 'SSLv23:!SSLv3:!SSLv2';
 
   return IO::Socket::SSL->new(%$opts);
 }
diff --git a/lib/perl/lib/Thrift/SSLSocket.pm b/lib/perl/lib/Thrift/SSLSocket.pm
index 046692e61..99a41071a 100644
--- a/lib/perl/lib/Thrift/SSLSocket.pm
+++ b/lib/perl/lib/Thrift/SSLSocket.pm
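Review bot: The new `$verify` mask in __listen silently turns a configured `ca` into mandatory client authentication: SSL_VERIFY_FAIL_IF_NO_PEER_CERT aborts the handshake for any client that presents no certificate, whereas the replaced line (SSL_VERIFY_PEER alone) only checked a certificate if one was offered. That is a sensible hardening for a server, but the commit message does not mention it, and deployments that set `ca` merely to validate optional client certificates will start rejecting clients; a comment on the `my $verify` line such as `# With a CA configured, connecting clients MUST present a certificate that chains to it (mutual TLS)` would make the intent explicit. The same mask is copied into the SSLSocket.pm hunk (__open), where SSL_VERIFY_FAIL_IF_NO_PEER_CERT and SSL_VERIFY_CLIENT_ONCE are server-mode flags that OpenSSL ignores on the client side, so only SSL_VERIFY_PEER takes effect there; reducing that copy to `my $verify = IO::Socket::SSL::SSL_VERIFY_PEER;` would stop the two files from implying symmetric behaviour. The body of __listen begins before this hunk.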
@@ -71,13 +71,15 @@ sub __open
               Proto => 'tcp',
               Timeout => $self->{sendTimeout} / 1000};
 
+  my $verify = IO::Socket::SSL::SSL_VERIFY_PEER | IO::Socket::SSL::SSL_VERIFY_FAIL_IF_NO_PEER_CERT | IO::Socket::SSL::SSL_VERIFY_CLIENT_ONCE;
+
   $opts->{SSL_ca_file} = $self->{ca} if defined $self->{ca};
   $opts->{SSL_cert_file} = $self->{cert} if defined $self->{cert};
   $opts->{SSL_cipher_list} = $self->{ciphers} if defined $self->{ciphers};
   $opts->{SSL_key_file} = $self->{key} if defined $self->{key};
   $opts->{SSL_use_cert} = (defined $self->{cert}) ? 1 : 0;
-  $opts->{SSL_verify_mode} = (defined $self->{ca}) ? IO::Socket::SSL::SSL_VERIFY_PEER : IO::Socket::SSL::SSL_VERIFY_NONE;
-  $opts->{SSL_version} = (defined $self->{version}) ? $self->{version} : 'SSLv23:!SSLv2:!SSLv3';
+  $opts->{SSL_verify_mode} = (defined $self->{ca}) ? $verify : IO::Socket::SSL::SSL_VERIFY_NONE;
+  $opts->{SSL_version} = (defined $self->{version}) ? $self->{version} : 'SSLv23:!SSLv3:!SSLv2';
 
   return IO::Socket::SSL->new(%$opts);
 }
|
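Review bot: The retained `SSL_VERIFY_NONE` fallback on the new `$opts->{SSL_verify_mode}` line means a client constructed without `ca` performs no server-certificate validation at all, so the protocol-version hardening this commit adds still leaves such a connection open to an interposed server. Unless an unverified client is deliberate, the safer shape is to set the mode only when a CA is given, `$opts->{SSL_verify_mode} = $verify if defined $self->{ca};`, and otherwise leave it unset so IO::Socket::SSL applies its own client default (peer verification against the system CA store in versions that verify by default — worth confirming against the minimum version the library supports). If the opt-out is intentional, a comment on that line stating that omitting `ca` disables server verification would keep the next reader from assuming the default is safe. The body of __open begins before this hunk.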