authorPhil Mesnier <mesnier_p@ociweb.com>2015-03-06 12:14:42 -0600
committerPhil Mesnier <mesnier_p@ociweb.com>2015-03-06 12:14:42 -0600
commit497c711fc1cb8380bd3ca71584067eb6d41ea554 (patch)
treeaf8c9bcf45e6ca19d9657d103b30d0774183e9f1
parentd9d80deb1788bce9fe58b3b030baf804d9b32f50 (diff)
downloadATCD-497c711fc1cb8380bd3ca71584067eb6d41ea554.tar.gz
Restore support for building SSL modules on macosx
Add the ability to limit the specific SSL/TLS protocol versions supported by OpenSSL, to avoid vulnerabilities such as the POODLE attack
-rw-r--r--ACE/ace/SSL/SSL_Context.cpp40
-rw-r--r--ACE/ace/SSL/SSL_Context.h3
-rw-r--r--ACE/include/makeinclude/platform_macosx_lion.GNU2
3 files changed, 43 insertions, 2 deletions
diff --git a/ACE/ace/SSL/SSL_Context.cpp b/ACE/ace/SSL/SSL_Context.cpp
index be788cf7f3d..3a2cfc8c124 100644
--- a/ACE/ace/SSL/SSL_Context.cpp
+++ b/ACE/ace/SSL/SSL_Context.cpp
@@ -318,6 +318,46 @@ ACE_SSL_Context::set_mode (int mode)
}
int
+ACE_SSL_Context::filter_versions (const char* versionlist)
+{
+ this->check_context ();
+
+ ACE_CString ssl_versions = versionlist;
+
+#if defined (SSL_OP_NO_SSLv2)
+ if (ssl_versions.find("SSLv2") == ACE_CString::npos)
+ {
+ ::SSL_CTX_set_options(this->context_, SSL_OP_NO_SSLv2);
+ }
+#endif /* SSL_OP_NO_SSLv2 */
+#if defined (SSL_OP_NO_SSLv3)
+ if (ssl_versions.find("SSLv3") == ACE_CString::npos)
+ {
+ ::SSL_CTX_set_options(this->context_, SSL_OP_NO_SSLv3);
+ }
+#endif /* SSL_OP_NO_SSLv3 */
+#if defined (SSL_OP_NO_TLSv1)
+ if (ssl_versions.find("TLSv1") == ACE_CString::npos)
+ {
+ ::SSL_CTX_set_options(this->context_, SSL_OP_NO_TLSv1);
+ }
+#endif /* SSL_OP_NO_TLSv1 */
+#if defined (SSL_OP_NO_TLSv1_1)
+ if (ssl_versions.find("TLSv1.1") == ACE_CString::npos)
+ {
+ ::SSL_CTX_set_options(this->context_, SSL_OP_NO_TLSv1_1);
+ }
+#endif /* SSL_OP_NO_TLSv1_1 */
+#if defined (SSL_OP_NO_TLSv1_2)
+ if (ssl_versions.find("TLSv1.2") == ACE_CString::npos)
+ {
+ ::SSL_CTX_set_options(this->context_, SSL_OP_NO_TLSv1_2);
+ }
+#endif /* SSL_OP_NO_TLSv1_2 */
+ return 0;
+}
+
+int
ACE_SSL_Context::load_trusted_ca (const char* ca_file,
const char* ca_dir,
bool use_env_defaults)
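Review bot: The substring test on L44, `ssl_versions.find("TLSv1") == ACE_CString::npos`, also matches "TLSv1.1" and "TLSv1.2", so a filter of "TLSv1.2" leaves TLS 1.0 enabled and the function cannot express "TLS 1.2 only", which is exactly the kind of restriction this commit is meant to support. The same prefix problem will hit any future name that extends an existing one. I would replace the five `find` calls with a whole-token match that treats '.' as part of the name, as sketched below, and document the accepted names and the fact that an empty (or, as far as I can tell from ACE_CString, null) list disables every version. The always-0 return is fine, but callers should know there is no error path to check.
```cpp
namespace
{
  // True when @a name occurs in @a list as a whole token: "TLSv1" must
  // not match inside "TLSv1.1" or "TLSv1.2".
  bool has_version (const ACE_CString &list, const char *name)
  {
    ACE_CString::size_type const len = ACE_OS::strlen (name);
    for (ACE_CString::size_type pos = list.find (name);
         pos != ACE_CString::npos;
         pos = list.find (name, pos + 1))
      {
        bool const starts = pos == 0 || !ACE_OS::ace_isalnum (list[pos - 1]);
        ACE_CString::size_type const end = pos + len;
        bool const ends = end == list.length ()
          || (list[end] != '.' && !ACE_OS::ace_isalnum (list[end]));
        if (starts && ends)
          return true;
      }
    return false;
  }
}

// ... unchanged: check_context (), ssl_versions construction ...
#if defined (SSL_OP_NO_TLSv1)
  if (!has_version (ssl_versions, "TLSv1"))
    {
      ::SSL_CTX_set_options (this->context_, SSL_OP_NO_TLSv1);
    }
#endif /* SSL_OP_NO_TLSv1 */
// ... same substitution for the SSLv2, SSLv3, TLSv1.1 and TLSv1.2 branches ...
```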
diff --git a/ACE/ace/SSL/SSL_Context.h b/ACE/ace/SSL/SSL_Context.h
index eab491d322d..85648042421 100644
--- a/ACE/ace/SSL/SSL_Context.h
+++ b/ACE/ace/SSL/SSL_Context.h
@@ -180,6 +180,9 @@ public:
/// Load certificate from memory rather than a file.
int certificate (X509* cert);
+ /// Parse the string and filter crypto versions accordingly
+ int filter_versions (const char *filter);
+
/**
* Load the location of the trusted certification authority
* certificates. Note that CA certificates are stored in PEM format
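Review bot: The declaration at L76 documents neither the format of `filter` nor which names it understands, and the parameter is called `filter` here but `versionlist` in the definition, so a caller cannot tell whether to write "TLSv1.2" or "TLSv1_2" or how entries are separated. I would expand the comment to `/// Disable every SSL/TLS protocol version whose name does not appear in @a filter. Recognised names are SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2; names the linked OpenSSL does not define are left untouched. An empty list disables all of them. Always returns 0.` and rename the parameter to match the definition. Note that the current implementation matches by substring, so the comment should not promise exact-token matching until that is changed.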
diff --git a/ACE/include/makeinclude/platform_macosx_lion.GNU b/ACE/include/makeinclude/platform_macosx_lion.GNU
index b7e4300e700..bca8cc9b997 100644
--- a/ACE/include/makeinclude/platform_macosx_lion.GNU
+++ b/ACE/include/makeinclude/platform_macosx_lion.GNU
@@ -1,6 +1,4 @@
-ssl=0
-
INSLIB?=$(ACE_ROOT)/lib
ifeq ($(buildbits),32)