author | Pavel Moravec <pmoravec@apache.org> | 2016-01-05 12:59:09 +0000 |
---|---|---|
committer | Pavel Moravec <pmoravec@apache.org> | 2016-01-05 12:59:09 +0000 |
commit | f9fb3bf6bc141444924bc949ddf76d73c3df3e49 (patch) | |
tree | 0f9977812f0d81260a08dc890b1e2a496c0273f5 | |
parent | 874382b2456ac58a53ea5154e932955b71885bfa (diff) | |
download | qpid-python-f9fb3bf6bc141444924bc949ddf76d73c3df3e49.tar.gz |
QPID-6966: C++ broker and client to support TLS1.1 and TLS1.2 by default
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1723066 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | qpid/cpp/src/qpid/sys/ssl/util.cpp | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/qpid/cpp/src/qpid/sys/ssl/util.cpp b/qpid/cpp/src/qpid/sys/ssl/util.cpp
index 9f5493cbbf..e527606fde 100644
--- a/qpid/cpp/src/qpid/sys/ssl/util.cpp
+++ b/qpid/cpp/src/qpid/sys/ssl/util.cpp
@@ -110,12 +110,17 @@ void initNSS(const SslOptions& options, bool server)
 // disable SSLv2 and SSLv3 versions of the protocol - they are
 // no longer considered secure
- SSLVersionRange vrange;
+ SSLVersionRange drange, srange; // default and supported ranges
 const uint16_t tlsv1 = 0x0301; // Protocol version for TLSv1.0
- NSS_CHECK(SSL_VersionRangeGetDefault(ssl_variant_stream, &vrange));
- if (vrange.min < tlsv1) {
- vrange.min = tlsv1;
- NSS_CHECK(SSL_VersionRangeSetDefault(ssl_variant_stream, &vrange));
+ NSS_CHECK(SSL_VersionRangeGetDefault(ssl_variant_stream, &drange));
+ NSS_CHECK(SSL_VersionRangeGetSupported(ssl_variant_stream, &srange));
+ if (drange.min < tlsv1) {
+ drange.min = tlsv1;
+ NSS_CHECK(SSL_VersionRangeSetDefault(ssl_variant_stream, &drange));
+ }
+ if (srange.max > drange.max) {
+ drange.max = srange.max;
+ NSS_CHECK(SSL_VersionRangeSetDefault(ssl_variant_stream, &drange));
 }
 } |
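Review bot: The first `SSL_VersionRangeSetDefault` call in the `drange.min < tlsv1` branch runs before `drange.max` has been raised, so if the library's default maximum were ever below TLS 1.0 it would be handed a range with min > max, which NSS is expected to reject, and `NSS_CHECK` would abort initialisation before the second block can correct it. Adjusting both bounds first and applying the range once avoids that and drops the duplicate call: `if (drange.min < tlsv1) drange.min = tlsv1;`, `if (srange.max > drange.max) drange.max = srange.max;`, then a single `NSS_CHECK(SSL_VersionRangeSetDefault(ssl_variant_stream, &drange));`. The comment above the block still only describes disabling SSLv2/SSLv3; it should also say that the default maximum now tracks whatever the linked NSS build supports, e.g. `// raise the default maximum to the highest version this NSS build supports`, and that the floor stays at TLS 1.0 with no option visible in this hunk to raise it. initNSS begins outside the hunk, so any earlier handling of `options` is not visible here.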