authorAlan Antonuk <alan.antonuk@gmail.com>2021-04-07 05:54:33 +0000
committerAlan Antonuk <alan.antonuk@gmail.com>2021-04-06 23:04:57 -0700
commit853734dfe799e70d44a9ce357198d3a3260c1be7 (patch)
tree45ab07a9ce222a20e688fe0353c8ee400ce72d2d /librabbitmq
parent85a51d01fa7712ff42a6fcb432c2821fe9583459 (diff)
downloadrabbitmq-c-853734dfe799e70d44a9ce357198d3a3260c1be7.tar.gz
Add TLSv1.3 support and set min-version to TLSv1.2
Add support for TLSv1.3, and set the default supported versions to be TLSv1.2 and TLSv1.3. TLSv1.0 and TLSv1.1 both have security flaws that make them unsuitable as a default. If these older versions are required, users can explicitly enable them. Signed-off-by: GitHub <noreply@github.com>
Diffstat (limited to 'librabbitmq')
-rw-r--r--librabbitmq/amqp_openssl.c21
1 files changed, 13 insertions, 8 deletions
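diff --git a/librabbitmq/amqp_openssl.c b/librabbitmq/amqp_openssl.c
index 478c1e1..e090f0e 100644
--- a/librabbitmq/amqp_openssl.c
+++ b/librabbitmq/amqp_openssl.c
@@ -359,6 +359,8 @@ amqp_socket_t *amqp_ssl_socket_new(amqp_connection_state_t state) {
 }
 /* Disable SSLv2 and SSLv3 */
 SSL_CTX_set_options(self->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+ amqp_ssl_socket_set_ssl_versions((amqp_socket_t *)self, AMQP_TLSv1_2,
+ AMQP_TLSvLATEST);
 SSL_CTX_set_mode(self->ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
 /* OpenSSL v1.1.1 turns this on by default, which makes the non-blocking
@@ -544,17 +546,15 @@ int amqp_ssl_socket_set_ssl_versions(amqp_socket_t *base,
 {
 long clear_options;
 long set_options = 0;
-#if defined(SSL_OP_NO_TLSv1_2)
+#if defined(SSL_OP_NO_TLSv1_3)
+ amqp_tls_version_t max_supported = AMQP_TLSv1_3;
+ clear_options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 |
+ SSL_OP_NO_TLSv1_3;
+#elif defined(SSL_OP_NO_TLSv1_2)
 amqp_tls_version_t max_supported = AMQP_TLSv1_2;
 clear_options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
-#elif defined(SSL_OP_NO_TLSv1_1)
- amqp_tls_version_t max_supported = AMQP_TLSv1_1;
- clear_options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
-#elif defined(SSL_OP_NO_TLSv1)
- amqp_tls_version_t max_supported = AMQP_TLSv1;
- clear_options = SSL_OP_NO_TLSv1;
 #else
-#error "Need a version of OpenSSL that can support TLSv1 or greater."
+#error "Need a version of OpenSSL that can support TLSv1.2 or greater."
 #endif
 if (AMQP_TLSvLATEST == max) {
@@ -585,6 +585,11 @@ int amqp_ssl_socket_set_ssl_versions(amqp_socket_t *base,
 set_options |= SSL_OP_NO_TLSv1_2;
 }
 #endif
+#ifdef SSL_OP_NO_TLSv1_3
+ if (max < AMQP_TLSv1_3) {
+ set_options |= SSL_OP_NO_TLSv1_3;
+ }
+#endif
 SSL_CTX_clear_options(self->ctx, clear_options);
 SSL_CTX_set_options(self->ctx, set_options);
 }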
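Review bot: The return value of amqp_ssl_socket_set_ssl_versions is discarded at the new call in amqp_ssl_socket_new (first hunk); the function is declared `int` and, following this library's status-code convention, reports failure as a non-OK value, so if it ever fails the socket is handed back with TLS 1.0/1.1 still enabled and the caller has no way to tell that the hardened default was not applied. Given the `#error` ladder in the second hunk, every build that compiles has max_supported of at least AMQP_TLSv1_2, so a failure is unlikely today, but checking keeps the default fail-closed should the version table or enum change later: `if (AMQP_STATUS_OK != amqp_ssl_socket_set_ssl_versions((amqp_socket_t *)self, AMQP_TLSv1_2, AMQP_TLSvLATEST)) { /* take the constructor's existing failure path */ }`. The rest of amqp_ssl_socket_new, including its cleanup path, lies outside the hunk, so the exact branch target has to be chosen there. A short comment on the new call such as `/* Default to TLSv1.2+; TLSv1.0/1.1 must be opted into via amqp_ssl_socket_set_ssl_versions */` would also make the policy visible at the point where it is enforced.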