author | James E. King, III <jking@apache.org> | 2017-02-20 08:52:11 -0500 |
committer | James E. King, III <jking@apache.org> | 2017-02-20 08:52:11 -0500 |
commit | 06190874c8ba8f3a0c7ae83a59965d56c205e080 (patch) | |
tree | fa2bedf10194cb1ec79b2d9546b4917bc4107e59 /lib/d | |
parent | 239233afb6fd5bd2fb81743e88303c9ac17d7edb (diff) | |
download | thrift-06190874c8ba8f3a0c7ae83a59965d56c205e080.tar.gz |
THRIFT-4084: Add an SSL/TLS negotiation check to crossfeature to verify that SSLv3 is not active and that at least one of TLSv1.0 through 1.2 is accepted.
Client: csharp, d, go, nodejs, perl
This closes #1197
Diffstat (limited to 'lib/d')
-rw-r--r-- | lib/d/src/thrift/transport/ssl.d | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/d/src/thrift/transport/ssl.d b/lib/d/src/thrift/transport/ssl.d
index a78a2edbc..fbcb6eea6 100644
--- a/lib/d/src/thrift/transport/ssl.d
+++ b/lib/d/src/thrift/transport/ssl.d
@@ -249,7 +249,9 @@ class TSSLContext {
     }
     count_++;
-    ctx_ = SSL_CTX_new(TLSv1_method());
+    ctx_ = SSL_CTX_new(SSLv23_method());
+    SSL_CTX_set_options(ctx_, SSL_OP_NO_SSLv2);
+    SSL_CTX_set_options(ctx_, SSL_OP_NO_SSLv3); // THRIFT-3164
     enforce(ctx_, getSSLException("SSL_CTX_new"));
     SSL_CTX_set_mode(ctx_, SSL_MODE_AUTO_RETRY);
   }
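Review bot: The two added `SSL_CTX_set_options(ctx_, ...)` calls run before the existing `enforce(ctx_, getSSLException("SSL_CTX_new"));` null check, so a failed `SSL_CTX_new` would now hand a null context to OpenSSL instead of raising the intended exception; move the enforce line directly after `ctx_ = SSL_CTX_new(SSLv23_method());` so the check precedes any use of `ctx_`. Since `SSL_CTX_set_options` ORs flags into the context, the two calls can also be folded into one, `SSL_CTX_set_options(ctx_, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); // THRIFT-3164`, which keeps the protocol policy in a single readable line. The constructor this hunk edits begins outside the hunk.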