authorJames E. King, III <jking@apache.org>2017-02-20 08:52:11 -0500
committerJames E. King, III <jking@apache.org>2017-02-20 08:52:11 -0500
commit06190874c8ba8f3a0c7ae83a59965d56c205e080 (patch)
treefa2bedf10194cb1ec79b2d9546b4917bc4107e59 /lib/perl
parent239233afb6fd5bd2fb81743e88303c9ac17d7edb (diff)
THRIFT-4084: Add an SSL/TLS negotiation check to crossfeature to verify that SSLv3 is not active and that at least one of TLSv1.0 through 1.2 is accepted.
Client: csharp, d, go, nodejs, perl This closes #1197
Diffstat (limited to 'lib/perl')
-rw-r--r--lib/perl/lib/Thrift/SSLServerSocket.pm6
-rw-r--r--lib/perl/lib/Thrift/SSLSocket.pm6
2 files changed, 8 insertions, 4 deletions
diff --git a/lib/perl/lib/Thrift/SSLServerSocket.pm b/lib/perl/lib/Thrift/SSLServerSocket.pm
index e885ede8b..a8dfa5602 100644
--- a/lib/perl/lib/Thrift/SSLServerSocket.pm
+++ b/lib/perl/lib/Thrift/SSLServerSocket.pm
@@ -60,13 +60,15 @@ sub __listen
Proto => 'tcp',
ReuseAddr => 1};
+ my $verify = IO::Socket::SSL::SSL_VERIFY_PEER | IO::Socket::SSL::SSL_VERIFY_FAIL_IF_NO_PEER_CERT | IO::Socket::SSL::SSL_VERIFY_CLIENT_ONCE;
+
$opts->{SSL_ca_file} = $self->{ca} if defined $self->{ca};
$opts->{SSL_cert_file} = $self->{cert} if defined $self->{cert};
$opts->{SSL_cipher_list} = $self->{ciphers} if defined $self->{ciphers};
$opts->{SSL_key_file} = $self->{key} if defined $self->{key};
$opts->{SSL_use_cert} = (defined $self->{cert}) ? 1 : 0;
- $opts->{SSL_verify_mode} = (defined $self->{ca}) ? IO::Socket::SSL::SSL_VERIFY_PEER : IO::Socket::SSL::SSL_VERIFY_NONE;
- $opts->{SSL_version} = (defined $self->{version}) ? $self->{version} : 'SSLv23:!SSLv2:!SSLv3';
+ $opts->{SSL_verify_mode} = (defined $self->{ca}) ? $verify : IO::Socket::SSL::SSL_VERIFY_NONE;
+ $opts->{SSL_version} = (defined $self->{version}) ? $self->{version} : 'SSLv23:!SSLv3:!SSLv2';
return IO::Socket::SSL->new(%$opts);
}
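Review bot: With `ca` set, the new `$verify` mask on the `SSL_verify_mode` line makes a client certificate mandatory, because SSL_VERIFY_FAIL_IF_NO_PEER_CERT aborts the handshake when none is presented, whereas the replaced SSL_VERIFY_PEER alone only verified a client certificate if one was offered. That is reasonable hardening, but it is a behaviour change for deployments that configured `ca` to verify optional client certificates, and nothing in the hunk records it. I would add above the `my $verify` line: `# A configured CA now makes client certificates mandatory (SSL_VERIFY_FAIL_IF_NO_PEER_CERT); clients that present none are rejected.` Without `ca` the listener still falls back to SSL_VERIFY_NONE, which is unchanged from before. The `__listen` sub starts before this hunk.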
diff --git a/lib/perl/lib/Thrift/SSLSocket.pm b/lib/perl/lib/Thrift/SSLSocket.pm
index 046692e61..99a41071a 100644
--- a/lib/perl/lib/Thrift/SSLSocket.pm
+++ b/lib/perl/lib/Thrift/SSLSocket.pm
@@ -71,13 +71,15 @@ sub __open
Proto => 'tcp',
Timeout => $self->{sendTimeout} / 1000};
+ my $verify = IO::Socket::SSL::SSL_VERIFY_PEER | IO::Socket::SSL::SSL_VERIFY_FAIL_IF_NO_PEER_CERT | IO::Socket::SSL::SSL_VERIFY_CLIENT_ONCE;
+
$opts->{SSL_ca_file} = $self->{ca} if defined $self->{ca};
$opts->{SSL_cert_file} = $self->{cert} if defined $self->{cert};
$opts->{SSL_cipher_list} = $self->{ciphers} if defined $self->{ciphers};
$opts->{SSL_key_file} = $self->{key} if defined $self->{key};
$opts->{SSL_use_cert} = (defined $self->{cert}) ? 1 : 0;
- $opts->{SSL_verify_mode} = (defined $self->{ca}) ? IO::Socket::SSL::SSL_VERIFY_PEER : IO::Socket::SSL::SSL_VERIFY_NONE;
- $opts->{SSL_version} = (defined $self->{version}) ? $self->{version} : 'SSLv23:!SSLv2:!SSLv3';
+ $opts->{SSL_verify_mode} = (defined $self->{ca}) ? $verify : IO::Socket::SSL::SSL_VERIFY_NONE;
+ $opts->{SSL_version} = (defined $self->{version}) ? $self->{version} : 'SSLv23:!SSLv3:!SSLv2';
return IO::Socket::SSL->new(%$opts);
}
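Review bot: On the client side the `SSL_verify_mode` line still falls back to SSL_VERIFY_NONE when no `ca` is given, so a client without a configured CA file accepts any server certificate and the connection is open to interception; the commit hardens the verify mask but leaves this fallback in place. Two of the new flags, SSL_VERIFY_FAIL_IF_NO_PEER_CERT and SSL_VERIFY_CLIENT_ONCE, are server-mode flags that OpenSSL documents as ignored in client mode, so in this file `$verify` appears to behave exactly like SSL_VERIFY_PEER. I would drop the fallback and set `$opts->{SSL_verify_mode} = IO::Socket::SSL::SSL_VERIFY_PEER;` unconditionally, letting IO::Socket::SSL use its default CA store when `SSL_ca_file` is absent, with an explicit opt-out option if unverified connections must remain supported. Whether hostname verification happens depends on the PeerHost handling, which is outside this hunk. The `__open` sub starts before this hunk.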