Implemented OpenSSL 1.1.0 TLS methods and deprecated SSLv23 ones. #2231

wants to merge 5 commits into
base: master
25 changes: 25 additions & 0 deletions ACE/ace/SSL/SSL_Context.cpp
Expand Up @@ -261,6 +261,26 @@ ACE_SSL_Context::set_mode (int mode)
SSL_METHOD *method = 0;
#endif

#if OPENSSL_VERSION_NUMBER >= 0x10100000L
switch (mode)
{
case ACE_SSL_Context::SSLv23_client:
case ACE_SSL_Context::TLS_client:
method = ::TLS_client_method ();
break;
case ACE_SSL_Context::SSLv23_server:
case ACE_SSL_Context::TLS_server:
method = ::TLS_server_method ();
break;
case ACE_SSL_Context::SSLv23:
case ACE_SSL_Context::TLS:
method = ::TLS_method ();
break;
default:
method = ::TLS_method ();
break;
}
#else
switch (mode)
{
case ACE_SSL_Context::SSLv23_client:
Expand All @@ -276,6 +296,7 @@ ACE_SSL_Context::set_mode (int mode)
method = ::SSLv23_method ();
break;
}
#endif

this->context_ = ::SSL_CTX_new (method);
if (this->context_ == 0)
Expand Down Expand Up @@ -479,7 +500,11 @@ ACE_SSL_Context::load_trusted_ca (const char* ca_file,

// For TLS/SSL servers scan all certificates in ca_file and ca_dir and
// list them as acceptable CAs when requesting a client certificate.
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
if (mode_ == TLS || mode_ == TLS_server || mode_ == SSLv23 || mode_ == SSLv23_server)
#else
if (mode_ == SSLv23 || mode_ == SSLv23_server)
#endif
{
// Note: The STACK_OF(X509_NAME) pointer is a copy of the pointer in
// the CTX; any changes to it by way of these function calls will
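Review bot: The new `case ACE_SSL_Context::SSLv23_client:` / `SSLv23_server:` / `SSLv23:` labels in the first hunk, and the `mode_ == SSLv23 || mode_ == SSLv23_server` comparison in the third, use the very enumerators this PR marks `[[deprecated]]` in SSL_Context.h, so building ACE itself against OpenSSL 1.1.0 or later will emit -Wdeprecated-declarations warnings from this file (that warning is on by default in GCC and Clang). If the header instead defines the old names as equal to the new ones (`SSLv23_client = TLS_client` and so on), the old labels here must be dropped — a duplicate case value is a compile error — and the third hunk reduces to `if (mode_ == TLS || mode_ == TLS_server)`, which handles both spellings. The `default:` arm maps INVALID_METHOD and any unknown value to `TLS_method ()`; that appears to mirror the pre-1.1.0 switch, but a one-line comment saying so would save the next reader a look at the `#else` branch. It is also worth a comment at the `TLS_method ()` calls that, exactly like `SSLv23_method ()`, it negotiates any protocol version OpenSSL was built with, so a version floor still has to be applied to the resulting SSL_CTX (e.g. `SSL_CTX_set_min_proto_version`, available since 1.1.0) by whoever wants older TLS excluded. The body of set_mode continues outside both hunks.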
23 changes: 18 additions & 5 deletions ACE/ace/SSL/SSL_Context.h
Expand Up @@ -67,7 +67,7 @@ class ACE_SSL_Export ACE_SSL_Data_File
// when C library routines are passed CallBack functions pointers that are
// actually C++ functions.
//
// Unfortunatly you can not specify extern "C" linkage anywhere inside a class
// Unfortunately you can not specify extern "C" linkage anywhere inside a class
// declaration or inside a function prototype for individual parameters. I.e:
// class { extern "C" int (*callback_) (int, void *); };
// to store a function pointer as a data member of the class is illegal as is:
Expand All @@ -78,7 +78,7 @@ class ACE_SSL_Export ACE_SSL_Data_File
// Since we need an extern "C" function pointer as a parameter to be stored
// in the class and handled by member functions, we are forced to declare
// a typedef of that extern "C" function pointer that we can then use.
// Again unfortunatly you also are not allowed to simply add the extern "C"
// Again unfortunately you also are not allowed to simply add the extern "C"
// to the typedef itself, instead you have to place the typedef declaration
// inside an extern "C" block, thus:

Expand All @@ -104,9 +104,18 @@ class ACE_SSL_Export ACE_SSL_Context

enum {
INVALID_METHOD = -1,
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
TLS_client,
TLS_server,
TLS,
SSLv23_client [[deprecated("Use TLS_client instead.")]],
SSLv23_server [[deprecated("Use TLS_server instead.")]],
SSLv23 [[deprecated("Use TLS instead.")]]
#else
SSLv23_client,
SSLv23_server,
SSLv23
#endif
};

/// Constructor
Expand All @@ -130,7 +139,11 @@ class ACE_SSL_Export ACE_SSL_Context
* If the mode is not set, then the class automatically initializes
* itself to the default mode.
*/
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
int set_mode (int mode = ACE_SSL_Context::TLS);
#else
int set_mode (int mode = ACE_SSL_Context::SSLv23);
#endif

int get_mode () const;

Expand Down Expand Up @@ -268,7 +281,7 @@ class ACE_SSL_Export ACE_SSL_Context
*
* @doc Use this method when certificate chain verification is
* required. The default server behaviour is SSL_VERIFY_NONE
* i.e. client certicates are requested for verified. This method
* i.e. client certificates are requested for verified. This method
* can be used to configure server to request client certificates
* and perform the certificate verification. If <strict> is set
* true the client connection is rejected when certificate
Expand Down Expand Up @@ -301,15 +314,15 @@ class ACE_SSL_Export ACE_SSL_Context
/**
* Set and query the default verify mode for this context, it is
* inherited by all the ACE_SSL objects created using the context.
* It can be overriden on a per-ACE_SSL object.
* It can be overridden on a per-ACE_SSL object.
*/
void default_verify_mode (int mode);
int default_verify_mode () const;

/**
* Set and query the default verify callback for this context, it is
* inherited by all the ACE_SSL objects created using the context.
* It can be overriden on a per-ACE_SSL object.
* It can be overridden on a per-ACE_SSL object.
*/
void default_verify_callback (extern_C_CallBackVerify_t);
extern_C_CallBackVerify_t default_verify_callback () const;
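Review bot: In the enum hunk the numeric value of each SSLv23_* enumerator now depends on the OpenSSL version: under the `#if` branch SSLv23_client is 3 (after TLS_client, TLS_server, TLS) while the `#else` branch keeps it at 0, and SSLv23_client and TLS_client are two distinct modes even though set_mode() treats them identically, so get_mode() can report either value for the same configuration. Defining the deprecated enumerators as equal to their TLS_* replacements fixes both: the pair is one mode, the values no longer shift, and SSL_Context.cpp no longer needs to spell out the deprecated names in its switch. The pre-1.1.0 branch can carry the same three TLS_* names and the same aliases without the attribute, which would also let the `set_mode` default argument in the next hunk be `ACE_SSL_Context::TLS` unconditionally instead of being selected by the preprocessor. An attribute on an enumerator is C++17 syntax; if ACE is still built as C++11/14 with -pedantic, guard it with `__has_cpp_attribute(deprecated)` or the project's own deprecation macro. The remaining hunks of this file are comment typo fixes and need nothing.
```cpp
  enum {
    INVALID_METHOD = -1,
    TLS_client,
    TLS_server,
    TLS,
    // Old spellings denote the same modes; keep them numerically identical so
    // set_mode()/get_mode() agree regardless of which name the caller uses.
    SSLv23_client [[deprecated("Use TLS_client instead.")]] = TLS_client,
    SSLv23_server [[deprecated("Use TLS_server instead.")]] = TLS_server,
    SSLv23 [[deprecated("Use TLS instead.")]] = TLS
  };
```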