From 4d3cf2c626daebca25dd63148e31c4f0e8873871 Mon Sep 17 00:00:00 2001
From: Jamie Newbon
Date: Tue, 12 Nov 2019 17:04:43 +0000
Subject: [PATCH 1/5] Preventing older insecure version of TLS/SSL
---
 src/lib/net/SecureSocket.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/lib/net/SecureSocket.cpp b/src/lib/net/SecureSocket.cpp
index 72d1aa29..922d3419 100644
--- a/src/lib/net/SecureSocket.cpp
+++ b/src/lib/net/SecureSocket.cpp
@@ -393,6 +393,9 @@ SecureSocket::initContext(bool server)
 SSL_METHOD* m = const_cast(method);
 m_ssl->m_context = SSL_CTX_new(m);
+ //Prevent the usage of of all version prior to TLSv1.2 as they are known to be vulnerable
+ SSL_CTX_set_options(m_ssl->m_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
+
 if (m_ssl->m_context == NULL) {
 showError();
 }
@@ -848,7 +851,7 @@ SecureSocket::showSecureConnectInfo()
 SSL_CIPHER_description(cipher, msg, kMsgSize);
 LOG((CLOG_DEBUG "openssl cipher: %s", msg));
- LOG((CLOG_INFO "network encryption protocol: %s", SSL_CIPHER_get_version(cipher)));
+ LOG((CLOG_INFO "network encryption protocol: %s", SSL_get_version(m_ssl->m_ssl)));
 }
 else {
From 8ee5475447d33b9f856607f8035c23c8e0aa1b07 Mon Sep 17 00:00:00 2001
From: Jamie Newbon
Date: Tue, 12 Nov 2019 17:10:20 +0000
Subject: [PATCH 2/5] Removed openssl@1.1 due to problems supporting multiple macOS versions
---
 CMakeLists.txt | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 75855d2a..a2297311 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
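Review bot: `SSL_CTX_set_options(m_ssl->m_context, ...)` is placed before the `if (m_ssl->m_context == NULL)` check that follows it, so a failed `SSL_CTX_new` now dereferences a null context instead of reaching `showError()`; move the new comment and call below that block, e.g. `if (m_ssl->m_context == NULL) { showError(); } else { SSL_CTX_set_options(m_ssl->m_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1); }`. The `SSL_OP_NO_*` flags only narrow a version-flexible method (`SSLv23_method`/`TLS_method`); `method` is chosen outside this hunk, so if it is a fixed-version method the options change nothing, and a one-line comment recording that assumption would help the next reader. Where OpenSSL 1.1.0+ is available, `SSL_CTX_set_min_proto_version(m_ssl->m_context, TLS1_2_VERSION)` states the intent directly and keeps TLS 1.3 allowed, but the flag form is the portable choice if 1.0.2 must still build. initContext begins and ends outside the hunk.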
@@ -293,12 +293,7 @@ if (${CMAKE_SYSTEM_NAME} MATCHES "Windows")
 ${OPENSSL_ROOT}/lib/libcrypto.lib
 )
 elseif (${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
- #Try use 1.1 for the latest features. otherwise use the default
- IF(EXISTS /usr/local/opt/openssl@1.1)
- set (OPENSSL_ROOT /usr/local/opt/openssl@1.1)
- else()
- set (OPENSSL_ROOT /usr/local/opt/openssl)
- endif()
+ set (OPENSSL_ROOT /usr/local/opt/openssl)
 include_directories (BEFORE SYSTEM ${OPENSSL_ROOT}/include)
 set (OPENSSL_LIBS
 ${OPENSSL_ROOT}/lib/libssl.a
@@ -325,7 +320,7 @@ macro (configure_files srcDir destDir)
 set (sourceFilePath ${srcDir}/${sourceFile})
 if (IS_DIRECTORY ${sourceFilePath})
 message (STATUS "Copying directory ${sourceFile}")
- make_directory (${destDir/${sourceFile})
+ make_directory (${destDir}/${sourceFile})
 else()
 message (STATUS "Copying file ${sourceFile}")
 configure_file (${sourceFilePath} ${destDir}/${sourceFile} COPYONLY)
From 27e5d3b0848880f5b2089aa2bcca04cb06872606 Mon Sep 17 00:00:00 2001
From: Jamie Newbon
Date: Wed, 13 Nov 2019 10:01:27 +0000
Subject: [PATCH 3/5] Grabbed connection protocol from cipher for display to user
---
 src/lib/net/SecureSocket.cpp | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/lib/net/SecureSocket.cpp b/src/lib/net/SecureSocket.cpp
index 922d3419..48ea585e 100644
--- a/src/lib/net/SecureSocket.cpp
+++ b/src/lib/net/SecureSocket.cpp
@@ -30,6 +30,7 @@
 #include
 #include
 #include
+#include
 //
 // SecureSocket
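Review bot: Hard-wiring `OPENSSL_ROOT` to `/usr/local/opt/openssl` drops the preference for the 1.1 series without recording which OpenSSL the macOS build now links; at the time of this commit that Homebrew path normally resolved to the 1.0.2 series (end of life, no TLS 1.3), and because `OPENSSL_LIBS` names `libssl.a` whatever version is found is frozen into the shipped binary rather than patched with the system. At minimum make the choice visible, `message (STATUS "Using OpenSSL from ${OPENSSL_ROOT}")`, and consider a version floor (for example `find_package(OpenSSL 1.0.2 REQUIRED)` or a check of `OPENSSL_VERSION_NUMBER` in a configure step) so a stale library fails the build instead of silently shipping. The commit message gives a compatibility reason for the change; a short comment in place of the removed one, stating that the 1.1 path is deliberately not preferred and why, would stop the next maintainer from re-adding it blindly.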
@@ -850,9 +851,18 @@ SecureSocket::showSecureConnectInfo()
 char msg[kMsgSize];
 SSL_CIPHER_description(cipher, msg, kMsgSize);
 LOG((CLOG_DEBUG "openssl cipher: %s", msg));
-
- LOG((CLOG_INFO "network encryption protocol: %s", SSL_get_version(m_ssl->m_ssl)));
-
+
+ //For some reason SSL_get_version is return mismatching information to SSL_CIPHER_description
+ // so grab the version out the description instead, This seems like a hacky way of doing it.
+ // But when the cipher says "TLSv1.2" but the get_version returns "TLSv1/SSLv3" we it doesn't look right
+ const std::regex match(R"(^([\w-]*)\s+([\w-.]*).*$)");
+ const std::string message(msg);
+ std::smatch stringMatch;
+
+ if (std::regex_search(message, stringMatch, match)) {
+ const std::string protocol = stringMatch[2];
+ LOG((CLOG_INFO "network encryption protocol: %s", protocol.c_str()));
+ }
 }
 else {
 LOG((CLOG_ERR "could not get secure socket cipher"));
From e64e4c598d0cfa54cd4ddf111d987c435593f3c2 Mon Sep 17 00:00:00 2001
From: Jamie Newbon
Date: Thu, 14 Nov 2019 11:29:17 +0000
Subject: [PATCH 4/5] Changed to stringstream as Mac had problems with regex
---
 src/lib/net/SecureSocket.cpp | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/src/lib/net/SecureSocket.cpp b/src/lib/net/SecureSocket.cpp
index 48ea585e..11bc05c0 100644
--- a/src/lib/net/SecureSocket.cpp
+++ b/src/lib/net/SecureSocket.cpp
@@ -27,6 +27,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
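Review bot: The character class `[\w-.]` in the new `std::regex` uses a class escape as the lower bound of a range, which ECMAScript grammar does not allow; I believe libc++ rejects it with `std::regex_error` at construction (which would explain the macOS trouble mentioned in the following commit), and since nothing in this hunk catches it, the exception would escape from showSecureConnectInfo on what is only a logging path. Moving the hyphen to the end, `const std::regex match(R"(^([\w-]*)\s+([\w.-]*).*$)");`, makes the pattern portable, and because a diagnostic should never abort a connection the regex construction and search belong in a try block that falls back to logging `msg` whole. The comment's claim that `SSL_get_version` returned `TLSv1/SSLv3` matches what `SSL_CIPHER_get_version` prints on OpenSSL 1.0.x, which patch 1 replaced, so that observation may predate the earlier change and is worth re-checking before the workaround is kept. showSecureConnectInfo begins outside the hunk.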
@@ -855,13 +856,23 @@ SecureSocket::showSecureConnectInfo()
 //For some reason SSL_get_version is return mismatching information to SSL_CIPHER_description
 // so grab the version out the description instead, This seems like a hacky way of doing it.
 // But when the cipher says "TLSv1.2" but the get_version returns "TLSv1/SSLv3" we it doesn't look right
- const std::regex match(R"(^([\w-]*)\s+([\w-.]*).*$)");
- const std::string message(msg);
- std::smatch stringMatch;
-
- if (std::regex_search(message, stringMatch, match)) {
- const std::string protocol = stringMatch[2];
- LOG((CLOG_INFO "network encryption protocol: %s", protocol.c_str()));
+ // For some reason macOS hates regex's so stringstream is used
+
+ std::istringstream iss(msg);
+
+ //Take the stream input and splits it into a vetor directly
+ const std::vector parts{std::istream_iterator{iss},
+ std::istream_iterator{}};
+ if (parts.size() > 2)
+ {
+ //log the section containing the protocol version
+ LOG((CLOG_INFO "network encryption protocol: %s", parts[1].c_str()));
+ }
+ else
+ {
+ //log the error in spliting then display the whole description rather then nothing
+ LOG((CLOG_ERR "could not split cipher for protocol"));
+ LOG((CLOG_INFO "network encryption protocol: %s", msg));
 }
 }
 else {
From b641d4b33777d3184085b0202d2eebe36c9af835 Mon Sep 17 00:00:00 2001
From: Jamie Newbon
Date: Thu, 14 Nov 2019 16:14:11 +0000
Subject: [PATCH 5/5] Fixed build issue on Windows unable to find iterator
---
 src/lib/net/SecureSocket.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/net/SecureSocket.cpp b/src/lib/net/SecureSocket.cpp
index 11bc05c0..d82547c2 100644
--- a/src/lib/net/SecureSocket.cpp
+++ b/src/lib/net/SecureSocket.cpp
@@ -28,10 +28,10 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
-#include
 //
 // SecureSocket
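Review bot: The value now logged as "network encryption protocol" is the second column of `SSL_CIPHER_description`, which per the OpenSSL documentation is the protocol version that defined the cipher suite rather than the version negotiated for this session (an AES-CBC suite prints `SSLv3` even on a TLS 1.2 connection), so a user can be shown `SSLv3` on a connection that patch 1's `SSL_OP_NO_*` flags guarantee is TLS 1.2 or later. The negotiated version is exactly what `SSL_get_version(m_ssl->m_ssl)` reports, so the single line `LOG((CLOG_INFO "network encryption protocol: %s", SSL_get_version(m_ssl->m_ssl)));` is both correct and removes the tokenising, the `std::istringstream` and the error branch. If the tokenising is kept anyway, `parts.size() > 2` should be `parts.size() >= 2`, since only `parts[1]` is read, and the comment above it should say that the field is the cipher suite's version, not the connection's, so nobody treats it as an assurance of what is on the wire. The template arguments on `std::vector` and `std::istream_iterator` appear to have been lost in rendering and are not reviewed here; showSecureConnectInfo begins outside the hunk.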