Merge pull request #6595 from symless/v1-issue-6556-tls-updates
OpenSSL fixes for macOS
commit
36f2e7c8fd
|
@ -293,12 +293,7 @@ if (${CMAKE_SYSTEM_NAME} MATCHES "Windows")
|
||||||
${OPENSSL_ROOT}/lib/libcrypto.lib
|
${OPENSSL_ROOT}/lib/libcrypto.lib
|
||||||
)
|
)
|
||||||
elseif (${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
|
elseif (${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
|
||||||
#Try use 1.1 for the latest features. otherwise use the default
|
set (OPENSSL_ROOT /usr/local/opt/openssl)
|
||||||
IF(EXISTS /usr/local/opt/openssl@1.1)
|
|
||||||
set (OPENSSL_ROOT /usr/local/opt/openssl@1.1)
|
|
||||||
else()
|
|
||||||
set (OPENSSL_ROOT /usr/local/opt/openssl)
|
|
||||||
endif()
|
|
||||||
include_directories (BEFORE SYSTEM ${OPENSSL_ROOT}/include)
|
include_directories (BEFORE SYSTEM ${OPENSSL_ROOT}/include)
|
||||||
set (OPENSSL_LIBS
|
set (OPENSSL_LIBS
|
||||||
${OPENSSL_ROOT}/lib/libssl.a
|
${OPENSSL_ROOT}/lib/libssl.a
|
||||||
|
@ -325,7 +320,7 @@ macro (configure_files srcDir destDir)
|
||||||
set (sourceFilePath ${srcDir}/${sourceFile})
|
set (sourceFilePath ${srcDir}/${sourceFile})
|
||||||
if (IS_DIRECTORY ${sourceFilePath})
|
if (IS_DIRECTORY ${sourceFilePath})
|
||||||
message (STATUS "Copying directory ${sourceFile}")
|
message (STATUS "Copying directory ${sourceFile}")
|
||||||
make_directory (${destDir/${sourceFile})
|
make_directory (${destDir}/${sourceFile})
|
||||||
else()
|
else()
|
||||||
message (STATUS "Copying file ${sourceFile}")
|
message (STATUS "Copying file ${sourceFile}")
|
||||||
configure_file (${sourceFilePath} ${destDir}/${sourceFile} COPYONLY)
|
configure_file (${sourceFilePath} ${destDir}/${sourceFile} COPYONLY)
|
||||||
|
|
|
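Review bot: The Darwin branch now hard-codes `OPENSSL_ROOT` to `/usr/local/opt/openssl` (the new `set (OPENSSL_ROOT ...)` line printed beside the removed comment in the first hunk) and then links the static `libssl.a` from it with no check that the path exists, so a machine without that Homebrew prefix fails late at link time with an unhelpful error instead of at configure time. A guard right after the `set`, such as `if(NOT EXISTS ${OPENSSL_ROOT}/lib/libssl.a)` / `message(FATAL_ERROR "OpenSSL not found at ${OPENSSL_ROOT}")` / `endif()`, plus a `message(STATUS "Using OpenSSL at ${OPENSSL_ROOT}")`, would make the selected root visible in the configure log. The comment explaining the earlier openssl@1.1 preference was dropped together with that branch; since `/usr/local/opt/openssl` resolves to whichever formula Homebrew links there, a one-line comment stating which OpenSSL version the build expects would help the next reader. The `OPENSSL_LIBS` list continues outside the hunk.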
@ -27,6 +27,8 @@
|
||||||
#include <openssl/ssl.h>
|
#include <openssl/ssl.h>
|
||||||
#include <openssl/err.h>
|
#include <openssl/err.h>
|
||||||
#include <cstring>
|
#include <cstring>
|
||||||
|
#include <sstream>
|
||||||
|
#include <iterator>
|
||||||
#include <cstdlib>
|
#include <cstdlib>
|
||||||
#include <memory>
|
#include <memory>
|
||||||
#include <fstream>
|
#include <fstream>
|
||||||
|
@ -393,6 +395,9 @@ SecureSocket::initContext(bool server)
|
||||||
SSL_METHOD* m = const_cast<SSL_METHOD*>(method);
|
SSL_METHOD* m = const_cast<SSL_METHOD*>(method);
|
||||||
m_ssl->m_context = SSL_CTX_new(m);
|
m_ssl->m_context = SSL_CTX_new(m);
|
||||||
|
|
||||||
|
//Prevent the usage of of all version prior to TLSv1.2 as they are known to be vulnerable
|
||||||
|
SSL_CTX_set_options(m_ssl->m_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
|
||||||
|
|
||||||
if (m_ssl->m_context == NULL) {
|
if (m_ssl->m_context == NULL) {
|
||||||
showError();
|
showError();
|
||||||
}
|
}
|
||||||
|
@ -847,9 +852,28 @@ SecureSocket::showSecureConnectInfo()
|
||||||
char msg[kMsgSize];
|
char msg[kMsgSize];
|
||||||
SSL_CIPHER_description(cipher, msg, kMsgSize);
|
SSL_CIPHER_description(cipher, msg, kMsgSize);
|
||||||
LOG((CLOG_DEBUG "openssl cipher: %s", msg));
|
LOG((CLOG_DEBUG "openssl cipher: %s", msg));
|
||||||
|
|
||||||
|
//For some reason SSL_get_version is return mismatching information to SSL_CIPHER_description
|
||||||
|
// so grab the version out the description instead, This seems like a hacky way of doing it.
|
||||||
|
// But when the cipher says "TLSv1.2" but the get_version returns "TLSv1/SSLv3" we it doesn't look right
|
||||||
|
// For some reason macOS hates regex's so stringstream is used
|
||||||
|
|
||||||
LOG((CLOG_INFO "network encryption protocol: %s", SSL_CIPHER_get_version(cipher)));
|
std::istringstream iss(msg);
|
||||||
|
|
||||||
|
//Take the stream input and splits it into a vetor directly
|
||||||
|
const std::vector<std::string> parts{std::istream_iterator<std::string>{iss},
|
||||||
|
std::istream_iterator<std::string>{}};
|
||||||
|
if (parts.size() > 2)
|
||||||
|
{
|
||||||
|
//log the section containing the protocol version
|
||||||
|
LOG((CLOG_INFO "network encryption protocol: %s", parts[1].c_str()));
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
//log the error in spliting then display the whole description rather then nothing
|
||||||
|
LOG((CLOG_ERR "could not split cipher for protocol"));
|
||||||
|
LOG((CLOG_INFO "network encryption protocol: %s", msg));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
LOG((CLOG_ERR "could not get secure socket cipher"));
|
LOG((CLOG_ERR "could not get secure socket cipher"));
|
||||||
|
|
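Review bot: In the `initContext` hunk the added `SSL_CTX_set_options(m_ssl->m_context, ...)` call runs before the existing `if (m_ssl->m_context == NULL)` check, so a failed `SSL_CTX_new` now dereferences a null context instead of reaching `showError()`. Move the two added lines (the comment and the `SSL_CTX_set_options` call) below the `if (m_ssl->m_context == NULL) { showError(); }` block, and if `showError()` returns rather than aborting (not visible here), return early after it so the options are only applied to a valid context. In the `showSecureConnectInfo` hunk `std::vector` is used, but the include hunk adds only `<sstream>` and `<iterator>`; add `#include <vector>` unless it is already pulled in elsewhere in the file. The rest of both functions lies outside the hunks.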