drill-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From timothyfar...@apache.org
Subject [drill] 03/03: DRILL-6610: Add support for Minimum TLS restriction.
Date Sat, 10 Nov 2018 03:14:41 GMT
This is an automated email from the ASF dual-hosted git repository.

timothyfarkas pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/drill.git

commit 33810dfbafaf73e4523a1c20751610855d03eca0
Author: superbstreak <robwu15@gmail.com>
AuthorDate: Wed Jul 18 14:26:09 2018 -0700

    DRILL-6610: Add support for Minimum TLS restriction.
    
    closes #1388
---
 contrib/native/client/src/clientlib/channel.cpp    |  4 +--
 contrib/native/client/src/clientlib/channel.hpp    | 29 ++++++++++++++++++++++
 contrib/native/client/src/clientlib/errmsgs.cpp    |  1 +
 contrib/native/client/src/clientlib/errmsgs.hpp    |  3 ++-
 contrib/native/client/src/include/drill/common.hpp |  2 +-
 5 files changed, 35 insertions(+), 4 deletions(-)

diff --git a/contrib/native/client/src/clientlib/channel.cpp b/contrib/native/client/src/clientlib/channel.cpp
index bdc19f7..3af17d6 100644
--- a/contrib/native/client/src/clientlib/channel.cpp
+++ b/contrib/native/client/src/clientlib/channel.cpp
@@ -210,12 +210,12 @@ ChannelContext* ChannelFactory::getChannelContext(channelType_t t, DrillUserProp
                 verifyMode = boost::asio::ssl::context::verify_none;
             }
 
-            long customSSLCtxOptions = 0;
+            long customSSLCtxOptions = SSLChannelContext::ApplyMinTLSRestriction(protocol);
             std::string sslOptions;
             props->getProp(USERPROP_CUSTOM_SSLCTXOPTIONS, sslOptions);
             if (!sslOptions.empty()){
                 try{
-                    customSSLCtxOptions = boost::lexical_cast<long>(sslOptions);
+                    customSSLCtxOptions |= boost::lexical_cast<long>(sslOptions);
                 }
                 catch (...){
                       DRILL_LOG(LOG_ERROR) << "Unable to parse custom SSL CTX options."
<< std::endl;
diff --git a/contrib/native/client/src/clientlib/channel.hpp b/contrib/native/client/src/clientlib/channel.hpp
index fec4659..7d4ad60 100644
--- a/contrib/native/client/src/clientlib/channel.hpp
+++ b/contrib/native/client/src/clientlib/channel.hpp
@@ -82,11 +82,34 @@ class UserProperties;
                     return boost::asio::ssl::context::tlsv11;
                 } else if (version == "tlsv1") {
                     return boost::asio::ssl::context::tlsv1;
+                } else if ((version == "tlsv1+") || (version == "tlsv11+") || (version ==
"tlsv12+")) {
+                    // SSLv2 and SSLv3 are disabled, so this is the equivalent of 'tls' only
mode.
+                    // In boost version 1.64+, they've added support for context::tls; method.
+                    return boost::asio::ssl::context::sslv23;
                 } else {
                     return boost::asio::ssl::context::tlsv12;
                 }
             }
 
+            /// @brief Applies Minimum TLS protocol restrictions. 
+            ///         tlsv11+ means restrict to TLS version 1.1 and higher.
+            ///         tlsv12+ means restrict to TLS version 1.2 and higher.
+            ///  Please note that SSL_OP_NO_TLSv tags are depreecated in openSSL 1.1.0.
+            /// 
+            /// @param in_ver               The protocol version.
+            /// 
+            /// @return The SSL context options.
+            static long ApplyMinTLSRestriction(const std::string & in_ver){
+#if defined(IS_SSL_ENABLED)
+                if (in_ver == "tlsv11+") {
+                    return SSL_OP_NO_TLSv1;
+                } else if (in_ver == "tlsv12+") {
+                    return (SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
+                } 
+#endif
+                return SSL_OP_NO_SSLv3;
+            }
+
         SSLChannelContext(DrillUserProperties *props,
                           boost::asio::ssl::context::method tlsVersion,
                           boost::asio::ssl::verify_mode verifyMode,
@@ -256,6 +279,12 @@ class UserProperties;
                         CONN_HANDSHAKE_FAILED,
                         getMessage(ERR_CONN_SSL_CERTVERIFY, in_err.what()));
                 }
+                else if (boost::asio::error::get_ssl_category() == errcode.category() &&
+                    SSL_R_UNSUPPORTED_PROTOCOL == ERR_GET_REASON(errcode.value())){
+                    return handleError(
+                        CONN_HANDSHAKE_FAILED,
+                        getMessage(ERR_CONN_SSL_PROTOVER, in_err.what()));
+                }
                 else{
                     return handleError(
                         CONN_HANDSHAKE_FAILED,
diff --git a/contrib/native/client/src/clientlib/errmsgs.cpp b/contrib/native/client/src/clientlib/errmsgs.cpp
index 82f24fd..5ab8d8e 100644
--- a/contrib/native/client/src/clientlib/errmsgs.cpp
+++ b/contrib/native/client/src/clientlib/errmsgs.cpp
@@ -60,6 +60,7 @@ static Drill::ErrorMessages errorMessages[]={
     {ERR_CONN_SSL_GENERAL, ERR_CATEGORY_CONN, 0, "Encountered an exception during SSL handshake.
[Details: %s]"},
     {ERR_CONN_SSL_CN, ERR_CATEGORY_CONN, 0, "SSL certificate host name verification failure.
[Details: %s]" },
     {ERR_CONN_SSL_CERTVERIFY, ERR_CATEGORY_CONN, 0, "SSL certificate verification failed.
[Details: %s]"},
+    {ERR_CONN_SSL_PROTOVER, ERR_CATEGORY_CONN, 0, "Unsupported TLS protocol version. [Details:
%s]" },
     {ERR_QRY_OUTOFMEM, ERR_CATEGORY_QRY, 0, "Out of memory."},
     {ERR_QRY_COMMERR, ERR_CATEGORY_QRY, 0, "Communication error. %s"},
     {ERR_QRY_INVREADLEN, ERR_CATEGORY_QRY, 0, "Internal Error: Received a message with an
invalid read length."},
diff --git a/contrib/native/client/src/clientlib/errmsgs.hpp b/contrib/native/client/src/clientlib/errmsgs.hpp
index 7bcb805..7230611 100644
--- a/contrib/native/client/src/clientlib/errmsgs.hpp
+++ b/contrib/native/client/src/clientlib/errmsgs.hpp
@@ -58,7 +58,8 @@ namespace Drill{
 #define ERR_CONN_SSL_GENERAL    DRILL_ERR_START+26
 #define ERR_CONN_SSL_CN         DRILL_ERR_START+27
 #define ERR_CONN_SSL_CERTVERIFY DRILL_ERR_START+28
-#define ERR_CONN_MAX            DRILL_ERR_START+28
+#define ERR_CONN_SSL_PROTOVER   DRILL_ERR_START+29
+#define ERR_CONN_MAX            DRILL_ERR_START+29
 
 #define ERR_QRY_OUTOFMEM    ERR_CONN_MAX+1
 #define ERR_QRY_COMMERR     ERR_CONN_MAX+2
diff --git a/contrib/native/client/src/include/drill/common.hpp b/contrib/native/client/src/include/drill/common.hpp
index b5bb522..1324601 100644
--- a/contrib/native/client/src/include/drill/common.hpp
+++ b/contrib/native/client/src/include/drill/common.hpp
@@ -173,7 +173,7 @@ typedef enum{
 #define USERPROP_PASSWORD "password"
 #define USERPROP_SCHEMA   "schema"
 #define USERPROP_USESSL   "enableTLS"
-#define USERPROP_TLSPROTOCOL "TLSProtocol" //TLS version. The exact TLS version.
+#define USERPROP_TLSPROTOCOL "TLSProtocol" //TLS version.
 #define USERPROP_CUSTOM_SSLCTXOPTIONS "CustomSSLCtxOptions" // The custom SSL CTX options.
 #define USERPROP_CERTFILEPATH "certFilePath" // pem file path and name
 // TODO: support truststore protected by password. 


Mime
View raw message