qpid-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From astitc...@apache.org
Subject [qpid-proton] 05/06: PROTON-2014: [c] Ensure SSL mutual authentication
Date Thu, 14 Mar 2019 20:05:34 GMT
This is an automated email from the ASF dual-hosted git repository.

astitcher pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/qpid-proton.git

commit 97c7733f07712665f3d08091c82c393e4c3adbf7
Author: Andrew Stitcher <astitcher@apache.org>
AuthorDate: Thu Mar 7 15:51:11 2019 -0500

    PROTON-2014: [c] Ensure SSL mutual authentication
---
 c/src/ssl/openssl.c  | 8 ++++++++
 c/src/ssl/schannel.c | 5 +++++
 2 files changed, 13 insertions(+)

diff --git a/c/src/ssl/openssl.c b/c/src/ssl/openssl.c
index 89cc1aa..63d7562 100644
--- a/c/src/ssl/openssl.c
+++ b/c/src/ssl/openssl.c
@@ -756,6 +756,14 @@ int pn_ssl_domain_set_peer_authentication(pn_ssl_domain_t *domain,
 #if (OPENSSL_VERSION_NUMBER < 0x00905100L)
     SSL_CTX_set_verify_depth(domain->ctx, 1);
 #endif
+
+    // A bit of a hack - If we asked for peer verification then disallow anonymous ciphers
+    // A much more robust thing would be to ensure that we actually have a peer certificate
+    // when we've finished the SSL handshake
+    if (!domain->ciphers && !SSL_CTX_set_cipher_list( domain->ctx, CIPHERS_AUTHENTICATE
)) {
+      ssl_log_error("Failed to set cipher list to %s", CIPHERS_AUTHENTICATE);
+      return -1;
+    }
     break;
 
    case PN_SSL_ANONYMOUS_PEER:   // hippie free love mode... :)
diff --git a/c/src/ssl/schannel.c b/c/src/ssl/schannel.c
index 15e7d8a..bebaf56 100644
--- a/c/src/ssl/schannel.c
+++ b/c/src/ssl/schannel.c
@@ -1354,6 +1354,11 @@ static void server_handshake(pn_transport_t* transport)
     ssl_log(transport, "server handshake successful %d max record size", max);
     break;
 
+  case SEC_E_ALGORITHM_MISMATCH:
+    ssl_log(transport, "server handshake failed: no common algorithm");
+    ssl_failed(transport, "server handshake failed: no common algorithm");
+    break;
+
   case SEC_I_CONTEXT_EXPIRED:
     // ended before we got going
   default:


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org


Mime
View raw message