THRIFT-5706: lib: cpp: Fix C++ SecurityTest compilation on OpenSSL1.x #2811

wants to merge 1 commit into
base: master
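--- a/lib/cpp/test/SecurityFromBufferTest.cpp
+++ b/lib/cpp/test/SecurityFromBufferTest.cpp
@@ -109,7 +109,13 @@ struct SecurityFromBufferFixture {
 shared_ptr<TSSLServerSocket> pServerSocket;
 
 pServerSocketFactory.reset(new TSSLSocketFactory(static_cast<apache::thrift::transport::SSLProtocol>(protocol)));
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+// OpenSSL 1.1.0 introduced @SECLEVEL. Modern distributions limit TLS 1.0/1.1
+// to @SECLEVEL=0 or 1, so specify it to test all combinations.
+pServerSocketFactory->ciphers("ALL:!ADH:!LOW:!EXP:!MD5:@SECLEVEL=0:@STRENGTH");
+#else
 pServerSocketFactory->ciphers("ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
+#endif
 pServerSocketFactory->loadCertificateFromBuffer(certString("server.crt").c_str());
 pServerSocketFactory->loadPrivateKeyFromBuffer(certString("server.key").c_str());
 pServerSocketFactory->server(true);
@@ -154,6 +160,11 @@ struct SecurityFromBufferFixture {
 
 try {
 pClientSocketFactory.reset(new TSSLSocketFactory(static_cast<apache::thrift::transport::SSLProtocol>(protocol)));
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+// OpenSSL 1.1.0 introduced @SECLEVEL. Modern distributions limit TLS 1.0/1.1
+// to @SECLEVEL=0 or 1, so specify it to test all combinations.
+pClientSocketFactory->ciphers("ALL:!ADH:!LOW:!EXP:!MD5:@SECLEVEL=0:@STRENGTH");
+#endif
 pClientSocketFactory->authenticate(true);
 pClientSocketFactory->loadCertificateFromBuffer(certString("client.crt").c_str());
 pClientSocketFactory->loadPrivateKeyFromBuffer(certString("client.key").c_str());
@@ -199,16 +210,15 @@ BOOST_AUTO_TEST_CASE(ssl_security_matrix) {
 try {
 // matrix of connection success between client and server with different SSLProtocol selections
 static_assert(apache::thrift::transport::LATEST == 5, "Mismatch in assumed number of ssl protocols");
-bool ossl1 = OPENSSL_VERSION_MAJOR == 1;
 bool matrix[apache::thrift::transport::LATEST + 1][apache::thrift::transport::LATEST + 1] =
 {
 // server = SSLTLS SSLv2 SSLv3 TLSv1_0 TLSv1_1 TLSv1_2
 // client
-/* SSLTLS */ { true, false, false, ossl1, ossl1, true },
+/* SSLTLS */ { true, false, false, true, true, true },
 /* SSLv2 */ { false, false, false, false, false, false },
 /* SSLv3 */ { false, false, true, false, false, false },
-/* TLSv1_0 */ { ossl1, false, false, ossl1, false, false },
-/* TLSv1_1 */ { ossl1, false, false, false, ossl1, false },
+/* TLSv1_0 */ { true, false, false, true, false, false },
+/* TLSv1_1 */ { true, false, false, false, true, false },
 /* TLSv1_2 */ { true, false, false, false, false, true }
 };
 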
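Review bot: The `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` guard around the `@SECLEVEL=0` cipher string (server hunk and client hunk here, and the same two places in lib/cpp/test/SecurityTest.cpp) selects on a version number, but the property that matters is whether the library accepts `@SECLEVEL` in a cipher list; LibreSSL reports a large OPENSSL_VERSION_NUMBER and, as far as I know, does not support `@SECLEVEL`, so `ciphers()` would presumably fail there. Consider `#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)` so the legacy string is used on that build. The added comment describes only the TLS-version effect; `@SECLEVEL=0` also lifts the minimum key-size and signature-algorithm floor, so a line such as `// Test-only cipher list: @SECLEVEL=0 also lifts the key-size/signature floor, not just the TLS-version policy.` would make the scope of the relaxation explicit. The same literal now appears twice per file; one `static const char* const` at file scope would keep the server and client lists from drifting apart.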
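--- a/lib/cpp/test/SecurityTest.cpp
+++ b/lib/cpp/test/SecurityTest.cpp
@@ -108,7 +108,13 @@ struct SecurityFixture
 shared_ptr<TSSLServerSocket> pServerSocket;
 
 pServerSocketFactory.reset(new TSSLSocketFactory(static_cast<apache::thrift::transport::SSLProtocol>(protocol)));
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+// OpenSSL 1.1.0 introduced @SECLEVEL. Modern distributions limit TLS 1.0/1.1
+// to @SECLEVEL=0 or 1, so specify it to test all combinations.
+pServerSocketFactory->ciphers("ALL:!ADH:!LOW:!EXP:!MD5:@SECLEVEL=0:@STRENGTH");
+#else
 pServerSocketFactory->ciphers("ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
+#endif
 pServerSocketFactory->loadCertificate(certFile("server.crt").string().c_str());
 pServerSocketFactory->loadPrivateKey(certFile("server.key").string().c_str());
 pServerSocketFactory->server(true);
@@ -161,6 +167,11 @@ struct SecurityFixture
 try
 {
 pClientSocketFactory.reset(new TSSLSocketFactory(static_cast<apache::thrift::transport::SSLProtocol>(protocol)));
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+// OpenSSL 1.1.0 introduced @SECLEVEL. Modern distributions limit TLS 1.0/1.1
+// to @SECLEVEL=0 or 1, so specify it to test all combinations.
+pClientSocketFactory->ciphers("ALL:!ADH:!LOW:!EXP:!MD5:@SECLEVEL=0:@STRENGTH");
+#endif
 pClientSocketFactory->authenticate(true);
 pClientSocketFactory->loadCertificate(certFile("client.crt").string().c_str());
 pClientSocketFactory->loadPrivateKey(certFile("client.key").string().c_str());
@@ -221,16 +232,15 @@ BOOST_AUTO_TEST_CASE(ssl_security_matrix)
 {
 // matrix of connection success between client and server with different SSLProtocol selections
 static_assert(apache::thrift::transport::LATEST == 5, "Mismatch in assumed number of ssl protocols");
-bool ossl1 = OPENSSL_VERSION_MAJOR == 1;
 bool matrix[apache::thrift::transport::LATEST + 1][apache::thrift::transport::LATEST + 1] =
 {
 // server = SSLTLS SSLv2 SSLv3 TLSv1_0 TLSv1_1 TLSv1_2
 // client
-/* SSLTLS */ { true, false, false, ossl1, ossl1, true },
+/* SSLTLS */ { true, false, false, true, true, true },
 /* SSLv2 */ { false, false, false, false, false, false },
 /* SSLv3 */ { false, false, true, false, false, false },
-/* TLSv1_0 */ { ossl1, false, false, ossl1, false, false },
-/* TLSv1_1 */ { ossl1, false, false, false, ossl1, false },
+/* TLSv1_0 */ { true, false, false, true, false, false },
+/* TLSv1_1 */ { true, false, false, false, true, false },
 /* TLSv1_2 */ { true, false, false, false, false, true }
 };
 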
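Review bot: The ssl_security_matrix hunk now hard-codes `true` for every TLSv1_0/TLSv1_1 cell on all OpenSSL builds (the same change is in lib/cpp/test/SecurityFromBufferTest.cpp), which assumes the linked libssl still has those protocols compiled in; `@SECLEVEL=0` only lifts the policy floor, so an OpenSSL configured with `no-tls1`/`no-tls1_1` would presumably fail those cells rather than skip them. If that trade-off is intended, state it on the matrix, e.g. `// TLSv1_0/TLSv1_1 cells assume libssl was built with those protocols; @SECLEVEL=0 only relaxes the policy floor.`; otherwise derive those cells from `!defined(OPENSSL_NO_TLS1)` and `!defined(OPENSSL_NO_TLS1_1)`, which OpenSSL defines when the protocols are compiled out, so the matrix keeps tracking the actual library capability the way the removed `ossl1` flag tried to. The enclosing BOOST_AUTO_TEST_CASE body continues outside the hunk.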