
THRIFT-5706: lib/cpp Fix the Security tests on openssl 1.1 and 3.0
This PR fixes the Security tests to build on a clean install of ubuntu
20.04 and ubuntu 22.04 without modifications to the systems openssl
configuration.

 * Enable TLS 1.0 and TLS 1.1 on OpenSSL 1.1 with the seclevel=0 flag
 * Disable TLS 1.0 and TLS 1.1 on OpenSSL 3.0

While it's technically possible to enable them on OpenSSL 3, I think that, because of all the issues with these old TLS versions, dropping support for them is better.

This PR builds forth on the work done here: apache#2811
thomasbruggink committed Feb 26, 2024
1 parent 3b1c30c commit 06d23d7
Showing 2 changed files with 10 additions and 8 deletions.
9 changes: 5 additions & 4 deletions lib/cpp/test/SecurityFromBufferTest.cpp
Expand Up @@ -199,16 +199,17 @@ BOOST_AUTO_TEST_CASE(ssl_security_matrix) {
try {
// matrix of connection success between client and server with different SSLProtocol selections
static_assert(apache::thrift::transport::LATEST == 5, "Mismatch in assumed number of ssl protocols");
bool ossl1 = (OPENSSL_VERSION_NUMBER < 0x30000000L);
bool ossl10 = (OPENSSL_VERSION_NUMBER < 0x10100000L);
bool ossl11 = (!ossl10 && OPENSSL_VERSION_NUMBER < 0x30000000L);
bool matrix[apache::thrift::transport::LATEST + 1][apache::thrift::transport::LATEST + 1] =
{
// server = SSLTLS SSLv2 SSLv3 TLSv1_0 TLSv1_1 TLSv1_2
// client
/* SSLTLS */ { true, false, false, ossl1, ossl1, true },
/* SSLTLS */ { true, false, false, ossl10, ossl10, true },
/* SSLv2 */ { false, false, false, false, false, false },
/* SSLv3 */ { false, false, true, false, false, false },
/* TLSv1_0 */ { ossl1, false, false, ossl1, false, false },
/* TLSv1_1 */ { ossl1, false, false, false, ossl1, false },
/* TLSv1_0 */ { ossl10, false, false, ossl10, false, false },
/* TLSv1_1 */ { ossl10, false, false, false, ossl10, false },
/* TLSv1_2 */ { true, false, false, false, false, true }
};

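Review bot: `ossl11` in the new `bool ossl11 = (!ossl10 && OPENSSL_VERSION_NUMBER < 0x30000000L);` line is never read by the matrix below it, which only consults `ossl10`; unless it is consumed further down `ssl_security_matrix` (the function continues past this hunk), it is dead and will draw an unused-variable warning. The commit message says TLS 1.0/1.1 are enabled on OpenSSL 1.1 via seclevel=0, yet the TLSv1_0 and TLSv1_1 rows now expect success only when `ossl10` holds (OPENSSL_VERSION_NUMBER below 0x10100000L), so if 1.1 is meant to pass those cells should read `ossl10 || ossl11`, and if not, the message and the matrix should say so. Either way a short comment above the two flags would document the thresholds, e.g. `// ossl10: OpenSSL < 1.1.0 (TLS 1.0/1.1 usable); ossl11: 1.1.x; on 3.0+ the legacy TLS cells are expected to fail`. The identical hunk in lib/cpp/test/SecurityTest.cpp has the same issue.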
9 changes: 5 additions & 4 deletions lib/cpp/test/SecurityTest.cpp
Expand Up @@ -221,16 +221,17 @@ BOOST_AUTO_TEST_CASE(ssl_security_matrix)
{
// matrix of connection success between client and server with different SSLProtocol selections
static_assert(apache::thrift::transport::LATEST == 5, "Mismatch in assumed number of ssl protocols");
bool ossl1 = (OPENSSL_VERSION_NUMBER < 0x30000000L);
bool ossl10 = (OPENSSL_VERSION_NUMBER < 0x10100000L);
bool ossl11 = (!ossl10 && OPENSSL_VERSION_NUMBER < 0x30000000L);
bool matrix[apache::thrift::transport::LATEST + 1][apache::thrift::transport::LATEST + 1] =
{
// server = SSLTLS SSLv2 SSLv3 TLSv1_0 TLSv1_1 TLSv1_2
// client
/* SSLTLS */ { true, false, false, ossl1, ossl1, true },
/* SSLTLS */ { true, false, false, ossl10, ossl10, true },
/* SSLv2 */ { false, false, false, false, false, false },
/* SSLv3 */ { false, false, true, false, false, false },
/* TLSv1_0 */ { ossl1, false, false, ossl1, false, false },
/* TLSv1_1 */ { ossl1, false, false, false, ossl1, false },
/* TLSv1_0 */ { ossl10, false, false, ossl10, false, false },
/* TLSv1_1 */ { ossl10, false, false, false, ossl10, false },
/* TLSv1_2 */ { true, false, false, false, false, true }
};

