tls-socket: Allow configuring both minimum and maximum TLS versions
This commit is contained in:
parent
c4576a1f57
commit
a7f2818832
|
@ -106,7 +106,7 @@ static int run_client(host_t *host, identification_t *server,
|
|||
close(fd);
|
||||
return 1;
|
||||
}
|
||||
tls = tls_socket_create(FALSE, server, client, fd, cache,
|
||||
tls = tls_socket_create(FALSE, server, client, fd, cache, TLS_1_0,
|
||||
TLS_1_3, TRUE);
|
||||
if (!tls)
|
||||
{
|
||||
|
@ -164,7 +164,8 @@ static int serve(host_t *host, identification_t *server,
|
|||
}
|
||||
DBG1(DBG_TLS, "%#H connected", host);
|
||||
|
||||
tls = tls_socket_create(TRUE, server, NULL, cfd, cache, TLS_1_2, TRUE);
|
||||
tls = tls_socket_create(TRUE, server, NULL, cfd, cache, TLS_1_0,
|
||||
TLS_1_2, TRUE);
|
||||
if (!tls)
|
||||
{
|
||||
close(fd);
|
||||
|
|
|
@ -877,7 +877,7 @@ static bool soap_init(private_tnc_ifmap_soap_t *this)
|
|||
|
||||
/* open TLS socket */
|
||||
this->tls = tls_socket_create(FALSE, server_id, client_id, this->fd,
|
||||
NULL, TLS_1_2, FALSE);
|
||||
NULL, TLS_1_0, TLS_1_2, FALSE);
|
||||
if (!this->tls)
|
||||
{
|
||||
DBG1(DBG_TNC, "creating TLS socket failed");
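Review bot: The floor passed on the new `tls_socket_create` line stays hard-wired to `TLS_1_0`, so this IF-MAP client still offers TLS 1.0 and 1.1 (both deprecated by RFC 8996) even though the minimum is now a parameter. Since the API was changed precisely so the floor can be chosen per caller, consider taking it from a configuration setting here, or defaulting to `TLS_1_2` for this connection with `TLS_1_0` kept only as an explicit legacy opt-in. `soap_init` begins outside the hunk, so I cannot see whether a settings lookup is already at hand in this function.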
|
||||
|
|
|
@ -85,7 +85,7 @@ static bool make_connection(private_pt_tls_client_t *this)
|
|||
}
|
||||
|
||||
this->tls = tls_socket_create(FALSE, this->server, this->client, fd,
|
||||
NULL, TLS_1_2, FALSE);
|
||||
NULL, TLS_1_0, TLS_1_2, FALSE);
|
||||
if (!this->tls)
|
||||
{
|
||||
close(fd);
|
||||
|
|
|
@ -532,7 +532,8 @@ pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
|
|||
.destroy = _destroy,
|
||||
},
|
||||
.state = PT_TLS_SERVER_VERSION,
|
||||
.tls = tls_socket_create(TRUE, server, NULL, fd, NULL, TLS_1_2, FALSE),
|
||||
.tls = tls_socket_create(TRUE, server, NULL, fd, NULL, TLS_1_0, TLS_1_2,
|
||||
FALSE),
|
||||
.tnccs = (tls_t*)tnccs,
|
||||
.auth = auth,
|
||||
);
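Review bot: On the server side the floor matters most, and the new initializer still pins `min_version` to `TLS_1_0`, so this PT-TLS server will accept TLS 1.0/1.1 handshakes from any client that asks for them. Now that the parameter exists, the server could take its minimum from configuration, or default to `TLS_1_2` and document that a lower floor is a deliberate legacy opt-in. `pt_tls_server_create` starts outside the hunk, so whether a configuration value is available in this scope is not visible here.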
|
||||
|
|
|
@ -298,7 +298,7 @@ static job_requeue_t serve_echo(echo_server_config_t *config)
|
|||
}
|
||||
|
||||
tls = tls_socket_create(TRUE, server, client, cfd, NULL,
|
||||
config->version, TRUE);
|
||||
TLS_1_0, config->version, TRUE);
|
||||
ck_assert(tls != NULL);
|
||||
|
||||
while (TRUE)
|
||||
|
@ -374,7 +374,7 @@ static void run_echo_client(echo_server_config_t *config)
|
|||
ck_assert(connect(fd, host->get_sockaddr(host),
|
||||
*host->get_sockaddr_len(host)) != -1);
|
||||
tls = tls_socket_create(FALSE, server, client, fd, NULL,
|
||||
config->version, TRUE);
|
||||
TLS_1_0, config->version, TRUE);
|
||||
ck_assert(tls != NULL);
|
||||
|
||||
wr = rd = 0;
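Review bot: Both the echo server and the echo client now pass `TLS_1_0` as the floor and `config->version` as the ceiling, so the new `min_version` parameter is never exercised by these tests with any value other than `TLS_1_0`. A variant that passes `config->version, config->version` on one side would check that negotiation lands on exactly the pinned version, and one where the client's floor lies above the server's ceiling would check that the handshake fails rather than quietly settling on a lower version. `run_echo_client` continues outside the hunk.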
|
||||
|
|
|
@ -405,8 +405,9 @@ METHOD(tls_socket_t, destroy, void,
|
|||
* See header
|
||||
*/
|
||||
tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
|
||||
identification_t *peer, int fd, tls_cache_t *cache,
|
||||
tls_version_t max_version, bool nullok)
|
||||
identification_t *peer, int fd,
|
||||
tls_cache_t *cache, tls_version_t min_version,
|
||||
tls_version_t max_version, bool nullok)
|
||||
{
|
||||
private_tls_socket_t *this;
|
||||
tls_purpose_t purpose;
|
||||
|
@ -442,12 +443,11 @@ tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
|
|||
|
||||
this->tls = tls_create(is_server, server, peer, purpose,
|
||||
&this->app.application, cache);
|
||||
if (!this->tls)
|
||||
if (!this->tls ||
|
||||
!this->tls->set_version(this->tls, min_version, max_version))
|
||||
{
|
||||
free(this);
|
||||
return NULL;
|
||||
}
|
||||
this->tls->set_version(this->tls, TLS_1_0, max_version);
|
||||
|
||||
return &this->public;
|
||||
}
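Review bot: If `tls_create` succeeds but `set_version` rejects the requested range, the new combined check frees `this` yet leaves `this->tls` allocated, so that failure path leaks the TLS object. The error branch should release it before `free(this)`, e.g. `DESTROY_IF(this->tls);` (or `if (this->tls) { this->tls->destroy(this->tls); }` — `tls_t` is presumably torn down through a `destroy` method, as `tls_socket_t` is in the `METHOD` above). Whatever else was allocated into `this` earlier in `tls_socket_create` lies outside this hunk, so I cannot tell whether further cleanup is owed there.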
|
||||
|
|
|
@ -104,12 +104,14 @@ struct tls_socket_t {
|
|||
* @param peer client identity, NULL for no client authentication
|
||||
* @param fd socket to read/write from
|
||||
* @param cache session cache to use, or NULL
|
||||
* @param min_version minimum TLS version to negotiate
|
||||
* @param max_version maximum TLS version to negotiate
|
||||
* @param nullok accept NULL encryption ciphers
|
||||
* @return TLS socket wrapper
|
||||
*/
|
||||
tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
|
||||
identification_t *peer, int fd, tls_cache_t *cache,
|
||||
tls_version_t max_version, bool nullok);
|
||||
identification_t *peer, int fd,
|
||||
tls_cache_t *cache, tls_version_t min_version,
|
||||
tls_version_t max_version, bool nullok);
|
||||
|
||||
#endif /** TLS_SOCKET_H_ @}*/
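Review bot: The doc block describes the new `min_version`, but `@return TLS socket wrapper` no longer covers the failure mode the implementation now has: creation returns NULL when `set_version` rejects the requested range, not only when the underlying TLS object cannot be created. I would change it to `@return TLS socket wrapper, NULL on failure (e.g. unsupported or inverted version range)` and add `must not exceed max_version` to `@param min_version`, provided that is what `set_version` actually enforces — its checks are not in this hunk.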
|
||||
|
|