sohami commented on a change in pull request #1388: DRILL-6610: Add support for
Minimum TLS restriction.
URL: https://github.com/apache/drill/pull/1388#discussion_r212041919
##########
File path: contrib/native/client/src/clientlib/channel.hpp
##########
@@ -82,11 +82,31 @@ class UserProperties;
return boost::asio::ssl::context::tlsv11;
} else if (version == "tlsv1") {
return boost::asio::ssl::context::tlsv1;
+ } else if ((version == "tlsv1+") || (version == "tlsv11+") ||
(version == "tlsv12+")) {
+ // SSLv2 and SSLv3 are disabled, so this is the equivalent
of 'tls' only mode.
+ // In boost version 1.64+, they've added support for
context::tls; method.
+ return boost::asio::ssl::context::sslv23;
} else {
return boost::asio::ssl::context::tlsv12;
}
}
+ /// @brief Applies Minimum TLS protocol restrictions.
+ ///
+ /// @param in_ver The protocol version.
+ ///
+ /// @return The SSL context options.
+ static long ApplyMinTLSRestriction(const std::string & in_ver){
+#if defined(IS_SSL_ENABLED)
+ if (in_ver == "tlsv11+") {
+ return SSL_OP_NO_TLSv1;
+ } else if (in_ver == "tlsv12+") {
+ return (SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
+ }
Review comment:
Looks like `SSL_OP_NO_TLSv1` and others are getting deprecate with 1.1.0
openssl. Please see
[here](https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_options.html).
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
