[ 
https://issues.apache.org/jira/browse/DRILL-6610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16589162#comment-16589162
 ] 

ASF GitHub Bot commented on DRILL-6610:
---------------------------------------

sohami commented on a change in pull request #1388: DRILL-6610: Add support for 
Minimum TLS restriction.
URL: https://github.com/apache/drill/pull/1388#discussion_r212043110
 
 

 ##########
 File path: contrib/native/client/src/clientlib/channel.hpp
 ##########
 @@ -82,11 +82,31 @@ class UserProperties;
                     return boost::asio::ssl::context::tlsv11;
                 } else if (version == "tlsv1") {
                     return boost::asio::ssl::context::tlsv1;
+                } else if ((version == "tlsv1+") || (version == "tlsv11+") || 
(version == "tlsv12+")) {
+                    // SSLv2 and SSLv3 are disabled, so this is the equivalent 
of 'tls' only mode.
+                    // In boost version 1.64+, they've added support for 
context::tls; method.
+                    return boost::asio::ssl::context::sslv23;
                 } else {
                     return boost::asio::ssl::context::tlsv12;
                 }
             }
 
+            /// @brief Applies Minimum TLS protocol restrictions.
+            /// 
+            /// @param in_ver               The protocol version.
+            /// 
+            /// @return The SSL context options.
+            static long ApplyMinTLSRestriction(const std::string & in_ver){
+#if defined(IS_SSL_ENABLED)
+                if (in_ver == "tlsv11+") {
+                    return SSL_OP_NO_TLSv1;
+                } else if (in_ver == "tlsv12+") {
+                    return (SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
+                } 
+#endif
+                return 0;
 
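Review bot: ApplyMinTLSRestriction returns 0 for "tlsv1+" (and for any unrecognised string), so for that mode the exclusion of SSLv2/SSLv3 depends entirely on options set elsewhere on the context, while the method lookup above maps all three "+" settings to the permissive sslv23. Consider starting the function with `long opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;` and OR-ing in SSL_OP_NO_TLSv1 / SSL_OP_NO_TLSv1_1 for "tlsv11+" / "tlsv12+", so the floor is enforced in one place regardless of how the context was initialised; the unrecognised-string case should also be documented in the @brief, since it currently applies no restriction at all.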
 Review comment:
   I think by default we can always return `SSL_OP_NO_SSLv3` even though we are 
setting options to context for no_sslv2 | no_sslv3;

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Add support for Minimum TLS support
> -----------------------------------
>
>                 Key: DRILL-6610
>                 URL: https://issues.apache.org/jira/browse/DRILL-6610
>             Project: Apache Drill
>          Issue Type: Improvement
>          Components: Client - C++
>    Affects Versions: 1.12.0
>            Reporter: Rob Wu
>            Assignee: Rob Wu
>            Priority: Major
>
> Add support for minimum TLS support.
> Currently, the TLSProtocol parameter only supports a specific version of TLS 
> to be used.
>  
> Investigation:
> Setting the default SSL context method to be sslv23 with default sslv2 and 
> sslv3 turned off would allow us to restrict the protocol to be TLS only.
> Additional flags can be applied to further restrict the minimum TLS version:
> For example:
> Minimum TLS 1.0 - Sets NO_SSLv2 and NO_SSLv3
> Minimum TLS 1.1 - Sets NO_SSLv2 and NO_SSLv3 and NO_TLSv1
> Minimum TLS 1.2 - Sets NO_SSLv2 and NO_SSLv3 and NO_TLSv1 and NO_TLSv1_1
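The minimum-version scheme described in the Investigation section, together with the point raised in the review (always excluding SSLv2 and SSLv3), as an added example that is not Drill's own code: the policy is modelled as a bitmask of disabled protocols in the style of OpenSSL's SSL_OP_NO_* flags, but the bit values, and the names disabledProtocols, accepts and isKnownSetting, are constructed for this example and are not OpenSSL's or the client's.

```cpp
// Added example, not Drill's code. Bit values below are constructed for this
// model; they are NOT the numeric values of OpenSSL's SSL_OP_NO_* options.
#include <stdexcept>
#include <string>

enum Proto : unsigned {
    kSSLv2  = 1u << 0,
    kSSLv3  = 1u << 1,
    kTLSv1  = 1u << 2,
    kTLSv11 = 1u << 3,
    kTLSv12 = 1u << 4,
};

// Every protocol version this model knows about.
static const unsigned kAllProtos = kSSLv2 | kSSLv3 | kTLSv1 | kTLSv11 | kTLSv12;

// Returns the set of protocols to disable for a TLSProtocol setting.
// "tlsv1", "tlsv11", "tlsv12" pin one version; "tlsv1+", "tlsv11+", "tlsv12+"
// set a minimum. SSLv2 and SSLv3 are always disabled here, so the floor is
// enforced by this function alone and does not rely on context defaults.
unsigned disabledProtocols(const std::string& setting) {
    unsigned disabled = kSSLv2 | kSSLv3;
    if (setting == "tlsv1+") {
        // nothing further to disable: any TLS version is acceptable
    } else if (setting == "tlsv11+") {
        disabled |= kTLSv1;
    } else if (setting == "tlsv12+") {
        disabled |= kTLSv1 | kTLSv11;
    } else if (setting == "tlsv1") {
        disabled |= kAllProtos & ~kTLSv1;
    } else if (setting == "tlsv11") {
        disabled |= kAllProtos & ~kTLSv11;
    } else if (setting == "tlsv12") {
        disabled |= kAllProtos & ~kTLSv12;
    } else {
        // Unlike a silent fallback to one fixed version, reject unknown
        // settings so a typo cannot weaken the policy unnoticed.
        throw std::invalid_argument("unknown TLSProtocol setting: " + setting);
    }
    return disabled;
}

// True when a handshake that negotiated 'negotiated' is allowed under 'setting'.
bool accepts(const std::string& setting, Proto negotiated) {
    return (disabledProtocols(setting) & negotiated) == 0;
}

// Validates a setting up front, e.g. while parsing connection properties.
bool isKnownSetting(const std::string& setting) {
    try { disabledProtocols(setting); return true; }
    catch (const std::invalid_argument&) { return false; }
}
```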



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
