enabled TLSv1.1 and 1.2 support in configuration

pocoproject · Sep 2, 2014 · 1a81dbe · 1a81dbe
1 parent 3f1e2c0
commit 1a81dbe
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 2 deletions.
diff --git a/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h b/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h
@@ -92,6 +92,8 @@ class NetSSL_API SSLManager
 	///            <sessionTimeout>0..n</sessionTimeout>           <!-- server only -->
 	///            <extendedVerification>true|false</extendedVerification>
 	///            <requireTLSv1>true|false</requireTLSv1>
+	///            <requireTLSv1_1>true|false</requireTLSv1_1>
+	///            <requireTLSv1_2>true|false</requireTLSv1_2>
 	///          </server|client>
 	///          <fips>false</fips>
 	///       </openSSL>
@@ -133,6 +135,8 @@ class NetSSL_API SSLManager
 	///    - extendedVerification (boolean): Enable or disable the automatic post-connection
 	///      extended certificate verification.
 	///    - requireTLSv1 (boolean): Require a TLSv1 connection.
+	///    - requireTLSv1_1 (boolean): Require a TLSv1.1 connection.
+	///    - requireTLSv1_2 (boolean): Require a TLSv1.2 connection.
 	///    - fips: Enable or disable OpenSSL FIPS mode. Only supported if the OpenSSL version 
 	///      that this library is built against supports FIPS mode.
 {
@@ -313,6 +317,8 @@ class NetSSL_API SSLManager
 	static const std::string CFG_SESSION_TIMEOUT;
 	static const std::string CFG_EXTENDED_VERIFICATION;
 	static const std::string CFG_REQUIRE_TLSV1;
+	static const std::string CFG_REQUIRE_TLSV1_1;
+	static const std::string CFG_REQUIRE_TLSV1_2;
 
 #ifdef OPENSSL_FIPS
 	static const std::string CFG_FIPS_MODE;

diff --git a/NetSSL_OpenSSL/src/SSLManager.cpp b/NetSSL_OpenSSL/src/SSLManager.cpp
@@ -54,6 +54,8 @@ const std::string SSLManager::CFG_SESSION_CACHE_SIZE("sessionCacheSize");
 const std::string SSLManager::CFG_SESSION_TIMEOUT("sessionTimeout");
 const std::string SSLManager::CFG_EXTENDED_VERIFICATION("extendedVerification");
 const std::string SSLManager::CFG_REQUIRE_TLSV1("requireTLSv1");
+const std::string SSLManager::CFG_REQUIRE_TLSV1_1("requireTLSv1_1");
+const std::string SSLManager::CFG_REQUIRE_TLSV1_2("requireTLSv1_2");
 #ifdef OPENSSL_FIPS
 const std::string SSLManager::CFG_FIPS_MODE("openSSL.fips");
 const bool        SSLManager::VAL_FIPS_MODE(false);
@@ -251,10 +253,34 @@ void SSLManager::initDefaultContext(bool server)
 	std::string cipherList = config.getString(prefix + CFG_CIPHER_LIST, VAL_CIPHER_LIST);
 	cipherList = config.getString(prefix + CFG_CYPHER_LIST, cipherList); // for backwards compatibility
 	bool requireTLSv1 = config.getBool(prefix + CFG_REQUIRE_TLSV1, false);
+	bool requireTLSv1_1 = config.getBool(prefix + CFG_REQUIRE_TLSV1_1, false);
+	bool requireTLSv1_2 = config.getBool(prefix + CFG_REQUIRE_TLSV1_2, false);
+	Context::Usage usage;
+
 	if (server)
-		_ptrDefaultServerContext = new Context(requireTLSv1 ? Context::TLSV1_SERVER_USE : Context::SERVER_USE, privKeyFile, certFile, caLocation, verMode, verDepth, loadDefCA, cipherList);
+	{
+		if (requireTLSv1_2)
+			usage = Context::TLSV1_2_SERVER_USE;
+		else if (requireTLSv1_1)
+			usage = Context::TLSV1_1_SERVER_USE;
+		else if (requireTLSv1)
+			usage = Context::TLSV1_SERVER_USE;
+		else
+			usage = Context::SERVER_USE;
+	}
 	else
-		_ptrDefaultClientContext = new Context(requireTLSv1 ? Context::TLSV1_CLIENT_USE : Context::CLIENT_USE, privKeyFile, certFile, caLocation, verMode, verDepth, loadDefCA, cipherList);
+	{
+		if (requireTLSv1_2)
+			usage = Context::TLSV1_2_CLIENT_USE;
+		else if (requireTLSv1_1)
+			usage = Context::TLSV1_1_CLIENT_USE;
+		else if (requireTLSv1)
+			usage = Context::TLSV1_CLIENT_USE;
+		else
+			usage = Context::CLIENT_USE;
+	}
+
+	_ptrDefaultClientContext = new Context(usage, privKeyFile, certFile, caLocation, verMode, verDepth, loadDefCA, cipherList);
 
 	bool cacheSessions = config.getBool(prefix + CFG_CACHE_SESSIONS, false);
 	if (server)