ssl: Disable SSLv2 and SSLv3, output cipher name in stream status.

sconemad · Oct 16, 2014 · 3b886c3 · 3b886c3
1 parent b1cb85e
commit 3b886c3
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/ssl/SSLChannel.cpp b/ssl/SSLChannel.cpp
@@ -38,12 +38,16 @@ SSLChannel::SSLChannel(SSLModule& mod,
 
   if (client) {
     m_ctx = SSL_CTX_new( SSLv23_client_method() );
+    DEBUG_ASSERT(0 != m_ctx,"SSLChannel() Bad SSL context");
   } else {
     m_ctx = SSL_CTX_new( SSLv23_server_method() );
+    DEBUG_ASSERT(0 != m_ctx,"SSLChannel() Bad SSL context");
     SSL_CTX_set_tlsext_servername_callback(m_ctx, SSLStream::sni_callback);
   }
 
-  DEBUG_ASSERT(0 != m_ctx,"SSLChannel() Bad SSL context");
+  // Disallow old SSL protocols
+  SSL_CTX_set_options(m_ctx, SSL_OP_NO_SSLv2);
+  SSL_CTX_set_options(m_ctx, SSL_OP_NO_SSLv3);
 }
 
 //=========================================================================

diff --git a/ssl/SSLStream.cpp b/ssl/SSLStream.cpp
@@ -239,7 +239,7 @@ scx::Condition SSLStream::connect_ssl(scx::Stream::Event e)
     return scx::Wait;
   }
 
-  SSLStream_DEBUG_LOG("Opened SSL connection using " << SSL_get_cipher(m_ssl));
+  SSLStream_DEBUG_LOG("Opened secure connection using " << SSL_get_cipher(m_ssl));
 
   m_seq = Connected;
   enable_event(scx::Stream::Opening,true);
@@ -260,6 +260,12 @@ std::string SSLStream::stream_status() const
   case Connected: oss << "CONNECTED"; break;
   default: oss << "UNKNOWN!"; break;
   }
+  if (m_ssl) {
+    const SSL_CIPHER* cipher = SSL_get_current_cipher(m_ssl);
+    if (cipher) {
+      oss << " cipher:" << SSL_CIPHER_get_name(cipher);
+    }
+  }
   return oss.str();
 }