Add ssl-ctx-set-min-ssl-version, ssl-ctx-set-max-ssl-version, etc #108
jfmcbrayer wants to merge 1 commit into cl-plus-ssl:master from
These functions were added in OpenSSL 1.1.0, and setting the min/max versions through options is now deprecated. This patch adds the functions for setting the minimum and maximum protocol versions, the constants that represent those versions, and additional keyword arguments to make-context.
As a note: in the master branch, make-context with the method set to tls-method, and disabled-protocols set to the list of protocols you want "works", in that it produces a working context, but it doesn't actually restrict the protocols. This is with OpenSSL 1.1.1g. It may work correctly in OpenSSL 1.0 or in other compatible libraries... With this patch, it works correctly with OpenSSL 1.1.1g.
| (ssl-ctx-set-options ctx (apply #'logior (append disabled-protocols options))) | ||
| (ssl-ctx-set-min-proto-version ctx min-ssl-version) | ||
| (ssl-ctx-set-max-proto-version ctx max-ssl-version) | ||
| (ssl-ctx-set-min-proto-version ctx +tls1-2-version+) |
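Review bot: the last line, (ssl-ctx-set-min-proto-version ctx +tls1-2-version+), runs after the call that applies min-ssl-version and overrides it with a hard-coded TLS 1.2 floor, so the new keyword argument has no effect whenever a caller asks for a lower minimum; drop that line and keep only the two calls that apply min-ssl-version and max-ssl-version. Since ssl-ctx-set-min-proto-version and ssl-ctx-set-max-proto-version exist only from OpenSSL 1.1.0 onward, consider guarding these two calls (for example with openssl-is-at-least) so that make-context still works against older libraries.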
hardcoded value? is that a mistake?
Yes, it's something I left in from testing. The first two lines (apply value from args) are correct, the third needs to be removed. I'll do that.
| (verify-mode +ssl-verify-peer+) | ||
| (verify-callback nil verify-callback-supplied-p) | ||
| (cipher-list +default-cipher-list+) | ||
| (pem-password-callback 'pem-password-callback)) |
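Review bot: none of these make-context keywords (verify-mode, verify-callback, cipher-list, pem-password-callback) relates to the new min/max version arguments, so if they appear in the diff only because the editor re-indented them, revert that whitespace change so the hunk contains just the added min-ssl-version and max-ssl-version keywords.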
My apologies. Emacs did it. I'll undo it.
We need to have this functionality working on all OpenSSL versions. Also, TravisCI SBCL tests have failed for your PR: https://travis-ci.org/github/cl-plus-ssl/cl-plus-ssl/builds/700205095?utm_source=github_status&utm_medium=notification I'm not sure if that's because of your changes, or our Travis env has changed (we use roswell, coverall, etc). But we can't merge until this is clarified.
I can add a test, but I'm not sure what to do about OpenSSL versions before 1.1.0, because I think that's where those functions were added. I also have no idea about TravisCI.
When I say it should work in all versions I mean at least merge of this code should not break the old versions. If necessary, the code can branch using (openssl-is-at-least ... ) / (openssl-is-not-even ...) functions. Although the current code doesn't break, because it doesn't try to call any functions not existing in old versions, it only passes new integer constants as options. BTW, if disabling protocols via the options is deprecated, it should still work? I understand deprecation as still working but maybe dropped in the future. So it is strange it doesn't work for you. A working test for protocol limits could clarify this.
I'll prioritize writing tests over fixing up this PR, because I agree that it's important to have a test that shows using options to set protocol versions doesn't work with recent OpenSSL.

I agree with you about 'deprecated'. The current documentation implies that it works, but it doesn't according to my tests.
Force-pushed: 7da553f to f1ac20a
Force-pushed: f2b0e3b to ed25ffc
Force-pushed: 58cba6b to 48f88ce
Force-pushed: 93d302f to 13d824e
Force-pushed: 7f45344 to d3e3cc9