From 8869ec56818c5d35ce9b725de64c7265697d3292 Mon Sep 17 00:00:00 2001 From: Damian Jarek Date: Thu, 14 Mar 2019 17:40:41 +0100 Subject: [PATCH] Use secure TLS/SSL versions: TLS1.2 can be used instead, it is available in all currently supported versions of OpenSSL. Signed-off-by: Damian Jarek --- CHANGELOG.md | 1 + .../server-flex/advanced_server_flex.cpp | 2 +- .../async-ssl/http_client_async_ssl.cpp | 6 +- .../client/coro-ssl/http_client_coro_ssl.cpp | 4 +- .../client/sync-ssl/http_client_sync_ssl.cpp | 2 +- .../async-ssl/http_server_async_ssl.cpp | 2 +- .../server/coro-ssl/http_server_coro_ssl.cpp | 2 +- example/http/server/flex/http_server_flex.cpp | 2 +- .../http_server_stackless_ssl.cpp | 6 +- .../server/sync-ssl/http_server_sync_ssl.cpp | 2 +- .../async-ssl/websocket_client_async_ssl.cpp | 6 +- .../coro-ssl/websocket_client_coro_ssl.cpp | 2 +- .../sync-ssl/websocket_client_sync_ssl.cpp | 2 +- .../async-ssl/websocket_server_async_ssl.cpp | 4 +- .../coro-ssl/websocket_server_coro_ssl.cpp | 2 +- .../websocket_server_stackless_ssl.cpp | 8 +-- .../sync-ssl/websocket_server_sync_ssl.cpp | 2 +- include/boost/beast/ssl/ssl_stream.hpp | 56 +++++++++---------- test/beast/websocket/doc_snippets.cpp | 4 +- test/beast/websocket/ssl.cpp | 2 +- test/doc/core_3_timeouts.cpp | 2 +- test/doc/snippets.ipp | 2 +- test/doc/websocket_common.ipp | 2 +- 23 files changed, 62 insertions(+), 61 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f6d1872e..25cda0b3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,7 @@ Version 233: * Check __ANDROID__ instead +* Use secure TLS/SSL versions -------------------------------------------------------------------------------- diff --git a/example/advanced/server-flex/advanced_server_flex.cpp b/example/advanced/server-flex/advanced_server_flex.cpp index 5bbf64d9..c65d3182 100644 --- a/example/advanced/server-flex/advanced_server_flex.cpp +++ b/example/advanced/server-flex/advanced_server_flex.cpp @@ -971,7 +971,7 @@ int main(int argc, char* argv[]) net::io_context ioc{threads}; // The SSL context is required, and holds certificates - ssl::context ctx{ssl::context::sslv23}; + ssl::context ctx{ssl::context::tlsv12}; // This holds the self-signed certificate used by the server load_server_certificate(ctx); diff --git a/example/http/client/async-ssl/http_client_async_ssl.cpp b/example/http/client/async-ssl/http_client_async_ssl.cpp index 83d69c59..6248c33f 100644 --- a/example/http/client/async-ssl/http_client_async_ssl.cpp +++ b/example/http/client/async-ssl/http_client_async_ssl.cpp @@ -150,7 +150,7 @@ public: if(ec) return fail(ec, "write"); - + // Receive the HTTP response http::async_read(stream_, buffer_, res_, beast::bind_front_handler( @@ -220,11 +220,11 @@ int main(int argc, char** argv) net::io_context ioc; // The SSL context is required, and holds certificates - ssl::context ctx{ssl::context::sslv23_client}; + ssl::context ctx{ssl::context::tlsv12_client}; // This holds the root certificate used for verification load_root_certificates(ctx); - + // Verify the remote server's certificate ctx.set_verify_mode(ssl::verify_peer); diff --git a/example/http/client/coro-ssl/http_client_coro_ssl.cpp b/example/http/client/coro-ssl/http_client_coro_ssl.cpp index d2a16d2b..83ae32da 100644 --- a/example/http/client/coro-ssl/http_client_coro_ssl.cpp +++ b/example/http/client/coro-ssl/http_client_coro_ssl.cpp @@ -153,11 +153,11 @@ int main(int argc, char** argv) net::io_context ioc; // The SSL context is required, and holds certificates - ssl::context ctx{ssl::context::sslv23_client}; + ssl::context ctx{ssl::context::tlsv12_client}; // This holds the root certificate used for verification load_root_certificates(ctx); - + // Verify the remote server's certificate ctx.set_verify_mode(ssl::verify_peer); diff --git a/example/http/client/sync-ssl/http_client_sync_ssl.cpp b/example/http/client/sync-ssl/http_client_sync_ssl.cpp index c38208fc..726c8420 100644 --- a/example/http/client/sync-ssl/http_client_sync_ssl.cpp +++ b/example/http/client/sync-ssl/http_client_sync_ssl.cpp @@ -57,7 +57,7 @@ int main(int argc, char** argv) net::io_context ioc; // The SSL context is required, and holds certificates - ssl::context ctx(ssl::context::sslv23_client); + ssl::context ctx(ssl::context::tlsv12_client); // This holds the root certificate used for verification load_root_certificates(ctx); diff --git a/example/http/server/async-ssl/http_server_async_ssl.cpp b/example/http/server/async-ssl/http_server_async_ssl.cpp index 3fae107d..3bb8a415 100644 --- a/example/http/server/async-ssl/http_server_async_ssl.cpp +++ b/example/http/server/async-ssl/http_server_async_ssl.cpp @@ -521,7 +521,7 @@ int main(int argc, char* argv[]) net::io_context ioc{threads}; // The SSL context is required, and holds certificates - ssl::context ctx{ssl::context::sslv23}; + ssl::context ctx{ssl::context::tlsv12}; // This holds the self-signed certificate used by the server load_server_certificate(ctx); diff --git a/example/http/server/coro-ssl/http_server_coro_ssl.cpp b/example/http/server/coro-ssl/http_server_coro_ssl.cpp index 5d515aad..06f12603 100644 --- a/example/http/server/coro-ssl/http_server_coro_ssl.cpp +++ b/example/http/server/coro-ssl/http_server_coro_ssl.cpp @@ -402,7 +402,7 @@ int main(int argc, char* argv[]) net::io_context ioc{threads}; // The SSL context is required, and holds certificates - ssl::context ctx{ssl::context::sslv23}; + ssl::context ctx{ssl::context::tlsv12}; // This holds the self-signed certificate used by the server load_server_certificate(ctx); diff --git a/example/http/server/flex/http_server_flex.cpp b/example/http/server/flex/http_server_flex.cpp index 560be4dd..c4cac9fd 100644 --- a/example/http/server/flex/http_server_flex.cpp +++ b/example/http/server/flex/http_server_flex.cpp @@ -671,7 +671,7 @@ int main(int argc, char* argv[]) net::io_context ioc{threads}; // The SSL context is required, and holds certificates - ssl::context ctx{ssl::context::sslv23}; + ssl::context ctx{ssl::context::tlsv12}; // This holds the self-signed certificate used by the server load_server_certificate(ctx); diff --git a/example/http/server/stackless-ssl/http_server_stackless_ssl.cpp b/example/http/server/stackless-ssl/http_server_stackless_ssl.cpp index 6fb0db80..c05c66cb 100644 --- a/example/http/server/stackless-ssl/http_server_stackless_ssl.cpp +++ b/example/http/server/stackless-ssl/http_server_stackless_ssl.cpp @@ -308,7 +308,7 @@ public: } #include - + void loop( beast::error_code ec, @@ -465,7 +465,7 @@ public: private: #include - + void loop(beast::error_code ec = {}) { @@ -523,7 +523,7 @@ int main(int argc, char* argv[]) net::io_context ioc{threads}; // The SSL context is required, and holds certificates - ssl::context ctx{ssl::context::sslv23}; + ssl::context ctx{ssl::context::tlsv12}; // This holds the self-signed certificate used by the server load_server_certificate(ctx); diff --git a/example/http/server/sync-ssl/http_server_sync_ssl.cpp b/example/http/server/sync-ssl/http_server_sync_ssl.cpp index 113f0374..4fdd2d76 100644 --- a/example/http/server/sync-ssl/http_server_sync_ssl.cpp +++ b/example/http/server/sync-ssl/http_server_sync_ssl.cpp @@ -325,7 +325,7 @@ int main(int argc, char* argv[]) net::io_context ioc{1}; // The SSL context is required, and holds certificates - ssl::context ctx{ssl::context::sslv23}; + ssl::context ctx{ssl::context::tlsv12}; // This holds the self-signed certificate used by the server load_server_certificate(ctx); diff --git a/example/websocket/client/async-ssl/websocket_client_async_ssl.cpp b/example/websocket/client/async-ssl/websocket_client_async_ssl.cpp index 6062c8d0..7251620a 100644 --- a/example/websocket/client/async-ssl/websocket_client_async_ssl.cpp +++ b/example/websocket/client/async-ssl/websocket_client_async_ssl.cpp @@ -153,7 +153,7 @@ public: { if(ec) return fail(ec, "handshake"); - + // Send the message ws_.async_write( net::buffer(text_), @@ -171,7 +171,7 @@ public: if(ec) return fail(ec, "write"); - + // Read a message into our buffer ws_.async_read( buffer_, @@ -231,7 +231,7 @@ int main(int argc, char** argv) net::io_context ioc; // The SSL context is required, and holds certificates - ssl::context ctx{ssl::context::sslv23_client}; + ssl::context ctx{ssl::context::tlsv12_client}; // This holds the root certificate used for verification load_root_certificates(ctx); diff --git a/example/websocket/client/coro-ssl/websocket_client_coro_ssl.cpp b/example/websocket/client/coro-ssl/websocket_client_coro_ssl.cpp index e7b2cc51..244ae92f 100644 --- a/example/websocket/client/coro-ssl/websocket_client_coro_ssl.cpp +++ b/example/websocket/client/coro-ssl/websocket_client_coro_ssl.cpp @@ -147,7 +147,7 @@ int main(int argc, char** argv) net::io_context ioc; // The SSL context is required, and holds certificates - ssl::context ctx{ssl::context::sslv23_client}; + ssl::context ctx{ssl::context::tlsv12_client}; // This holds the root certificate used for verification load_root_certificates(ctx); diff --git a/example/websocket/client/sync-ssl/websocket_client_sync_ssl.cpp b/example/websocket/client/sync-ssl/websocket_client_sync_ssl.cpp index cce21be9..8291e479 100644 --- a/example/websocket/client/sync-ssl/websocket_client_sync_ssl.cpp +++ b/example/websocket/client/sync-ssl/websocket_client_sync_ssl.cpp @@ -55,7 +55,7 @@ int main(int argc, char** argv) net::io_context ioc; // The SSL context is required, and holds certificates - ssl::context ctx{ssl::context::sslv23_client}; + ssl::context ctx{ssl::context::tlsv12_client}; // This holds the root certificate used for verification load_root_certificates(ctx); diff --git a/example/websocket/server/async-ssl/websocket_server_async_ssl.cpp b/example/websocket/server/async-ssl/websocket_server_async_ssl.cpp index d7ecd4a1..fdc57aed 100644 --- a/example/websocket/server/async-ssl/websocket_server_async_ssl.cpp +++ b/example/websocket/server/async-ssl/websocket_server_async_ssl.cpp @@ -277,9 +277,9 @@ int main(int argc, char* argv[]) // The io_context is required for all I/O net::io_context ioc{threads}; - + // The SSL context is required, and holds certificates - ssl::context ctx{ssl::context::sslv23}; + ssl::context ctx{ssl::context::tlsv12}; // This holds the self-signed certificate used by the server load_server_certificate(ctx); diff --git a/example/websocket/server/coro-ssl/websocket_server_coro_ssl.cpp b/example/websocket/server/coro-ssl/websocket_server_coro_ssl.cpp index c0374fce..03c48e7f 100644 --- a/example/websocket/server/coro-ssl/websocket_server_coro_ssl.cpp +++ b/example/websocket/server/coro-ssl/websocket_server_coro_ssl.cpp @@ -177,7 +177,7 @@ int main(int argc, char* argv[]) net::io_context ioc{threads}; // The SSL context is required, and holds certificates - ssl::context ctx{ssl::context::sslv23}; + ssl::context ctx{ssl::context::tlsv12}; // This holds the self-signed certificate used by the server load_server_certificate(ctx); diff --git a/example/websocket/server/stackless-ssl/websocket_server_stackless_ssl.cpp b/example/websocket/server/stackless-ssl/websocket_server_stackless_ssl.cpp index a390f99c..0ddd0d3a 100644 --- a/example/websocket/server/stackless-ssl/websocket_server_stackless_ssl.cpp +++ b/example/websocket/server/stackless-ssl/websocket_server_stackless_ssl.cpp @@ -69,7 +69,7 @@ public: } #include - + void loop( beast::error_code ec, @@ -228,7 +228,7 @@ public: private: #include - + void loop(beast::error_code ec = {}) { @@ -280,9 +280,9 @@ int main(int argc, char* argv[]) // The io_context is required for all I/O net::io_context ioc{threads}; - + // The SSL context is required, and holds certificates - ssl::context ctx{ssl::context::sslv23}; + ssl::context ctx{ssl::context::tlsv12}; // This holds the self-signed certificate used by the server load_server_certificate(ctx); diff --git a/example/websocket/server/sync-ssl/websocket_server_sync_ssl.cpp b/example/websocket/server/sync-ssl/websocket_server_sync_ssl.cpp index 1795a666..5a7b4dc0 100644 --- a/example/websocket/server/sync-ssl/websocket_server_sync_ssl.cpp +++ b/example/websocket/server/sync-ssl/websocket_server_sync_ssl.cpp @@ -107,7 +107,7 @@ int main(int argc, char* argv[]) net::io_context ioc{1}; // The SSL context is required, and holds certificates - ssl::context ctx{ssl::context::sslv23}; + ssl::context ctx{ssl::context::tlsv12}; // This holds the self-signed certificate used by the server load_server_certificate(ctx); diff --git a/include/boost/beast/ssl/ssl_stream.hpp b/include/boost/beast/ssl/ssl_stream.hpp index cfc37165..389320dd 100644 --- a/include/boost/beast/ssl/ssl_stream.hpp +++ b/include/boost/beast/ssl/ssl_stream.hpp @@ -19,7 +19,7 @@ // VFALCO We include this because anyone who uses ssl will // very likely need to check for ssl::error::stream_truncated -#include +#include #include #include @@ -34,28 +34,28 @@ namespace beast { The stream class template provides asynchronous and blocking stream-oriented functionality using SSL. - + @par Thread Safety @e Distinct @e objects: Safe.@n @e Shared @e objects: Unsafe. The application must also ensure that all asynchronous operations are performed within the same implicit or explicit strand. - + @par Example To use this template with a @ref tcp_stream, you would write: @code net::io_context ioc; - net::ssl::context ctx{net::ssl::context::sslv23}; + net::ssl::context ctx{net::ssl::context::tlsv12}; beast::ssl_stream sock{ioc, ctx}; @endcode In addition to providing an interface identical to `net::ssl::stream`, the wrapper has the following additional properties: - + @li Satisfies @b MoveConstructible - + @li Satisfies @b MoveAssignable - + @li Constructible from a moved socket. @li Uses @ref flat_stream internally, as a performance work-around for a @@ -128,16 +128,16 @@ public: This function may be used to obtain the underlying implementation of the context. This is intended to allow access to context functionality that is not otherwise provided. - + @par Example The native_handle() function returns a pointer of type @c SSL* that is suitable for passing to functions such as @c SSL_get_verify_result and @c SSL_get_peer_certificate: @code boost::beast::ssl_stream ss{ioc, ctx}; - + // ... establish connection and perform handshake ... - + if (X509* cert = SSL_get_peer_certificate(ss.native_handle())) { if (SSL_get_verify_result(ss.native_handle()) == X509_V_OK) @@ -191,11 +191,11 @@ public: This function may be used to configure the peer verification mode used by the stream. The new mode will override the mode inherited from the context. - + @param v A bitmask of peer verification modes. - + @throws boost::system::system_error Thrown on failure. - + @note Calls @c SSL_set_verify. */ void @@ -208,12 +208,12 @@ public: This function may be used to configure the peer verification mode used by the stream. The new mode will override the mode inherited from the context. - + @param v A bitmask of peer verification modes. See `verify_mode` for available values. - + @param ec Set to indicate what error occurred, if any. - + @note Calls @c SSL_set_verify. */ void @@ -227,12 +227,12 @@ public: This function may be used to configure the maximum verification depth allowed by the stream. - + @param depth Maximum depth for the certificate chain verification that shall be allowed. - + @throws boost::system::system_error Thrown on failure. - + @note Calls @c SSL_set_verify_depth. */ void @@ -245,12 +245,12 @@ public: This function may be used to configure the maximum verification depth allowed by the stream. - + @param depth Maximum depth for the certificate chain verification that shall be allowed. - + @param ec Set to indicate what error occurred, if any. - + @note Calls @c SSL_set_verify_depth. */ void @@ -264,7 +264,7 @@ public: This function is used to specify a callback function that will be called by the implementation when it needs to verify a peer certificate. - + @param callback The function object to be used for verifying a certificate. The function signature of the handler must be: @code bool verify_callback( @@ -273,9 +273,9 @@ public: ); @endcode The return value of the callback is true if the certificate has passed verification, false otherwise. - + @throws boost::system::system_error Thrown on failure. - + @note Calls @c SSL_set_verify. */ template @@ -289,7 +289,7 @@ public: This function is used to specify a callback function that will be called by the implementation when it needs to verify a peer certificate. - + @param callback The function object to be used for verifying a certificate. The function signature of the handler must be: @code bool verify_callback( @@ -298,9 +298,9 @@ public: ); @endcode The return value of the callback is true if the certificate has passed verification, false otherwise. - + @param ec Set to indicate what error occurred, if any. - + @note Calls @c SSL_set_verify. */ template diff --git a/test/beast/websocket/doc_snippets.cpp b/test/beast/websocket/doc_snippets.cpp index 4539350a..4e8ae0ea 100644 --- a/test/beast/websocket/doc_snippets.cpp +++ b/test/beast/websocket/doc_snippets.cpp @@ -255,7 +255,7 @@ net::ip::tcp::socket sock{ios}; { //[wss_snippet_2 - net::ssl::context ctx{net::ssl::context::sslv23}; + net::ssl::context ctx{net::ssl::context::tlsv12}; stream> wss{ios, ctx}; //] } @@ -263,7 +263,7 @@ net::ip::tcp::socket sock{ios}; { //[wss_snippet_3 net::ip::tcp::endpoint ep; - net::ssl::context ctx{net::ssl::context::sslv23}; + net::ssl::context ctx{net::ssl::context::tlsv12}; stream> ws{ios, ctx}; // connect the underlying TCP/IP socket diff --git a/test/beast/websocket/ssl.cpp b/test/beast/websocket/ssl.cpp index d810c781..cbb64eea 100644 --- a/test/beast/websocket/ssl.cpp +++ b/test/beast/websocket/ssl.cpp @@ -31,7 +31,7 @@ public: testTeardown() { net::io_context ioc; - net::ssl::context ctx(net::ssl::context::sslv23); + net::ssl::context ctx(net::ssl::context::tlsv12); Socket ss(ioc, ctx); struct handler diff --git a/test/doc/core_3_timeouts.cpp b/test/doc/core_3_timeouts.cpp index 648f0b93..5b7630f0 100644 --- a/test/doc/core_3_timeouts.cpp +++ b/test/doc/core_3_timeouts.cpp @@ -299,7 +299,7 @@ https_get (std::string const& host, std::string const& target, error_code& ec) // This context is used to hold client and server certificates. // We do not perform certificate verification in this example. - net::ssl::context ctx(net::ssl::context::sslv23); + net::ssl::context ctx(net::ssl::context::tlsv12); // This string will hold the body of the HTTP response, if any. std::string result; diff --git a/test/doc/snippets.ipp b/test/doc/snippets.ipp index 51409925..153928d4 100644 --- a/test/doc/snippets.ipp +++ b/test/doc/snippets.ipp @@ -22,5 +22,5 @@ std::thread t{[&](){ ioc.run(); }}; tcp::socket sock(ioc); -ssl::context ctx(ssl::context::sslv23); +ssl::context ctx(ssl::context::tlsv12); diff --git a/test/doc/websocket_common.ipp b/test/doc/websocket_common.ipp index d1ce0cb0..19f5603f 100644 --- a/test/doc/websocket_common.ipp +++ b/test/doc/websocket_common.ipp @@ -16,6 +16,6 @@ using namespace boost::beast::websocket; net::io_context ioc; tcp_stream sock(ioc); -net::ssl::context ctx(net::ssl::context::sslv23); +net::ssl::context ctx(net::ssl::context::tlsv12); //]