diff options
author | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2011-08-26 00:02:29 +0000 |
---|---|---|
committer | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2011-08-26 00:02:29 +0000 |
commit | 4f6928cc0493ede41e90b6fa4e1cde570bd17336 (patch) | |
tree | f73d03580d02af6455a388366474cdc98c4e0819 /pki/base/tps/src/httpClient/engine.cpp | |
parent | e90d291d9a737369587711eb6a879d700a3c5d7b (diff) | |
download | pki-4f6928cc0493ede41e90b6fa4e1cde570bd17336.tar.gz pki-4f6928cc0493ede41e90b6fa4e1cde570bd17336.tar.xz pki-4f6928cc0493ede41e90b6fa4e1cde570bd17336.zip |
Bugzilla 730146 - SSL handshake picks non-FIPS ciphers in FIPS mode
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2180 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/tps/src/httpClient/engine.cpp')
-rw-r--r-- | pki/base/tps/src/httpClient/engine.cpp | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/pki/base/tps/src/httpClient/engine.cpp b/pki/base/tps/src/httpClient/engine.cpp index 46efe42d3..621a37244 100644 --- a/pki/base/tps/src/httpClient/engine.cpp +++ b/pki/base/tps/src/httpClient/engine.cpp @@ -182,6 +182,24 @@ int ssl3Suites[] = { 0 }; +int tlsSuites[] = { +// TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, +// TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, +// TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_AES_128_CBC_SHA, + TLS_RSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, +// TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, +// TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, +// TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA +}; + void disableAllCiphersOnSocket(PRFileDesc* sock) { int i; int numsuites = SSL_NumImplementedCiphers; @@ -199,6 +217,13 @@ void __EXPORT EnableAllSSL3Ciphers(PRFileDesc* sock) { } } +void __EXPORT EnableAllTLSCiphers(PRFileDesc* sock) { + int i =0; + while (tlsSuites[i]) { + SSL_CipherPrefSet(sock, tlsSuites[i++], SSL_ALLOWED); + } +} + PRBool __EXPORT EnableCipher(const char* cipherString) { int ndx; @@ -504,6 +529,18 @@ void nodelay(PRFileDesc* fd) { } +void __EXPORT setDefaultAllTLSCiphers() { + int i =0; + char alg[256]; + while (tlsSuites[i]) { + PR_snprintf((char *)alg, 256, "%x", tlsSuites[i]); + RA::Debug( LL_PER_PDU, + "setDefaultAllTLSCiphers", + alg); + SSL_CipherPrefSetDefault(tlsSuites[i++], PR_TRUE); + } +} + /** * Returns a file descriptor for I/O if the HTTP connection is successful * @param addr PRnetAddr structure which points to the server to connect to @@ -521,6 +558,7 @@ PRFileDesc * Engine::_doConnect(PRNetAddr *addr, PRBool SSLOn, PRFileDesc *sock = NULL; SSL_CipherPrefSetDefault(0xC005 /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */, PR_TRUE); + setDefaultAllTLSCiphers(); tcpsock = PR_OpenTCPSocket(addr->raw.family); @@ -547,6 +585,9 @@ PRFileDesc * Engine::_doConnect(PRNetAddr *addr, PRBool SSLOn, nodelay(tcpsock); if (PR_TRUE == SSLOn) { + RA::Debug( LL_PER_PDU, + "Engine::_doConnect: ", + "SSL is ON" ); sock=SSL_ImportFD(NULL, tcpsock); if (!sock) { //xxx log @@ -635,8 +676,15 @@ PRFileDesc * Engine::_doConnect(PRNetAddr *addr, PRBool SSLOn, return NULL; } + RA::Debug( LL_PER_PDU, + "Engine::_doConnect: ", + "end SSL is ON" ); + //EnableAllTLSCiphers( sock); //EnableAllSSL3Ciphers( sock); } else { + RA::Debug( LL_PER_PDU, + "Engine::_doConnect: ", + "SSL is OFF" ); sock = tcpsock; } |