|
|
|
@ -890,7 +890,8 @@ static int NullVerifyCallback(int /*preverify_ok*/, X509_STORE_CTX* /*ctx*/) { |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// Sets the min and max TLS version of |ssl_context| to |min_tls_version| and
|
|
|
|
|
// |max_tls_version|, respectively.
|
|
|
|
|
// |max_tls_version|, respectively. Calling this method is a no-op when using
|
|
|
|
|
// OpenSSL versions < 1.1.
|
|
|
|
|
static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
SSL_CTX* ssl_context, tsi_tls_version min_tls_version, |
|
|
|
|
tsi_tls_version max_tls_version) { |
|
|
|
@ -899,9 +900,9 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
"Invalid nullptr argument to |tsi_set_min_and_max_tls_versions|."); |
|
|
|
|
return TSI_INVALID_ARGUMENT; |
|
|
|
|
} |
|
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10100000 |
|
|
|
|
// Set the min TLS version of the SSL context.
|
|
|
|
|
switch (min_tls_version) { |
|
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10100000 |
|
|
|
|
case tsi_tls_version::TSI_TLS1_2: |
|
|
|
|
SSL_CTX_set_min_proto_version(ssl_context, TLS1_2_VERSION); |
|
|
|
|
break; |
|
|
|
@ -909,7 +910,6 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
case tsi_tls_version::TSI_TLS1_3: |
|
|
|
|
SSL_CTX_set_min_proto_version(ssl_context, TLS1_3_VERSION); |
|
|
|
|
break; |
|
|
|
|
#endif |
|
|
|
|
#endif |
|
|
|
|
default: |
|
|
|
|
gpr_log(GPR_INFO, "TLS version is not supported."); |
|
|
|
@ -917,7 +917,6 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
} |
|
|
|
|
// Set the max TLS version of the SSL context.
|
|
|
|
|
switch (max_tls_version) { |
|
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10100000 |
|
|
|
|
case tsi_tls_version::TSI_TLS1_2: |
|
|
|
|
SSL_CTX_set_max_proto_version(ssl_context, TLS1_2_VERSION); |
|
|
|
|
break; |
|
|
|
@ -925,12 +924,12 @@ static tsi_result tsi_set_min_and_max_tls_versions( |
|
|
|
|
case tsi_tls_version::TSI_TLS1_3: |
|
|
|
|
SSL_CTX_set_max_proto_version(ssl_context, TLS1_3_VERSION); |
|
|
|
|
break; |
|
|
|
|
#endif |
|
|
|
|
#endif |
|
|
|
|
default: |
|
|
|
|
gpr_log(GPR_INFO, "TLS version is not supported."); |
|
|
|
|
return TSI_FAILED_PRECONDITION; |
|
|
|
|
} |
|
|
|
|
#endif |
|
|
|
|
return TSI_OK; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
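Review bot: With the `#if OPENSSL_VERSION_NUMBER >= 0x10100000` now enclosing both switch statements and closing at the `#endif` just before `return TSI_OK;`, a build against an older OpenSSL accepts any requested `min_tls_version`/`max_tls_version` and reports success while enforcing nothing, so a caller that asked for a TLS 1.3 floor silently gets whatever the default method negotiates. The header comment in the -890 hunk documents this as a no-op, but the call site deserves a trace as well: add `#else` / `gpr_log(GPR_INFO, "TLS version bounds are not enforced with OpenSSL < 1.1.");` before that `#endif`. Separately, the `default:` branch of the max-version switch logs at `GPR_INFO` and then returns `TSI_FAILED_PRECONDITION` (the min-version switch appears to mirror it, its return falling between hunks); since the factories treat that as a hard failure, `GPR_ERROR` would make the rejected configuration visible in logs. The function body spans the hunks from -890 through this one.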
@ -1888,14 +1887,10 @@ tsi_result tsi_create_ssl_client_handshaker_factory_with_options( |
|
|
|
|
return TSI_INVALID_ARGUMENT; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10100000 |
|
|
|
|
ssl_context = SSL_CTX_new(TLS_method()); |
|
|
|
|
result = tsi_set_min_and_max_tls_versions( |
|
|
|
|
ssl_context, options->min_tls_version, options->max_tls_version); |
|
|
|
|
if (result != TSI_OK) return result; |
|
|
|
|
#else |
|
|
|
|
ssl_context = SSL_CTX_new(TLSv1_2_method()); |
|
|
|
|
#endif |
|
|
|
|
if (ssl_context == nullptr) { |
|
|
|
|
gpr_log(GPR_ERROR, "Could not create ssl context."); |
|
|
|
|
return TSI_INVALID_ARGUMENT; |
|
|
|
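Review bot: `tsi_set_min_and_max_tls_versions` is called on `ssl_context` before the `ssl_context == nullptr` check that follows the `#endif`, so an `SSL_CTX_new` failure is reported by the helper's "Invalid nullptr argument" path as `TSI_INVALID_ARGUMENT` and the "Could not create ssl context." log below is never reached. Move the null check directly after `ssl_context = SSL_CTX_new(TLS_method());` and call the helper afterwards. The server factory hunk at -2055 has the same ordering, and there the early `if (result != TSI_OK) return result;` inside the `do` block leaves the loop without whatever cleanup the `do { ... } while (0)` pattern presumably provides for `impl`, unlike the `result = TSI_OUT_OF_RESOURCES;` path beneath it — consider assigning `result` and breaking instead. With the `TLSv1_2_method()` fallback removed, `TLS_method()` is now used unconditionally; confirm it resolves on the OpenSSL < 1.1 builds that the remaining `#if` guards in this file still cater for. The enclosing function continues outside the hunk.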
@ -2055,15 +2050,11 @@ tsi_result tsi_create_ssl_server_handshaker_factory_with_options( |
|
|
|
|
|
|
|
|
|
for (i = 0; i < options->num_key_cert_pairs; i++) { |
|
|
|
|
do { |
|
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10100000 |
|
|
|
|
impl->ssl_contexts[i] = SSL_CTX_new(TLS_method()); |
|
|
|
|
result = tsi_set_min_and_max_tls_versions(impl->ssl_contexts[i], |
|
|
|
|
options->min_tls_version, |
|
|
|
|
options->max_tls_version); |
|
|
|
|
if (result != TSI_OK) return result; |
|
|
|
|
#else |
|
|
|
|
impl->ssl_contexts[i] = SSL_CTX_new(TLSv1_2_method()); |
|
|
|
|
#endif |
|
|
|
|
if (impl->ssl_contexts[i] == nullptr) { |
|
|
|
|
gpr_log(GPR_ERROR, "Could not create ssl context."); |
|
|
|
|
result = TSI_OUT_OF_RESOURCES; |
|
|
|
|