tyler.durden
/
icinga2
mirror of https://github.com/Icinga/icinga2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Support TLSv1.1 and TLSv1.2 for the cluster transport encryption 

From https://wiki.openssl.org/index.php/SSL/TLS_Client:
SSLv23_method specifies the protocols used and behavior of the handshake.
The method essentially means SSLv2 or above, and includes the TLS protocols.
The protocols are further tuned through SSL/TLS options. By using
SSLv23_method (and removing the SSL protocols with SSL_OP_NO_SSLv2 and
SSL_OP_NO_SSLv3), then you will use TLS v1.0 and above, including TLS v1.2.
You will also use a TLS handshake in the TLS Record.

If you use TLSv1_method, then you will only use TLS v1.0.

fixes #10988
This commit is contained in:
Tobias von der Krone 2016-01-19 21:04:59 +01:00 committed by Michael Friedrich
parent 4ce43b8d02
commit 1c67bf394c
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lib/base/tlsutility.cpp
View File

@ -83,7 +83,9 @@ boost::shared_ptr<SSL_CTX> MakeSSLContext(const String& pubkey, const String& pr
InitializeOpenSSL(); InitializeOpenSSL();
boost::shared_ptr<SSL_CTX> sslContext = boost::shared_ptr<SSL_CTX>(SSL_CTX_new(TLSv1_method()), SSL_CTX_free); boost::shared_ptr<SSL_CTX> sslContext = boost::shared_ptr<SSL_CTX>(SSL_CTX_new(SSLv23_method()), SSL_CTX_free);
SSL_CTX_set_options(sslContext.get(), SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION);
SSL_CTX_set_mode(sslContext.get(), SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); SSL_CTX_set_mode(sslContext.get(), SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
SSL_CTX_set_session_id_context(sslContext.get(), (const unsigned char *)"Icinga 2", 8); SSL_CTX_set_session_id_context(sslContext.get(), (const unsigned char *)"Icinga 2", 8);