MINFICPP-1005 - Disable <TLSv1.2 for incoming and <TLSv1.0 for outgoi… (#639)

* MINFICPP-1005 - Disable <TLSv1.2 for incoming and <TLSv1.0 for outgoing secure connections

* MINFICPP-1005 - Review fix

Signed-off-by: Marc Parisi <phrocker@apache.org
diff --git a/extensions/civetweb/processors/ListenHTTP.cpp b/extensions/civetweb/processors/ListenHTTP.cpp
index b065230..e9ea1ed 100644
--- a/extensions/civetweb/processors/ListenHTTP.cpp
+++ b/extensions/civetweb/processors/ListenHTTP.cpp
@@ -53,10 +53,10 @@
 
 core::Property ListenHTTP::SSLMinimumVersion(
     core::PropertyBuilder::createProperty("SSL Minimum Version")
-        -> withDescription("Minimum TLS/SSL version allowed (SSL2, SSL3, TLS1.0, TLS1.1, TLS1.2)")
+        -> withDescription("Minimum TLS/SSL version allowed (TLS1.2)")
         ->isRequired(false)
-        ->withAllowableValues<std::string>({"SSL2", "SSL3", "TLS1.0", "TLS1.1", "TLS1.2"})
-        ->withDefaultValue("SSL2")->build());
+        ->withAllowableValues<std::string>({"TLS1.2"})
+        ->withDefaultValue("TLS1.2")->build());
 
 core::Property ListenHTTP::HeadersAsAttributesRegex("HTTP Headers to receive as Attributes (Regex)", "Specifies the Regular Expression that determines the names of HTTP Headers that"
                                                     " should be passed along as FlowFile attributes",
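Review bot: The property now admits exactly one value and defaults to it, so the description on the new line `-> withDescription("Minimum TLS/SSL version allowed (TLS1.2)")` no longer tells an operator what happens to the values the old description listed. Presumably the property is kept so existing flow configurations still parse, but nothing on the page says so; a wording that states the consequence would help, e.g. `-> withDescription("Minimum TLS/SSL version allowed; only TLS1.2 is supported and older protocol versions are rejected")`. The same point applies to the allowable-values list: a short comment above it explaining why a single-valued property is retained (if that is the intent) would save the next maintainer from "simplifying" it away.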
@@ -182,21 +182,11 @@
       options.emplace_back("yes");
     }
 
-    if (sslMinVer == "SSL2") {
-      options.emplace_back("ssl_protocol_version");
-      options.emplace_back(std::to_string(0));
-    } else if (sslMinVer == "SSL3") {
-      options.emplace_back("ssl_protocol_version");
-      options.emplace_back(std::to_string(1));
-    } else if (sslMinVer == "TLS1.0") {
-      options.emplace_back("ssl_protocol_version");
-      options.emplace_back(std::to_string(2));
-    } else if (sslMinVer == "TLS1.1") {
-      options.emplace_back("ssl_protocol_version");
-      options.emplace_back(std::to_string(3));
-    } else {
+    if (sslMinVer == "TLS1.2") {
       options.emplace_back("ssl_protocol_version");
       options.emplace_back(std::to_string(4));
+    } else {
+      throw minifi::Exception(ExceptionType::PROCESSOR_EXCEPTION, "Invalid SSL Minimum Version specified!");
     }
   }
 
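Review bot: The new `else` branch throws `"Invalid SSL Minimum Version specified!"` without saying which value was rejected, which matters now that every value except "TLS1.2" — including the previous default "SSL2" carried in existing configurations — lands here; `throw minifi::Exception(ExceptionType::PROCESSOR_EXCEPTION, "Invalid SSL Minimum Version specified: " + sslMinVer);` makes the failure diagnosable from the log. The remaining `std::to_string(4)` is a bare civetweb protocol code (the removed lines show the 0–4 ladder it came from) and the same literal `"4"` is hard-coded again in RESTReceiver.cpp and TestServer.h in this commit; a one-line comment such as `// civetweb ssl_protocol_version: 4 == TLS 1.2 and newer` at each site, or a single shared named constant, would keep the three in step. The enclosing function starts outside the hunk, so whether the throw is caught and surfaced as a scheduling failure cannot be confirmed here.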
diff --git a/extensions/civetweb/tests/ListenHTTPTests.cpp b/extensions/civetweb/tests/ListenHTTPTests.cpp
index 1db2fea..76e9342 100644
--- a/extensions/civetweb/tests/ListenHTTPTests.cpp
+++ b/extensions/civetweb/tests/ListenHTTPTests.cpp
@@ -507,7 +507,6 @@
 TEST_CASE_METHOD(ListenHTTPTestsFixture, "HTTPS minimum SSL version", "[https]") {
   plan->setProperty(listen_http, "SSL Certificate", utils::file::FileUtils::concat_path(utils::file::FileUtils::get_executable_dir(), "resources/server.pem"));
   plan->setProperty(listen_http, "SSL Certificate Authority", utils::file::FileUtils::concat_path(utils::file::FileUtils::get_executable_dir(), "resources/goodCA.crt"));
-  plan->setProperty(listen_http, "SSL Minimum Version", "TLS1.1");
 
   SECTION("GET") {
     method = "GET";
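Review bot: Dropping `plan->setProperty(listen_http, "SSL Minimum Version", "TLS1.1");` leaves the "HTTPS minimum SSL version" test relying on the property's default rather than exercising the property itself; setting it explicitly, `plan->setProperty(listen_http, "SSL Minimum Version", "TLS1.2");`, keeps the test meaningful if the default ever changes. The new rejecting branch in ListenHTTP.cpp (any value other than "TLS1.2" now throws) appears to have no test on this page; a case that sets "TLS1.1" and expects the processor exception would pin that behaviour. The TEST_CASE body continues outside the hunk.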
@@ -530,7 +529,7 @@
   if (method == "POST") {
     client->setPostFields(payload);
   }
-  REQUIRE(client->setSpecificSSLVersion(utils::SSLVersion::TLSv1_0));
+  REQUIRE(client->setSpecificSSLVersion(utils::SSLVersion::TLSv1_1));
 
   test_connect(false /*should_succeed*/);
 }
diff --git a/extensions/http-curl/client/HTTPClient.cpp b/extensions/http-curl/client/HTTPClient.cpp
index edfc59e..562376d 100644
--- a/extensions/http-curl/client/HTTPClient.cpp
+++ b/extensions/http-curl/client/HTTPClient.cpp
@@ -184,6 +184,7 @@
 #endif
 }
 
+/* If not set, the default will be TLS 1.0, see https://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html */
 bool HTTPClient::setMinimumSSLVersion(SSLVersion minimum_version) {
   CURLcode ret = CURLE_UNKNOWN_OPTION;
   switch (minimum_version) {
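Review bot: The added comment `/* If not set, the default will be TLS 1.0, see ... */` describes libcurl's behaviour when this setter is never called, but that default depends on the libcurl version and TLS backend linked at build time, so stating it as a fixed fact may go stale. A phrasing that attributes the default and states the contract would age better, e.g. `/* libcurl applies its own default minimum (TLS 1.0 at the time of writing, backend permitting) unless this setter is called; see https://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html */`. The function body continues outside the hunk, so which versions the switch accepts cannot be checked here.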
diff --git a/extensions/http-curl/protocols/RESTReceiver.cpp b/extensions/http-curl/protocols/RESTReceiver.cpp
index babc983..ae1ebf6 100644
--- a/extensions/http-curl/protocols/RESTReceiver.cpp
+++ b/extensions/http-curl/protocols/RESTReceiver.cpp
@@ -80,7 +80,7 @@
   std::string my_port = port;
   my_port += "s";
   callback.log_message = log_message;
-  const char *options[] = { "listening_ports", port.c_str(), "ssl_certificate", ca_cert.c_str(), "ssl_protocol_version", "0", "ssl_cipher_list", "ALL",
+  const char *options[] = { "listening_ports", port.c_str(), "ssl_certificate", ca_cert.c_str(), "ssl_protocol_version", "4", "ssl_cipher_list", "ALL",
       "ssl_verify_peer", "no", "num_threads", "1", 0 };
 
   std::vector<std::string> cpp_options;
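Review bot: The protocol floor is raised to `"ssl_protocol_version", "4"` while the adjacent `"ssl_cipher_list", "ALL"` on the same line is left as is, and "ALL" in OpenSSL syntax still admits anonymous (aNULL) suites, so the TLS 1.2 floor alone does not guarantee an authenticated, strong cipher on this listener; the commented-out `ECDH+AESGCM+AES256:!aNULL:!MD5:!DSS` in TestServer.h suggests a stricter list was already considered. If tightening the cipher list is out of scope for this commit, a comment next to `"4"` naming it as civetweb's TLS 1.2+ code — the same bare literal is written in TestServer.h in this commit and as `std::to_string(4)` in ListenHTTP.cpp — would at least keep the three sites traceable. The enclosing function continues outside the hunk.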
diff --git a/extensions/http-curl/tests/TestServer.h b/extensions/http-curl/tests/TestServer.h
index 0e9b260..2b667fc 100644
--- a/extensions/http-curl/tests/TestServer.h
+++ b/extensions/http-curl/tests/TestServer.h
@@ -39,7 +39,7 @@
 
 CivetServer * start_webserver(std::string &port, std::string &rooturi, CivetHandler *handler, struct mg_callbacks *callbacks, std::string &cert, std::string &ca_cert) {
   const char *options[] = { "document_root", ".", "listening_ports", port.c_str(), "error_log_file",
-      "error.log", "ssl_certificate", ca_cert.c_str(), "ssl_protocol_version", "0", "ssl_cipher_list",
+      "error.log", "ssl_certificate", ca_cert.c_str(), "ssl_protocol_version", "4", "ssl_cipher_list",
       "ALL", "request_timeout_ms", "10000", "enable_auth_domain_check", "no", "ssl_verify_peer", "no", 0 };
 // ECDH+AESGCM+AES256:!aNULL:!MD5:!DSS
   std::vector<std::string> cpp_options;