Home » U++ Library support » U++ Core » Any good reason why SSL support is hardcoded to SSLv3 usage?
| Any good reason why SSL support is hardcoded to SSLv3 usage? [message #43813] |
Fri, 24 October 2014 17:57  |
|
|
Hi,
I just made little test with HttpRequest and found that I could not connect to any of our secure servers.
SSLv3 was deprecated 15 years ago, and is now proven vulnerable to the poodle attack.
TcpSocket::SSLImp::Start() is hardcoded to use SSLv3:
if(!context.Create(socket.mode == CONNECT ? const_cast<SSL_METHOD *>(SSLv3_client_method())
: const_cast<SSL_METHOD *>(SSLv3_server_method()))) {
SetSSLError("Start: SSL context.");
return false;
}
Changing the methods to TLSv1_2 allowed my little test to connect with our servers:
if(!context.Create(socket.mode == CONNECT ? const_cast<SSL_METHOD *>(TLSv1_2_client_method())
: const_cast<SSL_METHOD *>(TLSv1_2_server_method()))) {
SetSSLError("Start: SSL context.");
return false;
}
In my case it works with TLSv1, TLSv1_1 and TLSv1_2.
Are there any plans on making the protocol selectable or not?
I can try to make a solution, adding a member variable like "SSL_METHOD *sslMethod;" and use it if it is not null otherwise fallback to current code.
There was another report on a similar request earlier this year:
http:// www.ultimatepp.org/forums/index.php?t=msg&th=8408&go to=42367&#msg_42367
|
|
|
|
Current Time: Sun Apr 27 19:57:35 CEST 2025
Total time taken to generate the page: 0.00671 seconds
|
Members
Pages
Help
Register
Login
Home
