From ebc6a5ad2f93c33df268b54ea0b57ff3ab037478 Mon Sep 17 00:00:00 2001
From: Clifford Jansen
Date: Tue, 28 Oct 2014 19:47:41 +0000
Subject: QPID-6187: Disable SSL v3 for Windows SChannel
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1634961 13f79535-47bb-0310-9956-ffa450edef68
---
 qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp | 30 ++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)
(limited to 'qpid/cpp/src')
diff --git a/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp b/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp
index 079627372b..29f673c156 100644
--- a/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp
+++ b/qpid/cpp/src/qpid/sys/windows/SslAsynchIO.cpp
@@ -458,7 +458,22 @@ void SslAsynchIO::idle(qpid::sys::AsynchIO&) {
 }
 }
- /**************************************************/
+/**************************************************/
+
+namespace {
+
+bool unsafeNegotiatedTlsVersion(CtxtHandle &ctxtHandle) {
+ // See if SChannel ultimately negotiated <= SSL3, perhaps due to
+ // global registry settings.
+ SecPkgContext_ConnectionInfo info;
+ ::QueryContextAttributes(&ctxtHandle, SECPKG_ATTR_CONNECTION_INFO, &info);
+ // Ascending bit patterns denote newer SSL/TLS protocol versions
+ return (info.dwProtocol < SP_PROT_TLS1_SERVER) ? true : false;
+}
+
+} // namespace
+
+/**************************************************/
 ClientSslAsynchIO::ClientSslAsynchIO(const std::string& brokerHost,
 const qpid::sys::Socket& s,
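Review bot: The result of `::QueryContextAttributes` in `unsafeNegotiatedTlsVersion` is discarded and `info` is never initialised, so when the query fails `info.dwProtocol` is read indeterminate and the version gate can fail open, admitting a connection whose protocol could not be verified. Zero-initialise `info`, keep the `SECURITY_STATUS`, and treat anything other than `SEC_E_OK` as unsafe, so the only path to `false` is a successfully queried TLS 1.0-or-newer protocol. The `? true : false` on the final return is redundant on a `bool` expression. The comparison against `SP_PROT_TLS1_SERVER` depends on the SP_PROT_* bit layout described only by the comment above it; that comment is what makes the single threshold cover both the client and server flags, so it is worth keeping next to the comparison.
```cpp
bool unsafeNegotiatedTlsVersion(CtxtHandle &ctxtHandle) {
    // … unchanged: comment on SChannel negotiating <= SSL3 via registry settings …
    SecPkgContext_ConnectionInfo info = {};
    const SECURITY_STATUS rc =
        ::QueryContextAttributes(&ctxtHandle, SECPKG_ATTR_CONNECTION_INFO, &info);
    if (rc != SEC_E_OK)
        return true;   // version unknown: fail closed rather than accept
    // Ascending bit patterns denote newer SSL/TLS protocol versions
    return info.dwProtocol < SP_PROT_TLS1_SERVER;
}
```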
@@ -589,6 +604,13 @@ void ClientSslAsynchIO::negotiateStep(BufferBase* buff) {
 }
 // Nothing to send back to the server...
 aio->queueReadBuffer(sendbuff);
+
+ if (status == SEC_E_OK && unsafeNegotiatedTlsVersion(ctxtHandle)) {
+ // Refuse a connection that negotiates to less than TLS 1.0.
+ QPID_LOG(notice, "client SSL negotiation to unsafe protocol version.");
+ status = SEC_E_UNSUPPORTED_FUNCTION;
+ }
+
 // SEC_I_CONTEXT_EXPIRED means session stop complete; SEC_E_OK can be
 // either session stop or negotiation done (session up).
 if (status == SEC_E_OK || status == SEC_I_CONTEXT_EXPIRED)
@@ -691,6 +713,12 @@ void ServerSslAsynchIO::negotiateStep(BufferBase* buff) {
 // Nothing to send back to the server...
 aio->queueReadBuffer(sendbuff);
+ if (status == SEC_E_OK && unsafeNegotiatedTlsVersion(ctxtHandle)) {
+ // Refuse a connection that negotiates to less than TLS 1.0.
+ QPID_LOG(notice, "server SSL negotiation to unsafe protocol version.");
+ status = SEC_E_UNSUPPORTED_FUNCTION;
+ }
+
 // SEC_I_CONTEXT_EXPIRED means session stop complete; SEC_E_OK can be
 // either session stop or negotiation done (session up).
 if (status == SEC_E_OK || status == SEC_I_CONTEXT_EXPIRED) {
-- 
cgit v1.2.1
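Review bot: The notice emitted in the new `if (status == SEC_E_OK && unsafeNegotiatedTlsVersion(ctxtHandle))` block says only that the version was unsafe, not which protocol SChannel actually negotiated, so an operator cannot tell from the log which registry setting forced the downgrade; having the helper hand back the queried `dwProtocol` (or log it there) would make the notice actionable. The same block, differing only in the word `client`/`server` inside the message, is repeated in ServerSslAsynchIO::negotiateStep in the next hunk; a shared helper taking the role string would keep the two paths from drifting. Both rejections fire after the handshake has already completed with SEC_E_OK; if the credential setup outside these hunks leaves `SCHANNEL_CRED`'s `grbitEnabledProtocols` at its default, restricting the enabled protocols there would stop SSL 3.0 from being negotiated at all rather than tearing down a completed session. What happens with the substituted SEC_E_UNSUPPORTED_FUNCTION is outside the hunk; I am assuming the non-OK path below releases the context and closes the connection. negotiateStep begins and ends outside the hunk in both cases.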