[omniORB-dev] Feature Proposal: Support selecting the TLS protocol version

Weweler, Yves-Noel Y.Weweler at insiders-technologies.de
Tue Jan 2 13:27:26 UTC 2024


Hi,

We have certain requirements that force us to ensure that we can force specific TLS protocol versions.
First I tried doing this using an openssl configuration file. However, I noticed that within src/lib/omniORB/orbcore/ssl/sslContext.cc the TLS version configuration is overwritten.
```cpp
void
sslContext::set_supported_versions() {
  SSL_CTX_set_options(pd_ctx,
                      SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
                      SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
}
```
Do you have any suggestions on how to force specific protocol versions?


Alternatively, I would like to propose that we add additional configuration to omniORB that behaves similarly to `cipher_list`.
Essentially, I would like to be able to set the protocol version using the ORB-specific configuration as well as using the Python interface.
According to the OpenSSL wiki, setting the version using options is deprecated. Hence, I suggest we adopt the min and max approach of configuration.

  * https://wiki.openssl.org/index.php/List_of_SSL_OP_Flags
    > These options are deprecated as of 1.1.0, use SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() instead.

Sadly, my understanding of the omniORB codebase is rather limited at the moment, hence writing appropriate tests and getting all locations correct is currently out of reach for me.
Nevertheless, I prepared a small patch as a sketch for my proposal. (I never compiled it and it does not yet cover Python. Just to show my idea!)

Do you think that my approach is worth implementing?

Best regards,
Yves-Noel Weweler
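As an added example (not omniORB code and not the attached patch), the min/max semantics proposed above, shown with Python's `ssl` module, whose `minimum_version`/`maximum_version` attributes wrap `SSL_CTX_set_min_proto_version()` and `SSL_CTX_set_max_proto_version()`; the configuration strings and function names are assumptions made for this illustration.

```python
import ssl

# Constructed mapping from the configuration strings this example accepts to
# the ssl.TLSVersion values that CPython hands to
# SSL_CTX_set_min_proto_version() / SSL_CTX_set_max_proto_version().
# The string format is an assumption, not something omniORB defines.
TLS_VERSION_NAMES = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
# Oldest to newest; used to list what a (min, max) pair actually permits.
TLS_VERSION_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_tls_version(name):
    """Turn a configuration string such as 'TLSv1.2' into an ssl.TLSVersion."""
    try:
        return TLS_VERSION_NAMES[name]
    except KeyError:
        raise ValueError(
            f"unknown TLS version {name!r}; expected one of {TLS_VERSION_ORDER}"
        ) from None


def allowed_versions(min_name, max_name):
    """Return the protocol versions a context bounded by (min, max) can negotiate."""
    lo = TLS_VERSION_ORDER.index(min_name)
    hi = TLS_VERSION_ORDER.index(max_name)
    if lo > hi:
        # An inverted range would silently leave no negotiable protocol at all.
        raise ValueError(f"min version {min_name} is newer than max version {max_name}")
    return TLS_VERSION_ORDER[lo:hi + 1]


def build_context(min_name="TLSv1.2", max_name="TLSv1.3"):
    """Build a client context using min/max bounds instead of SSL_OP_NO_* flags."""
    allowed_versions(min_name, max_name)  # rejects an empty range up front
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = parse_tls_version(min_name)
    ctx.maximum_version = parse_tls_version(max_name)
    return ctx


def context_bounds(ctx):
    """Read back the bounds OpenSSL stored, as configuration strings."""
    by_value = {v: k for k, v in TLS_VERSION_NAMES.items()}
    return by_value[ctx.minimum_version], by_value[ctx.maximum_version]
```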

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tls_version_selection_draft.patch
Type: application/octet-stream
Size: 10456 bytes
Desc: tls_version_selection_draft.patch
URL: <https://www.omniorb-support.com/pipermail/omniorb-dev/attachments/20240102/32debf87/attachment.obj>