[omniORB] Feature Proposal: Support selecting the TLS protocol version

Duncan Grisby duncan at grisby.org
Tue Jan 2 14:02:13 UTC 2024


On Tue, 2024-01-02 at 13:18 +0000, Weweler, Yves-Noel via omniORB-list
wrote:

> We have certain requirements that force us to ensure that we can
> force specific TLS protocol versions.
> First I tried doing this using an openssl configuration file.
> However, I noticed that within
> src/lib/omniORB/orbcore/ssl/sslContext.cc the TLS version
> configuration is overwritten.
> ```
> void
> sslContext::set_supported_versions() {
>   SSL_CTX_set_options(pd_ctx,
>                       SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
>                       SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
> }
> ```
> Do you have any suggestions on how to force specific protocol
> versions?

That sslContext::set_supported_versions method is a virtual function
specifically so you can override it in a subclass. That is the current
way to handle what you are trying to do.

Allowing it to be set in the omniORB configuration would be no bad
thing, but it has to be done in a backward-compatible way for existing
code that is overriding set_supported_versions.

Regards,

Duncan.


-- 
 -- Duncan Grisby --
  -- duncan at grisby.org --
   -- http://www.grisby.org --



