[omniORB] Feature Proposal: Support selecting the TLS protocol version

Weweler, Yves-Noel Y.Weweler at insiders-technologies.de
Tue Jan 2 14:32:43 UTC 2024


Hi,

When overriding this in a subclass, how would we make it available to control from Python?
Currently I do not see any class that overrides or uses set_supported_versions. (Apart from the context itself.)

Regards,
Yves-Noel

-----Original Message-----
From: Duncan Grisby <duncan at grisby.org>
Sent: Tuesday, 2 January 2024 15:02
To: Weweler, Yves-Noel <Y.Weweler at insiders-technologies.de>; omniorb-list at omniorb.net
Subject: Re: [omniORB] Feature Proposal: Support selecting the TLS protocol version

On Tue, 2024-01-02 at 13:18 +0000, Weweler, Yves-Noel via omniORB-list
wrote:

> We have certain requirements that force us to ensure that we can force 
> specific TLS protocol versions.
> First I tried doing this using an openssl configuration file.
> However, I noticed that within
> src/lib/omniORB/orbcore/ssl/sslContext.cc the TLS version 
> configuration is overwritten.
> ```
> void
> sslContext::set_supported_versions() {
>   SSL_CTX_set_options(pd_ctx,
>                       SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
>                       SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
> }
> ```
> Do you have any suggestions on how to force specific protocol versions?

That sslContext::set_supported_versions method is a virtual function specifically so you can override it in a subclass. That is the current way to handle what you are trying to do.

Allowing it to be set in the omniORB configuration would be no bad thing, but it has to be done in a backward-compatible way for existing code that is overriding set_supported_versions.

Regards,

Duncan.


--
 -- Duncan Grisby --
  -- duncan at grisby.org --
   -- http://www.grisby.org --


