Disable TLS 1.0 and 1.1 by default (#102)

Author: an-tao

trantor/net/TcpClient.cc

@@ -199,11 +199,11 @@ void TcpClient::removeConnection(const TcpConnectionPtr &conn)
     }
 }
 
-void TcpClient::enableSSL()
+void TcpClient::enableSSL(bool useOldTLS)
 {
 #ifdef USE_OPENSSL
     /* Create a new OpenSSL context */
-    sslCtxPtr_ = newSSLContext();
+    sslCtxPtr_ = newSSLContext(useOldTLS);
 #else
     LOG_FATAL << "OpenSSL is not found in your system!";
     abort();

trantor/net/TcpClient.h

@@ -177,9 +177,12 @@ class TcpClient : NonCopyable
 
     /**
      * @brief Enable SSL encryption.
-     *
+     * @param useOldTLS If true, the TLS 1.0 and 1.1 are supported by the
+     * client.
+     * @note It's well known that TLS 1.0 and 1.1 are not considered secure in
+     * 2020. And it's a good practice to only use TLS 1.2 and above.
      */
-    void enableSSL();
+    void enableSSL(bool useOldTLS = false);
 
   private:
     /// Not thread safe, but in loop

trantor/net/TcpConnection.h

@@ -26,7 +26,8 @@ namespace trantor
 {
 class SSLContext;
 std::shared_ptr<SSLContext> newSSLServerContext(const std::string &certPath,
-                                                const std::string &keyPath);
+                                                const std::string &keyPath,
+                                                bool useOldTLS = false);
 /**
  * @brief This class represents a TCP connection.
  *
@@ -225,13 +226,14 @@ class TcpConnection
      * @param callback The callback is called when the SSL connection is
      * established.
      */
-    virtual void startClientEncryption(std::function<void()> callback) = 0;
+    virtual void startClientEncryption(std::function<void()> callback,
+                                       bool useOldTLS = false) = 0;
 
     /**
      * @brief Start the SSL encryption on the connection (as a server).
      *
      * @param ctx The SSL context.
-     * @param callback The callback is called when the SSL connection is is
+     * @param callback The callback is called when the SSL connection is
      * established.
      */
     virtual void startServerEncryption(const std::shared_ptr<SSLContext> &ctx,

trantor/net/TcpServer.cc

@@ -1,7 +1,7 @@
 /**
  *
- *  TcpServer.cc
- *  An Tao
+ *  @file TcpServer.cc
+ *  @author An Tao
  *
  *  Copyright 2018, An Tao.  All rights reserved.
  *  https://github.com/an-tao/trantor
@@ -185,11 +185,12 @@ const trantor::InetAddress &TcpServer::address() const
 }
 
 void TcpServer::enableSSL(const std::string &certPath,
-                          const std::string &keyPath)
+                          const std::string &keyPath,
+                          bool useOldTLS)
 {
 #ifdef USE_OPENSSL
     /* Create a new OpenSSL context */
-    sslCtxPtr_ = newSSLServerContext(certPath, keyPath);
+    sslCtxPtr_ = newSSLServerContext(certPath, keyPath, useOldTLS);
 #else
     LOG_FATAL << "OpenSSL is not found in your system!";
     abort();

trantor/net/TcpServer.h

@@ -199,8 +199,14 @@ class TcpServer : NonCopyable
      *
      * @param certPath The path of the certificate file.
      * @param keyPath The path of the private key file.
+     * @param useOldTLS If true, the TLS 1.0 and 1.1 are supported by the
+     * server.
+     * @note It's well known that TLS 1.0 and 1.1 are not considered secure in
+     * 2020. And it's a good practice to only use TLS 1.2 and above.
      */
-    void enableSSL(const std::string &certPath, const std::string &keyPath);
+    void enableSSL(const std::string &certPath,
+                   const std::string &keyPath,
+                   bool useOldTLS = false);
 
   private:
     EventLoop *loop_;

trantor/net/inner/TcpConnectionImpl.cc

@@ -1,7 +1,7 @@
 /**
  *
- *  TcpConnectionImpl.cc
- *  An Tao
+ *  @file TcpConnectionImpl.cc
+ *  @author An Tao
  *
  *  Public header file in trantor lib.
  *
@@ -57,9 +57,32 @@ void initOpenSSL()
 class SSLContext
 {
   public:
-    SSLContext()
+    explicit SSLContext(bool useOldTLS)
     {
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+        ctxPtr_ = SSL_CTX_new(TLS_method());
+        if (!useOldTLS)
+            SSL_CTX_set_min_proto_version(ctxPtr_, TLS1_2_VERSION);
+        else
+        {
+            LOG_WARN << "TLS 1.0/1.1 are enabled. They are considered "
+                        "obsolete, insecure standards and should only be "
+                        "used for legacy purpose.";
+        }
+#else
         ctxPtr_ = SSL_CTX_new(SSLv23_method());
+        if (!useOldTLS)
+        {
+            SSL_CTX_set_options(ctxPtr_, SSL_OP_NO_TLSv1);
+            SSL_CTX_set_options(ctxPtr_, SSL_OP_NO_TLSv1_1);
+        }
+        else
+        {
+            LOG_WARN << "TLS 1.0/1.1 are enabled. They are considered "
+                        "obsolete, insecure standards and should only be "
+                        "used for legacy purpose.";
+        }
+#endif
     }
     ~SSLContext()
     {
@@ -100,15 +123,16 @@ class SSLConn
     SSL *SSL_;
 };
 
-std::shared_ptr<SSLContext> newSSLContext()
+std::shared_ptr<SSLContext> newSSLContext(bool useOldTLS)
 {  // init OpenSSL
     initOpenSSL();
-    return std::make_shared<SSLContext>();
+    return std::make_shared<SSLContext>(useOldTLS);
 }
 std::shared_ptr<SSLContext> newSSLServerContext(const std::string &certPath,
-                                                const std::string &keyPath)
+                                                const std::string &keyPath,
+                                                bool useOldTLS)
 {
-    auto ctx = newSSLContext();
+    auto ctx = newSSLContext(useOldTLS);
     auto r = SSL_CTX_use_certificate_chain_file(ctx->get(), certPath.c_str());
     if (!r)
     {
@@ -148,7 +172,8 @@ std::shared_ptr<SSLContext> newSSLServerContext(const std::string &certPath,
 namespace trantor
 {
 std::shared_ptr<SSLContext> newSSLServerContext(const std::string &certPath,
-                                                const std::string &keyPath)
+                                                const std::string &keyPath,
+                                                bool useOldTLS)
 {
     LOG_FATAL << "OpenSSL is not found in your system!";
     abort();
@@ -184,7 +209,8 @@ TcpConnectionImpl::~TcpConnectionImpl()
 }
 #ifdef USE_OPENSSL
 void TcpConnectionImpl::startClientEncryptionInLoop(
-    std::function<void()> &&callback)
+    std::function<void()> &&callback,
+    bool useOldTLS)
 {
     loop_->assertInLoopThread();
     if (isEncrypted_)
@@ -194,7 +220,7 @@ void TcpConnectionImpl::startClientEncryptionInLoop(
     }
     sslEncryptionPtr_ = std::make_unique<SSLEncryption>();
     sslEncryptionPtr_->upgradeCallback_ = std::move(callback);
-    sslEncryptionPtr_->sslCtxPtr_ = newSSLContext();
+    sslEncryptionPtr_->sslCtxPtr_ = newSSLContext(useOldTLS);
     sslEncryptionPtr_->sslPtr_ =
         std::make_unique<SSLConn>(sslEncryptionPtr_->sslCtxPtr_->get());
     isEncrypted_ = true;
@@ -258,21 +284,24 @@ void TcpConnectionImpl::startServerEncryption(
 
 #endif
 }
-void TcpConnectionImpl::startClientEncryption(std::function<void()> callback)
+void TcpConnectionImpl::startClientEncryption(std::function<void()> callback,
+                                              bool useOldTLS)
 {
 #ifndef USE_OPENSSL
     LOG_FATAL << "OpenSSL is not found in your system!";
     abort();
 #else
     if (loop_->isInLoopThread())
     {
-        startClientEncryptionInLoop(std::move(callback));
+        startClientEncryptionInLoop(std::move(callback), useOldTLS);
     }
     else
     {
         loop_->queueInLoop([thisPtr = shared_from_this(),
-                            callback = std::move(callback)]() mutable {
-            thisPtr->startClientEncryptionInLoop(std::move(callback));
+                            callback = std::move(callback),
+                            useOldTLS]() mutable {
+            thisPtr->startClientEncryptionInLoop(std::move(callback),
+                                                 useOldTLS);
         });
     }
 #endif

trantor/net/inner/TcpConnectionImpl.h

@@ -1,7 +1,7 @@
 /**
  *
- *  TcpConnectionImpl.h
- *  An Tao
+ *  @file TcpConnectionImpl.h
+ *  @author An Tao
  *
  *  Public header file in trantor lib.
  *
@@ -37,9 +37,10 @@ enum class SSLStatus
 class SSLContext;
 class SSLConn;
 
-std::shared_ptr<SSLContext> newSSLContext();
+std::shared_ptr<SSLContext> newSSLContext(bool useOldTLS);
 std::shared_ptr<SSLContext> newSSLServerContext(const std::string &certPath,
-                                                const std::string &keyPath);
+                                                const std::string &keyPath,
+                                                bool useOldTLS);
 // void initServerSSLContext(const std::shared_ptr<SSLContext> &ctx,
 //                           const std::string &certPath,
 //                           const std::string &keyPath);
@@ -167,7 +168,8 @@ class TcpConnectionImpl : public TcpConnection,
     {
         return bytesReceived_;
     }
-    virtual void startClientEncryption(std::function<void()> callback) override;
+    virtual void startClientEncryption(std::function<void()> callback,
+                                       bool useOldTLS = false) override;
     virtual void startServerEncryption(const std::shared_ptr<SSLContext> &ctx,
                                        std::function<void()> callback) override;
     virtual bool isSSLConnection() const override
@@ -305,7 +307,8 @@ class TcpConnectionImpl : public TcpConnection,
         std::function<void()> upgradeCallback_;
     };
     std::unique_ptr<SSLEncryption> sslEncryptionPtr_;
-    void startClientEncryptionInLoop(std::function<void()> &&callback);
+    void startClientEncryptionInLoop(std::function<void()> &&callback,
+                                     bool useOldTLS);
     void startServerEncryptionInLoop(const std::shared_ptr<SSLContext> &ctx,
                                      std::function<void()> &&callback);
 #endif