summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKevin Smith <git@kismith.co.uk>2014-08-27 14:16:15 (GMT)
committerKevin Smith <kevin.smith@isode.com>2015-06-10 20:29:05 (GMT)
commitb2093a372874aefb4f56f66a70a96f78d6cbbaec (patch)
treeab779a4cc7950339d2c2cb0261ae6a08df84c645 /Swiften/Client
parentb6b0695643f932827add43b9de0e09ed74eb6799 (diff)
downloadswift-b2093a372874aefb4f56f66a70a96f78d6cbbaec.zip
swift-b2093a372874aefb4f56f66a70a96f78d6cbbaec.tar.bz2
Add ability to limit SChannel to TLS 1.0
Some servers have very restrictive TLS stacks that respond badly to a bug in the SChannel TLS implementation, meaning that TLS has to be limited to 1.0. Add ClientOptions.tlsOptions. This is a method of passing options into the TLS stack. It's currently only used for the TLS 1.0 workaround in SChannel, but we might reasonably expose other options in the future, such as limiting cypher suites. Disables use of SSLv3 for SChannel Also updates the coding style in SchannelContext a bit. Test-Information: Compiles on both OS X and Windows(SChannel). OS X doesn't show the new option. Windows shows it, and remembers it between logins. Not tested against a server requiring 1.0 only, but a previous hack with the same approach was tested. Change-Id: I1e7854d43811fd173f21f98d4dc3915fc7a4b322
Diffstat (limited to 'Swiften/Client')
-rw-r--r--Swiften/Client/ClientOptions.h7
-rw-r--r--Swiften/Client/CoreClient.cpp5
2 files changed, 10 insertions, 2 deletions
diff --git a/Swiften/Client/ClientOptions.h b/Swiften/Client/ClientOptions.h
index 4aac609..25393e4 100644
--- a/Swiften/Client/ClientOptions.h
+++ b/Swiften/Client/ClientOptions.h
@@ -11,6 +11,8 @@
#include <Swiften/Base/API.h>
#include <Swiften/Base/URL.h>
#include <Swiften/Base/SafeString.h>
+#include <Swiften/TLS/TLSOptions.h>
+
namespace Swift {
class HTTPTrafficFilter;
@@ -145,5 +147,10 @@ namespace Swift {
* proxy initialization to be customized.
*/
boost::shared_ptr<HTTPTrafficFilter> httpTrafficFilter;
+
+ /**
+ * Options passed to the TLS stack
+ */
+ TLSOptions tlsOptions;
};
}
diff --git a/Swiften/Client/CoreClient.cpp b/Swiften/Client/CoreClient.cpp
index 842488d..c91e5c5 100644
--- a/Swiften/Client/CoreClient.cpp
+++ b/Swiften/Client/CoreClient.cpp
@@ -138,7 +138,8 @@ void CoreClient::connect(const ClientOptions& o) {
host,
options.boshHTTPConnectProxyURL,
options.boshHTTPConnectProxyAuthID,
- options.boshHTTPConnectProxyAuthPassword));
+ options.boshHTTPConnectProxyAuthPassword,
+ options.tlsOptions));
sessionStream_->onDataRead.connect(boost::bind(&CoreClient::handleDataRead, this, _1));
sessionStream_->onDataWritten.connect(boost::bind(&CoreClient::handleDataWritten, this, _1));
bindSessionToStream();
@@ -189,7 +190,7 @@ void CoreClient::handleConnectorFinished(boost::shared_ptr<Connection> connectio
connection_ = connection;
assert(!sessionStream_);
- sessionStream_ = boost::make_shared<BasicSessionStream>(ClientStreamType, connection_, getPayloadParserFactories(), getPayloadSerializers(), networkFactories->getTLSContextFactory(), networkFactories->getTimerFactory(), networkFactories->getXMLParserFactory());
+ sessionStream_ = boost::make_shared<BasicSessionStream>(ClientStreamType, connection_, getPayloadParserFactories(), getPayloadSerializers(), networkFactories->getTLSContextFactory(), networkFactories->getTimerFactory(), networkFactories->getXMLParserFactory(), options.tlsOptions);
if (certificate_ && !certificate_->isNull()) {
sessionStream_->setTLSCertificate(certificate_);
}