From: Francis Dupont
Date: Sat, 13 Mar 2021 11:58:57 +0000 (+0100)
Subject: [#1748] Add generic TLS method detection and TLS 1.2 fallback
X-Git-Tag: Kea-1.9.6~148
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ce47d790662f4889d8be3e7ee8d59990eaea8f88;p=thirdparty%2Fkea.git

[#1748] Add generic TLS method detection and TLS 1.2 fallback
---
diff --git a/m4macros/ax_crypto.m4 b/m4macros/ax_crypto.m4
index 0e98bcc670..bb70e6db3d 100644
--- a/m4macros/ax_crypto.m4
+++ b/m4macros/ax_crypto.m4
@@ -360,6 +360,15 @@ EOF dnl Check boost ASIO SSL AC_CHECK_HEADERS([boost/asio/ssl.hpp],, [AC_MSG_ERROR([Missing required boost ssl header file])])
+ dnl Check if the generic TLS method is available
+ AC_MSG_CHECKING([Generic TLS method])
+ AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM([#include ],
+ [auto ctx(boost::asio::ssl::context::tls);])],
+ [AC_MSG_RESULT(yes)
+ AC_DEFINE([HAVE_GENERIC_TLS_METHOD], [1],
+ [Define to 1 if boost::asio::ssl::context::tls is available])],
+ [AC_MSG_RESULT(no)])
 LIBS=${LIBS_SAVED} CPPFLAGS=${CPPFLAGS_SAVED} fi
diff --git a/src/lib/asiolink/openssl_tls.cc b/src/lib/asiolink/openssl_tls.cc
index e23e4de998..320ee86738 100644
--- a/src/lib/asiolink/openssl_tls.cc
+++ b/src/lib/asiolink/openssl_tls.cc
@@ -25,9 +25,16 @@ using namespace isc::cryptolink; namespace isc { namespace asiolink {
+// Enforce TLS 1.2 when the generic TLS method is not available (i.e.
+// the boost version is older than 1.64.0).
 TlsContext::TlsContext(TlsRole role) : TlsContextBase(role), cert_required_(true),
- context_(context::method::tls) {
+#ifdef HAVE_GENERIC_TLS_METHOD
 context_(context::method::tls)
+#else
+ context_(context::method::tlsv12)
+#endif
+{
 // Not leave the verify mode to OpenSSL default. setCertRequired(true); }
diff --git a/src/lib/asiolink/testutils/openssl_sample_client.cc b/src/lib/asiolink/testutils/openssl_sample_client.cc
index d882703d06..590ad088fb 100644
--- a/src/lib/asiolink/testutils/openssl_sample_client.cc
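Review bot: The probe body `auto ctx(boost::asio::ssl::context::tls);` leaves `ctx` unused, so a CXXFLAGS that carries `-Werror` with `-Wunused-variable` turns the compile test into a false `no`, and the build then pins TLS 1.2 with nothing telling the user that a warning, not a missing symbol, caused it. Referencing the enumerator without a variable, `[(void) boost::asio::ssl::context::tls;]`, keeps the probe about the symbol alone. The `no` branch should also state the consequence, e.g. `AC_MSG_WARN([generic TLS method not available, TLS 1.2 only will be used])` next to `AC_MSG_RESULT(no)`, since this is the only point where the protocol downgrade is visible to whoever runs configure.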
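Review bot: The two initializer branches do not accept the same protocol set: `context::method::tlsv12` is TLS 1.2 only, whereas `context::method::tls` lets OpenSSL negotiate every version it is built with, TLS 1.0 and 1.1 included, so the build that gains TLS 1.3 also loses the implicit 1.2 floor. Unless `set_options` is applied to `context_` elsewhere in TlsContext (not visible in this hunk), the constructor body is where the floor belongs, under the `HAVE_GENERIC_TLS_METHOD` branch: `context_.set_options(context::no_sslv2 | context::no_sslv3 | context::no_tlsv1 | context::no_tlsv1_1);`. The comment above the constructor would then read `// The generic method enables TLS 1.3 but also TLS 1.0/1.1; the minimum version is enforced in the body. Without it (boost older than 1.64.0) TLS 1.2 alone is used.` The same asymmetry is present in openssl_sample_client.cc and openssl_sample_server.cc, where the sample server's `set_options` call is commented out right below the new `#ifdef`.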
+++ b/src/lib/asiolink/testutils/openssl_sample_client.cc
@@ -156,7 +156,11 @@ int main(int argc, char* argv[]) tcp::resolver resolver(io_context); auto endpoints = resolver.resolve(argv[1], argv[2]);
+#ifdef HAVE_GENERIC_TLS_METHOD
 boost::asio::ssl::context ctx(boost::asio::ssl::context::tls);
+#else
+ boost::asio::ssl::context ctx(boost::asio::ssl::context::tlsv12);
+#endif
 ctx.load_verify_file(CA_("kea-ca.crt")); ctx.use_certificate_chain_file(CA_("kea-client.crt")); ctx.use_private_key_file(CA_("kea-client.key"),
diff --git a/src/lib/asiolink/testutils/openssl_sample_server.cc b/src/lib/asiolink/testutils/openssl_sample_server.cc
index 5641b01087..d9f027673f 100644
--- a/src/lib/asiolink/testutils/openssl_sample_server.cc
+++ b/src/lib/asiolink/testutils/openssl_sample_server.cc
@@ -106,7 +106,11 @@ public: : io_context_(io_context), acceptor_(io_context, boost::asio::ip::tcp::endpoint(boost::asio::ip::tcp::v4(), port)),
+#ifdef HAVE_GENERIC_TLS_METHOD
 context_(boost::asio::ssl::context::tls)
+#else
+ context_(boost::asio::ssl::context::tlsv12)
+#endif
 { //context_.set_options( // boost::asio::ssl::context::default_workarounds
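Review bot: The `#ifdef HAVE_GENERIC_TLS_METHOD` selection of the context method is now spelled out three times, here, in openssl_sample_server.cc and in TlsContext's initializer, so a later change to the fallback has to be repeated in each place. A single shared constant in a header the samples already include, e.g. `constexpr boost::asio::ssl::context::method kTlsMethod = boost::asio::ssl::context::tls;` with the `#else` picking `tlsv12`, would keep the three in step and leave one `boost::asio::ssl::context ctx(kTlsMethod);` here. The enclosing `main` starts and ends outside the hunk.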