X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=xmltooling%2Fsoap%2Fimpl%2FCURLSOAPTransport.cpp;h=c05184f05cc3c143306d64ca07c32d3e53616671;hb=6f80ef82fc120408b0b242d35f77dd92213ba318;hp=08a45538dc80faf9fea7ce5513c0b6963ecb890e;hpb=ba80fe4167b68359c8f6c90d1f9cd55465b4c0c7;p=shibboleth%2Fcpp-xmltooling.git
diff --git a/xmltooling/soap/impl/CURLSOAPTransport.cpp b/xmltooling/soap/impl/CURLSOAPTransport.cpp
index 08a4553..c05184f 100644
--- a/xmltooling/soap/impl/CURLSOAPTransport.cpp
+++ b/xmltooling/soap/impl/CURLSOAPTransport.cpp
@@ -50,7 +50,7 @@ namespace xmltooling {
 {
 public:
 CURLPool() : m_size(0), m_lock(Mutex::create()),
- m_log(Category::getInstance(XMLTOOLING_LOGCAT".SOAPTransport.CURL")) {}
+ m_log(Category::getInstance(XMLTOOLING_LOGCAT ".SOAPTransport.CURL")) {}
 ~CURLPool();
 
 CURL* get(const SOAPTransport::Address& addr);
@@ -76,7 +76,7 @@ namespace xmltooling {
 #ifndef XMLTOOLING_NO_XMLSEC
 m_cred(nullptr), m_trustEngine(nullptr), m_peerResolver(nullptr), m_mandatory(false),
 #endif
- m_openssl_ops(SSL_OP_ALL|SSL_OP_NO_SSLv2), m_ssl_callback(nullptr), m_ssl_userptr(nullptr),
+ m_openssl_ops(SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3), m_ssl_callback(nullptr), m_ssl_userptr(nullptr),
 m_chunked(true), m_authenticated(false), m_cacheTag(nullptr) {
 m_handle = g_CURLPool->get(addr);
 curl_easy_setopt(m_handle,CURLOPT_URL,addr.m_endpoint);
@@ -315,7 +315,7 @@ CURL* CURLPool::get(const SOAPTransport::Address& addr)
 curl_easy_setopt(handle,CURLOPT_FAILONERROR,1);
 // This may (but probably won't) help with < 7.20 bug in DNS caching.
 curl_easy_setopt(handle,CURLOPT_DNS_CACHE_TIMEOUT,120);
- curl_easy_setopt(handle,CURLOPT_SSL_CIPHER_LIST,"ALL:!aNULL:!LOW:!EXPORT:!SSLv2");
+ curl_easy_setopt(handle,CURLOPT_SSL_CIPHER_LIST,"ALL:!aNULL:!LOW:!EXPORT:!RC4:!SSLv2");
 // Verification of the peer is via TrustEngine only.
 curl_easy_setopt(handle,CURLOPT_SSL_VERIFYPEER,0);
 curl_easy_setopt(handle,CURLOPT_CAINFO,nullptr);
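Review bot: Adding SSL_OP_NO_SSLv3 to the m_openssl_ops default still leaves SSL_OP_ALL in the mask, and SSL_OP_ALL is a bundle of legacy bug workarounds — on the OpenSSL releases I am aware of it includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, which switches off the CBC empty-fragment countermeasure, so it is worth confirming that is intended now that the protocol floor is being raised. Because SSL_CTX_set_options in xml_ssl_ctx_callback only adds bits, the constructor default is effectively the place where this is decided unless a user-supplied m_ssl_callback clears options later (not visible here). In the same spirit, consider disabling TLS compression alongside SSLv3, guarded the way SSL_OP_NO_TICKET is in the callback: `m_openssl_ops(SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION)` under `#ifdef SSL_OP_NO_COMPRESSION`, with the current value as the fallback. The constructor's initializer list begins above this hunk, and the cipher-suite half of the TLS policy is set separately in CURLPool::get, so a one-line comment here pointing to it would help readers see the whole policy.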
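Review bot: The cipher string in CURLPool::get is a bare literal with no comment, so the reason for each exclusion — and why RC4 is joining them in this change — is lost on the next editor; a one-line comment above it would do, e.g. `// OpenSSL-syntax policy: drop anonymous, LOW/EXPORT and RC4 suites; protocol versions are restricted via m_openssl_ops in the transport ctor.`. Note that CURLOPT_SSL_CIPHER_LIST is interpreted by whichever TLS backend libcurl was built against, so this OpenSSL-syntax string may be ignored or rejected on other backends, and since the curl_easy_setopt return value is discarded here (as on the neighbouring lines) a rejected option would go unnoticed at setup time; checking that one call and logging through the pool's m_log, `if (curl_easy_setopt(handle,CURLOPT_SSL_CIPHER_LIST,"ALL:!aNULL:!LOW:!EXPORT:!RC4:!SSLv2") != CURLE_OK) m_log.warn("cipher list not accepted by libcurl TLS backend");`, would make that visible. CURLPool::get continues outside the hunk.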
@@ -481,8 +481,8 @@ void CURLSOAPTransport::send(istream* in)
 #ifdef _DEBUG
 xmltooling::NDC ndc("send");
 #endif
- Category& log=Category::getInstance(XMLTOOLING_LOGCAT".SOAPTransport.CURL");
- Category& log_curl=Category::getInstance(XMLTOOLING_LOGCAT".libcurl");
+ Category& log=Category::getInstance(XMLTOOLING_LOGCAT ".SOAPTransport.CURL");
+ Category& log_curl=Category::getInstance(XMLTOOLING_LOGCAT ".libcurl");
 
 // For this implementation, it's sufficient to check for https as a sign of transport security.
 if (m_mandatory && !isConfidential())
@@ -647,7 +647,7 @@ int xmltooling::curl_debug_hook(CURL* handle, curl_infotype type, char* data, si
 #ifndef XMLTOOLING_NO_XMLSEC
 int xmltooling::verify_callback(X509_STORE_CTX* x509_ctx, void* arg)
 {
- Category& log=Category::getInstance(XMLTOOLING_LOGCAT".SOAPTransport.CURL");
+ Category& log=Category::getInstance(XMLTOOLING_LOGCAT ".SOAPTransport.CURL");
 log.debug("invoking custom X.509 verify callback");
 #if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
 CURLSOAPTransport* ctx = reinterpret_cast(arg);
@@ -709,9 +709,9 @@ CURLcode xmltooling::xml_ssl_ctx_callback(CURL* curl, SSL_CTX* ssl_ctx, void* us
 {
 CURLSOAPTransport* conf = reinterpret_cast(userptr);
 
- // Default flags manually disable SSLv2 so we're not dependent on libcurl to do it.
- // Also disable the ticket option where implemented, since this breaks a variety
- // of servers. Newer libcurl also does this for us.
+ // Default flags manually disable SSLv2 and SSLv3 so we're not dependent on libcurl
+ // to do it. Also disable the ticket option where implemented, since this breaks a
+ // variety of servers. Newer libcurl also does this for us.
 #ifdef SSL_OP_NO_TICKET
 SSL_CTX_set_options(ssl_ctx, conf->m_openssl_ops|SSL_OP_NO_TICKET);
 #else