zeroc-ice · pepone · Apr 5, 2024 · Apr 4, 2024 · Apr 4, 2024 · Apr 4, 2024
diff --git a/config/PropertyNames.xml b/config/PropertyNames.xml
@@ -571,9 +571,6 @@ generated from the section label.
         <property name="Password" />
         <property name="PasswordCallback" />
         <property name="PasswordRetryMax" />
-        <property name="Protocols" />
-        <property name="ProtocolVersionMax" />
-        <property name="ProtocolVersionMin" />
         <property name="Random" />
         <property name="RevocationCheck" />
         <property name="RevocationCheckCacheOnly" />

diff --git a/cpp/src/Ice/PropertyNames.cpp b/cpp/src/Ice/PropertyNames.cpp
@@ -1,7 +1,7 @@
 //
 // Copyright (c) ZeroC, Inc. All rights reserved.
 //
-// Generated by makeprops.py from file ../config/PropertyNames.xml, Mon Apr  1 13:34:00 2024
+// Generated by makeprops.py from file ./config/PropertyNames.xml, Thu Apr  4 16:59:06 2024
 
 // IMPORTANT: Do not edit this file -- any edits made here will be lost!
 
@@ -1069,9 +1069,6 @@ const IceInternal::Property IceSSLPropsData[] = {
     IceInternal::Property("IceSSL.Password", false, 0),
     IceInternal::Property("IceSSL.PasswordCallback", false, 0),
     IceInternal::Property("IceSSL.PasswordRetryMax", false, 0),
-    IceInternal::Property("IceSSL.Protocols", false, 0),
-    IceInternal::Property("IceSSL.ProtocolVersionMax", false, 0),
-    IceInternal::Property("IceSSL.ProtocolVersionMin", false, 0),
     IceInternal::Property("IceSSL.Random", false, 0),
     IceInternal::Property("IceSSL.RevocationCheck", false, 0),
     IceInternal::Property("IceSSL.RevocationCheckCacheOnly", false, 0),

diff --git a/cpp/src/Ice/PropertyNames.h b/cpp/src/Ice/PropertyNames.h
@@ -1,7 +1,7 @@
 //
 // Copyright (c) ZeroC, Inc. All rights reserved.
 //
-// Generated by makeprops.py from file ../config/PropertyNames.xml, Mon Apr  1 13:34:00 2024
+// Generated by makeprops.py from file ./config/PropertyNames.xml, Thu Apr  4 16:59:06 2024
 
 // IMPORTANT: Do not edit this file -- any edits made here will be lost!
 

diff --git a/cpp/src/IceSSL/OpenSSLEngine.cpp b/cpp/src/IceSSL/OpenSSLEngine.cpp
@@ -251,16 +251,12 @@ OpenSSL::SSLEngine::initialize()
 #if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3_METHOD)
         defaultProtocols.push_back("tls1_3");
 #endif
-
-        const int protocols =
-            parseProtocols(properties->getPropertyAsListWithDefault(propPrefix + "Protocols", defaultProtocols));
-
         //
         // Create an SSL context if the application hasn't supplied one.
         //
         if (!_ctx)
         {
-            _ctx = SSL_CTX_new(getMethod(protocols));
+            _ctx = SSL_CTX_new(getMethod());
             if (!_ctx)
             {
                 throw PluginInitializationException(
@@ -769,14 +765,6 @@ OpenSSL::SSLEngine::initialize()
             reinterpret_cast<unsigned char*>(this),
             static_cast<unsigned int>(sizeof(this)));
 
-        //
-        // Select protocols.
-        //
-        if (protocols != 0)
-        {
-            setOptions(protocols);
-        }
-
         //
         // Establish the cipher list.
         //
@@ -876,127 +864,9 @@ OpenSSL::SSLEngine::dhParams(int keyLength)
 }
 #endif
 
-int
-OpenSSL::SSLEngine::parseProtocols(const StringSeq& protocols) const
-{
-    int v = 0;
-
-    for (Ice::StringSeq::const_iterator p = protocols.begin(); p != protocols.end(); ++p)
-    {
-        string prot = IceUtilInternal::toUpper(*p);
-        if (prot == "SSL3" || prot == "SSLV3")
-        {
-#if defined(OPENSSL_NO_SSL3_METHOD) || !defined(SSL3_VERSION)
-            throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: OpenSSL was build without SSLv3 support");
-#else
-            v |= SSLv3;
-#endif
-        }
-        else if (prot == "TLS" || prot == "TLS1" || prot == "TLSV1" || prot == "TLS1_0" || prot == "TLSV1_0")
-        {
-#if defined(OPENSSL_NO_TLS1_METHOD) || !defined(TLS1_VERSION)
-            throw PluginInitializationException(
-                __FILE__,
-                __LINE__,
-                "IceSSL: OpenSSL was build without TLS 1.0 support");
-#else
-            v |= TLSv1_0;
-#endif
-        }
-        else if (prot == "TLS1_1" || prot == "TLSV1_1")
-        {
-#if defined(OPENSSL_NO_TLS1_1_METHOD) || !defined(TLS1_1_VERSION)
-            throw PluginInitializationException(
-                __FILE__,
-                __LINE__,
-                "IceSSL: OpenSSL was build without TLS 1.1 support");
-#else
-            v |= TLSv1_1;
-#endif
-        }
-        else if (prot == "TLS1_2" || prot == "TLSV1_2")
-        {
-#if defined(OPENSSL_NO_TLS1_2_METHOD) || !defined(TLS1_2_VERSION)
-            throw PluginInitializationException(
-                __FILE__,
-                __LINE__,
-                "IceSSL: OpenSSL was build without TLS 1.2 support");
-#else
-            v |= TLSv1_2;
-#endif
-        }
-        else if (prot == "TLS1_3" || prot == "TLSV1_3")
-        {
-#if defined(OPENSSL_NO_TLS1_3_METHOD) || !defined(TLS1_3_VERSION)
-            throw PluginInitializationException(
-                __FILE__,
-                __LINE__,
-                "IceSSL: OpenSSL was build without TLS 1.3 support");
-#else
-            v |= TLSv1_3;
-#endif
-        }
-        else
-        {
-            throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: unrecognized protocol `" + *p + "'");
-        }
-    }
-
-    return v;
-}
-
 SSL_METHOD*
-OpenSSL::SSLEngine::getMethod(int /*protocols*/)
+OpenSSL::SSLEngine::getMethod()
 {
     SSL_METHOD* meth = const_cast<SSL_METHOD*>(TLS_method());
     return meth;
 }
-
-void
-OpenSSL::SSLEngine::setOptions(int protocols)
-{
-    long opts = SSL_OP_NO_SSLv2; // SSLv2 is not supported.
-
-#ifdef SSL_OP_NO_SSLv3
-    if (!(protocols & SSLv3))
-    {
-        opts |= SSL_OP_NO_SSLv3;
-    }
-#endif
-
-#ifdef SSL_OP_NO_TLSv1
-    if (!(protocols & TLSv1_0))
-    {
-        opts |= SSL_OP_NO_TLSv1;
-    }
-#endif
-
-#ifdef SSL_OP_NO_TLSv1_1
-    if (!(protocols & TLSv1_1))
-    {
-        opts |= SSL_OP_NO_TLSv1_1;
-        //
-        // The value of SSL_OP_NO_TLSv1_1 changed between 1.0.1a and 1.0.1b.
-        //
-        if (SSL_OP_NO_TLSv1_1 == 0x00000400L)
-        {
-            opts |= 0x10000000L; // New value of SSL_OP_NO_TLSv1_1.
-        }
-    }
-#endif
-
-#ifdef SSL_OP_NO_TLSv1_2
-    if (!(protocols & TLSv1_2))
-    {
-        opts |= SSL_OP_NO_TLSv1_2;
-    }
-#endif
-
-#ifdef SSL_OP_NO_TLSv1_3
-    if (!(protocols & TLSv1_3))
-    {
-        opts |= SSL_OP_NO_TLSv1_3;
-    }
-#endif
-    SSL_CTX_set_options(_ctx, opts);
-}
diff --git a/cpp/src/IceSSL/OpenSSLEngine.h b/cpp/src/IceSSL/OpenSSLEngine.h
@@ -37,17 +37,7 @@ namespace IceSSL
 
         private:
             void cleanup();
-            SSL_METHOD* getMethod(int);
-            void setOptions(int);
-            enum Protocols
-            {
-                SSLv3 = 1,
-                TLSv1_0 = 2,
-                TLSv1_1 = 4,
-                TLSv1_2 = 8,
-                TLSv1_3 = 16
-            };
-            int parseProtocols(const Ice::StringSeq&) const;
+            SSL_METHOD* getMethod();
 
             SSL_CTX* _ctx;
 

diff --git a/cpp/src/IceSSL/SChannelEngine.cpp b/cpp/src/IceSSL/SChannelEngine.cpp
@@ -403,44 +403,6 @@ namespace
         }
     }
 
-    DWORD
-    parseProtocols(const StringSeq& protocols)
-    {
-        DWORD v = 0;
-
-        for (Ice::StringSeq::const_iterator p = protocols.begin(); p != protocols.end(); ++p)
-        {
-            string prot = IceUtilInternal::toUpper(*p);
-
-            if (prot == "SSL3" || prot == "SSLV3")
-            {
-                v |= SP_PROT_SSL3;
-            }
-            else if (prot == "TLS" || prot == "TLS1" || prot == "TLSV1" || prot == "TLS1_0" || prot == "TLSV1_0")
-            {
-                v |= SP_PROT_TLS1;
-            }
-            else if (prot == "TLS1_1" || prot == "TLSV1_1")
-            {
-                v |= SP_PROT_TLS1_1;
-            }
-            else if (prot == "TLS1_2" || prot == "TLSV1_2")
-            {
-                v |= SP_PROT_TLS1_2;
-            }
-            else if (prot == "TLS1_3" || prot == "TLSV1_2")
-            {
-                v |= SP_PROT_TLS1_3;
-            }
-            else
-            {
-                throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: unrecognized protocol `" + *p + "'");
-            }
-        }
-
-        return v;
-    }
-
     const ALG_ID supportedCiphers[] = {CALG_3DES, CALG_AES_128, CALG_AES_256, CALG_DES, CALG_RC2, CALG_RC4};
     const int supportedCiphersSize = sizeof(supportedCiphers) / sizeof(ALG_ID);
 
@@ -616,17 +578,6 @@ SChannel::SSLEngine::initialize()
     const string prefix = "IceSSL.";
     const PropertiesPtr properties = communicator()->getProperties();
 
-    //
-    // Protocols selects which protocols to enable, by default we only enable TLS1.0
-    // TLS1.1 and TLS1.2 to avoid security issues with SSLv3
-    //
-    vector<string> defaultProtocols;
-    defaultProtocols.push_back("tls1_0");
-    defaultProtocols.push_back("tls1_1");
-    defaultProtocols.push_back("tls1_2");
-    const_cast<DWORD&>(_protocols) =
-        parseProtocols(properties->getPropertyAsListWithDefault(prefix + "Protocols", defaultProtocols));
-
     const_cast<bool&>(_strongCrypto) = properties->getPropertyAsIntWithDefault(prefix + "SchannelStrongCrypto", 0) > 0;
 
     //
@@ -1199,8 +1150,6 @@ SChannel::SSLEngine::newCredentialsHandle(bool incoming)
         cred.paCred = &_allCerts[0];
     }
 
-    cred.grbitEnabledProtocols = _protocols;
-
     if (incoming)
     {
         //

diff --git a/cpp/src/IceSSL/SChannelEngine.h b/cpp/src/IceSSL/SChannelEngine.h
@@ -59,7 +59,6 @@ namespace IceSSL
 
             std::vector<PCCERT_CONTEXT> _allCerts;
             std::vector<PCCERT_CONTEXT> _importedCerts;
-            DWORD _protocols;
 
             std::vector<HCERTSTORE> _stores;
             HCERTSTORE _rootStore;

diff --git a/cpp/src/IceSSL/SecureTransportEngine.cpp b/cpp/src/IceSSL/SecureTransportEngine.cpp
@@ -738,43 +738,12 @@ namespace
     }
 
     map<string, SSLCipherSuite> CiphersHelper::ciphers() { return _ciphers; }
-
-    SSLProtocol parseProtocol(const string& p)
-    {
-        const string prot = IceUtilInternal::toUpper(p);
-        if (prot == "SSL3" || prot == "SSLV3")
-        {
-            return kSSLProtocol3;
-        }
-        else if (prot == "TLS" || prot == "TLS1" || prot == "TLSV1" || prot == "TLS1_0" || prot == "TLSV1_0")
-        {
-            return kTLSProtocol1;
-        }
-        else if (prot == "TLS1_1" || prot == "TLSV1_1")
-        {
-            return kTLSProtocol11;
-        }
-        else if (prot == "TLS1_2" || prot == "TLSV1_2")
-        {
-            return kTLSProtocol12;
-        }
-        else if (prot == "TLS1_3" || prot == "TLSV1_3")
-        {
-            return kTLSProtocol13;
-        }
-        else
-        {
-            throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: unrecognized protocol `" + p + "'");
-        }
-    }
 }
 
 IceSSL::SecureTransport::SSLEngine::SSLEngine(const Ice::CommunicatorPtr& communicator)
     : IceSSL::SSLEngine(communicator),
       _certificateAuthorities(0),
-      _chain(0),
-      _protocolVersionMax(kSSLProtocolUnknown),
-      _protocolVersionMin(kSSLProtocolUnknown)
+      _chain(0)
 {
 }
 
@@ -976,24 +945,6 @@ IceSSL::SecureTransport::SSLEngine::initialize()
         }
         getLogger()->trace(securityTraceCategory(), os.str());
     }
-
-    //
-    // Parse protocols
-    //
-    const string protocolVersionMax = properties->getProperty("IceSSL.ProtocolVersionMax");
-    if (!protocolVersionMax.empty())
-    {
-        _protocolVersionMax = parseProtocol(protocolVersionMax);
-    }
-
-    //
-    // The default min protocol version is set to TLS1.0 to avoid security issues with SSLv3
-    //
-    const string protocolVersionMin = properties->getPropertyWithDefault("IceSSL.ProtocolVersionMin", "tls1_0");
-    if (!protocolVersionMin.empty())
-    {
-        _protocolVersionMin = parseProtocol(protocolVersionMin);
-    }
     _initialized = true;
 }
 
@@ -1096,28 +1047,6 @@ IceSSL::SecureTransport::SSLEngine::newContext(bool incoming)
             "IceSSL: error while setting SSL option:\n" + sslErrorToString(err));
     }
 
-    if (_protocolVersionMax != kSSLProtocolUnknown)
-    {
-        if ((err = SSLSetProtocolVersionMax(ssl, _protocolVersionMax)))
-        {
-            throw SecurityException(
-                __FILE__,
-                __LINE__,
-                "IceSSL: error while setting SSL protocol version max:\n" + sslErrorToString(err));
-        }
-    }
-
-    if (_protocolVersionMin != kSSLProtocolUnknown)
-    {
-        if ((err = SSLSetProtocolVersionMin(ssl, _protocolVersionMin)))
-        {
-            throw SecurityException(
-                __FILE__,
-                __LINE__,
-                "IceSSL: error while setting SSL protocol version min:\n" + sslErrorToString(err));
-        }
-    }
-
     return ssl;
 }