THRIFT-5706: lib/cpp Fix the Security tests on openssl 1.1 and 3.0 This PR fixes the Security tests to build on a clean install of ubuntu 20.04 and ubuntu 22.04 without modifications to the systems openssl configuration. * Enable TLS 1.0 and TLS 1.1 on OpenSSL 1.1 with the seclevel=0 flag * Disable TLS 1.0 and TLS 1.1 on OpenSSL 3.0 While its technically possible to enable it on OpenSSL 3 I think because of all the issues with these old TLS versions dropping support for it is better. This PR builds forth on the work done here: https://github.com/apache/thrift/pull/2811 Tested with the ubuntu 20.04 (OpenSSL 1.1) and 22.04 (OpenSSL 3.0) docker containers. All lib/cpp tests succeed in both.

commit: 8148f2ff9740c11417b7e2d2800c07129be2092d [log] [tgz]
author: Thomas <thomasbruggink@hotmail.com> Mon Feb 26 21:45:05 2024 +0900
committer: Thomas <thomasbruggink@hotmail.com> Mon Feb 26 22:32:18 2024 +0900
tree: 980da9960391133668ea1629c0cc9b2efca717ee
parent: da2ef3486ba5c0f27e470f010590b14d330f799a [diff]
diff --git a/lib/cpp/test/SecurityFromBufferTest.cpp b/lib/cpp/test/SecurityFromBufferTest.cpp
index 65ec8b6..c4f5c8e 100644
--- a/lib/cpp/test/SecurityFromBufferTest.cpp
+++ b/lib/cpp/test/SecurityFromBufferTest.cpp

@@ -109,7 +109,13 @@
       shared_ptr<TSSLServerSocket> pServerSocket;
 
       pServerSocketFactory.reset(new TSSLSocketFactory(static_cast<apache::thrift::transport::SSLProtocol>(protocol)));
-      pServerSocketFactory->ciphers("ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
+      #if OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x30000000L
+          // OpenSSL 1.1.0 introduced @SECLEVEL. Modern distributions limit TLS 1.0/1.1
+          // to @SECLEVEL=0 or 1, so specify it to test all combinations.
+          pServerSocketFactory->ciphers("ALL:!ADH:!LOW:!EXP:!MD5:@SECLEVEL=0");
+      #else
+          pServerSocketFactory->ciphers("ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
+      #endif
       pServerSocketFactory->loadCertificateFromBuffer(certString("server.crt").c_str());
       pServerSocketFactory->loadPrivateKeyFromBuffer(certString("server.key").c_str());
       pServerSocketFactory->server(true);
@@ -155,6 +161,11 @@
       try {
         pClientSocketFactory.reset(new TSSLSocketFactory(static_cast<apache::thrift::transport::SSLProtocol>(protocol)));
         pClientSocketFactory->authenticate(true);
+        #if OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x30000000L
+            // OpenSSL 1.1.0 introduced @SECLEVEL. Modern distributions limit TLS 1.0/1.1
+            // to @SECLEVEL=0 or 1, so specify it to test all combinations.
+            pClientSocketFactory->ciphers("ALL:!ADH:!LOW:!EXP:!MD5:@SECLEVEL=0");
+        #endif
         pClientSocketFactory->loadCertificateFromBuffer(certString("client.crt").c_str());
         pClientSocketFactory->loadPrivateKeyFromBuffer(certString("client.key").c_str());
         pClientSocketFactory->loadTrustedCertificatesFromBuffer(certString("CA.pem").c_str());
@@ -199,16 +210,16 @@
   try {
     // matrix of connection success between client and server with different SSLProtocol selections
         static_assert(apache::thrift::transport::LATEST == 5, "Mismatch in assumed number of ssl protocols");
-        bool ossl1 = (OPENSSL_VERSION_NUMBER < 0x30000000L);
+        bool ossl1x = (OPENSSL_VERSION_NUMBER < 0x30000000L);
         bool matrix[apache::thrift::transport::LATEST + 1][apache::thrift::transport::LATEST + 1] =
         {
     //   server    = SSLTLS   SSLv2    SSLv3    TLSv1_0  TLSv1_1  TLSv1_2
     // client
-    /* SSLTLS  */  { true,    false,   false,   ossl1,   ossl1,   true    },
+    /* SSLTLS  */  { true,    false,   false,   ossl1x,  ossl1x,  true    },
     /* SSLv2   */  { false,   false,   false,   false,   false,   false   },
     /* SSLv3   */  { false,   false,   true,    false,   false,   false   },
-    /* TLSv1_0 */  { ossl1,   false,   false,   ossl1,   false,   false   },
-    /* TLSv1_1 */  { ossl1,   false,   false,   false,   ossl1,   false   },
+    /* TLSv1_0 */  { ossl1x,  false,   false,   ossl1x,  false,   false   },
+    /* TLSv1_1 */  { ossl1x,  false,   false,   false,   ossl1x,  false   },
     /* TLSv1_2 */  { true,    false,   false,   false,   false,   true    }
         };
 

diff --git a/lib/cpp/test/SecurityTest.cpp b/lib/cpp/test/SecurityTest.cpp
index 06ee8fe..4c6c732 100644
--- a/lib/cpp/test/SecurityTest.cpp
+++ b/lib/cpp/test/SecurityTest.cpp

@@ -108,7 +108,13 @@
             shared_ptr<TSSLServerSocket> pServerSocket;
 
             pServerSocketFactory.reset(new TSSLSocketFactory(static_cast<apache::thrift::transport::SSLProtocol>(protocol)));
-            pServerSocketFactory->ciphers("ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
+            #if OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x30000000L
+                // OpenSSL 1.1.0 introduced @SECLEVEL. Modern distributions limit TLS 1.0/1.1
+                // to @SECLEVEL=0 or 1, so specify it to test all combinations.
+                pServerSocketFactory->ciphers("ALL:!ADH:!LOW:!EXP:!MD5:@SECLEVEL=0:@STRENGTH");
+            #else
+                pServerSocketFactory->ciphers("ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
+            #endif
             pServerSocketFactory->loadCertificate(certFile("server.crt").string().c_str());
             pServerSocketFactory->loadPrivateKey(certFile("server.key").string().c_str());
             pServerSocketFactory->server(true);
@@ -162,6 +168,11 @@
             {
                 pClientSocketFactory.reset(new TSSLSocketFactory(static_cast<apache::thrift::transport::SSLProtocol>(protocol)));
                 pClientSocketFactory->authenticate(true);
+                #if OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x30000000L
+                    // OpenSSL 1.1.0 introduced @SECLEVEL. Modern distributions limit TLS 1.0/1.1
+                    // to @SECLEVEL=0 or 1, so specify it to test all combinations.
+                    pClientSocketFactory->ciphers("ALL:!ADH:!LOW:!EXP:!MD5:@SECLEVEL=0");
+                #endif
                 pClientSocketFactory->loadCertificate(certFile("client.crt").string().c_str());
                 pClientSocketFactory->loadPrivateKey(certFile("client.key").string().c_str());
                 pClientSocketFactory->loadTrustedCertificates(certFile("CA.pem").string().c_str());
@@ -221,16 +232,16 @@
     {
         // matrix of connection success between client and server with different SSLProtocol selections
         static_assert(apache::thrift::transport::LATEST == 5, "Mismatch in assumed number of ssl protocols");
-        bool ossl1 = (OPENSSL_VERSION_NUMBER < 0x30000000L);
+        bool ossl1x = (OPENSSL_VERSION_NUMBER < 0x30000000L);
         bool matrix[apache::thrift::transport::LATEST + 1][apache::thrift::transport::LATEST + 1] =
         {
     //   server    = SSLTLS   SSLv2    SSLv3    TLSv1_0  TLSv1_1  TLSv1_2
     // client
-    /* SSLTLS  */  { true,    false,   false,   ossl1,   ossl1,   true    },
+    /* SSLTLS  */  { true,    false,   false,   ossl1x,  ossl1x,  true    },
     /* SSLv2   */  { false,   false,   false,   false,   false,   false   },
     /* SSLv3   */  { false,   false,   true,    false,   false,   false   },
-    /* TLSv1_0 */  { ossl1,   false,   false,   ossl1,   false,   false   },
-    /* TLSv1_1 */  { ossl1,   false,   false,   false,   ossl1,   false   },
+    /* TLSv1_0 */  { ossl1x,  false,   false,   ossl1x,  false,   false   },
+    /* TLSv1_1 */  { ossl1x,  false,   false,   false,   ossl1x,  false   },
     /* TLSv1_2 */  { true,    false,   false,   false,   false,   true    }
         };
commit	8148f2ff9740c11417b7e2d2800c07129be2092d	[log] [tgz]
author	Thomas <thomasbruggink@hotmail.com>	Mon Feb 26 21:45:05 2024 +0900
committer	Thomas <thomasbruggink@hotmail.com>	Mon Feb 26 22:32:18 2024 +0900
tree	980da9960391133668ea1629c0cc9b2efca717ee
parent	da2ef3486ba5c0f27e470f010590b14d330f799a [diff]