Enforce TLS 1.2 for libcurl and winHttp (#3460)

* Enforce TLS 1.2 for libcurl and winHttp

* docs

* missing rename
Victor Vazquez 2022-03-22 14:27:28 -07:00 committed by GitHub
parent 774077630a
commit d7536a2c25
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 27 additions and 0 deletions


@ -41,6 +41,10 @@ Multiple HTTP transport adapters can be built as part of the project. This is to
Another example is if you want to create your own HTTP transport adapter. In this case, you can build your own HTTP transport adapter and test it by comparing it to the behavior of the libcurl HTTP transport adapter.
## TLS 1.2
The transport adapters from the Azure SDK (libcurl and winHTTP) enforces the use of Transport Layer Security version 1.2. If you need to use an older version, please do it by creating a fork to update the source code. Or consider creating a [custom transport adapter](#building-a-custom-http-transport-adapter) implementation within your application source code.
## Using the HTTP Transport Adapter
The HTTP transport adapter is set up during service client initialization, for example, when creating an Azure Storage client. The HTTP transport adapter can be specified at client initialization via the client options argument. The example below shows how to use the default HTTP transport adapter when constructing an SDK client:
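Review bot: the new "TLS 1.2" paragraph says the adapters "enforces the use of Transport Layer Security version 1.2", which reads as TLS 1.2 only, while the changelog entry in this same change says "TLS 1.2 or greater"; the docs should state which it is per transport (and "adapters ... enforces" should be "adapters ... enforce"). It would also help readers to say that the adapter throws a `TransportException` when the protocol restriction cannot be applied, since that is the new failure mode the code paths introduce.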


@ -7,6 +7,10 @@
- When a `RequestFailedException` exception is thrown, the `what()` method now includes information about the HTTP request which failed.
- Adding option `WinHttpTransportOptions.IgnoreUnknownServerCert`. It can be used to disable verifying server certificate for the `WinHttpTransport`.
### Breaking Changes
- Enforce TLS 1.2 or greater for `CurlTransport` and `WinHttpTransport`.
### Other Changes
- Improve output message for `Azure::Core::Http::TransportException`.
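Review bot: the "Breaking Changes" entry promises "TLS 1.2 or greater" for both transports, but the WinHTTP hunk only sets `WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2`, which allows exactly TLS 1.2; either reword the entry per transport or extend the WinHTTP flag set so the changelog matches the code. Consider also mentioning that both transports now throw `TransportException` at connection time if the TLS restriction cannot be set, as callers may need to handle that.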


@ -1423,6 +1423,14 @@ std::unique_ptr<CurlNetworkConnection> CurlConnectionPool::ExtractOrCreateCurlCo
+ ". Failed to set libcurl HTTP/1.1" + ". " + std::string(curl_easy_strerror(result)));
}
// Make libcurl to support only TLS v1.2 or later
if (!SetLibcurlOption(newHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2, &result))
{
throw Azure::Core::Http::TransportException(
_detail::DefaultFailedToGetNewConnectionTemplate + hostDisplayName
+ ". Failed enforcing TLS v1.2 or greater. " + std::string(curl_easy_strerror(result)));
}
auto performResult = curl_easy_perform(newHandle);
if (performResult != CURLE_OK)
{
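Review bot: the comment "Make libcurl to support only TLS v1.2 or later" is ungrammatical; "Restrict libcurl to TLS 1.2 or later" is clearer. The "or later" meaning of `CURL_SSLVERSION_TLSv1_2` depends on the libcurl version and TLS backend in use (older releases did not treat the `CURL_SSLVERSION_TLSv1_x` constants as a minimum), so the docs should state the minimum libcurl version the adapter expects. The error text also says "TLS v1.2" while the WinHTTP path says "TLS 1.2"; pick one spelling for both transports.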


@ -267,6 +267,17 @@ void WinHttpTransport::CreateSessionHandle(std::unique_ptr<_detail::HandleManage
&tcp_false_start,
sizeof(tcp_false_start));
#endif
// Enforce TLS version 1.2
auto tlsOption = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
if (!WinHttpSetOption(
handleManager->m_sessionHandle,
WINHTTP_OPTION_SECURE_PROTOCOLS,
&tlsOption,
sizeof(tlsOption)))
{
GetErrorAndThrow("Error while enforcing TLS 1.2 for connection request.");
}
}
void WinHttpTransport::CreateConnectionHandle(
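Review bot: `WINHTTP_OPTION_SECURE_PROTOCOLS` takes a bitmask of allowed protocols, so passing only `WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2` restricts the session to TLS 1.2 exactly and will not negotiate TLS 1.3 on Windows builds that support it; if "TLS 1.2 or greater" is the intent, OR in `WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3` under an `#ifdef` for SDKs that define it. Also declare the option as `DWORD tlsOption = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;` rather than `auto`, since `WinHttpSetOption` expects a DWORD-sized buffer for this option and `auto` deduces the macro's literal type.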