From d7536a2c25875c01f6b3aa9a7566d89b31ab63e0 Mon Sep 17 00:00:00 2001
From: Victor Vazquez
Date: Tue, 22 Mar 2022 14:27:28 -0700
Subject: [PATCH] Enforce TLS 1.2 for libcurl and winHttp (#3460)
* Enforce TLS 1.2 for libcurl and winHttp
* docs
* missing rename
---
 doc/HttpTransportAdapter.md | 4 ++++
 sdk/core/azure-core/CHANGELOG.md | 4 ++++
 sdk/core/azure-core/src/http/curl/curl.cpp | 8 ++++++++
 .../src/http/winhttp/win_http_transport.cpp | 11 +++++++++++
 4 files changed, 27 insertions(+)
diff --git a/doc/HttpTransportAdapter.md b/doc/HttpTransportAdapter.md
index 2691f7fb7..de7d3a8cd 100644
--- a/doc/HttpTransportAdapter.md
+++ b/doc/HttpTransportAdapter.md
@@ -41,6 +41,10 @@ Multiple HTTP transport adapters can be built as part of the project. This is to
 Another example is if you want to create your own HTTP transport adapter. In this case, you can build your own HTTP transport adapter and test it by comparing it to the behavior of the libcurl HTTP transport adapter.
+## TLS 1.2
+
+The transport adapters from the Azure SDK (libcurl and winHTTP) enforces the use of Transport Layer Security version 1.2. If you need to use an older version, please do it by creating a fork to update the source code. Or consider creating a [custom transport adapter](#building-a-custom-http-transport-adapter) implementation within your application source code.
+
 ## Using the HTTP Transport Adapter
 The HTTP transport adapter is set up during service client initialization, for example, when creating an Azure Storage client. The HTTP transport adapter can be specified at client initialization via the client options argument. The example below shows how to use the default HTTP transport adapter when constructing an SDK client:
diff --git a/sdk/core/azure-core/CHANGELOG.md b/sdk/core/azure-core/CHANGELOG.md
index e83562afe..5604cde90 100644
--- a/sdk/core/azure-core/CHANGELOG.md
+++ b/sdk/core/azure-core/CHANGELOG.md
@@ -7,6 +7,10 @@
 - When a `RequestFailedException` exception is thrown, the `what()` method now includes information about the HTTP request which failed.
 - Adding option `WinHttpTransportOptions.IgnoreUnknownServerCert`. It can be used to disable verifying server certificate for the `WinHttpTransport`.
+### Breaking Changes
+
+- Enforce TLS 1.2 or greater for `CurlTransport` and `WinHttpTransport`.
+
 ### Other Changes
 - Improve output message for `Azure::Core::Http::TransportException`.
diff --git a/sdk/core/azure-core/src/http/curl/curl.cpp b/sdk/core/azure-core/src/http/curl/curl.cpp
index ade2629e5..0eff96409 100644
--- a/sdk/core/azure-core/src/http/curl/curl.cpp
+++ b/sdk/core/azure-core/src/http/curl/curl.cpp
@@ -1423,6 +1423,14 @@ std::unique_ptr CurlConnectionPool::ExtractOrCreateCurlCo
 + ". Failed to set libcurl HTTP/1.1" + ". " + std::string(curl_easy_strerror(result)));
 }
+ // Make libcurl to support only TLS v1.2 or later
+ if (!SetLibcurlOption(newHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2, &result))
+ {
+ throw Azure::Core::Http::TransportException( _detail::DefaultFailedToGetNewConnectionTemplate + hostDisplayName + ". Failed enforcing TLS v1.2 or greater. " + std::string(curl_easy_strerror(result))); }
+
 auto performResult = curl_easy_perform(newHandle);
 if (performResult != CURLE_OK)
 {
diff --git a/sdk/core/azure-core/src/http/winhttp/win_http_transport.cpp b/sdk/core/azure-core/src/http/winhttp/win_http_transport.cpp
index ffeff1787..a21878a24 100644
--- a/sdk/core/azure-core/src/http/winhttp/win_http_transport.cpp
+++ b/sdk/core/azure-core/src/http/winhttp/win_http_transport.cpp
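Review bot: The new throw for a failed `CURLOPT_SSLVERSION` call copies the pattern of the HTTP/1.1 check just above it, so if `newHandle` is still a raw `CURL*` at this point (its creation is outside the hunk) this path, like that one, leaves the easy handle without a `curl_easy_cleanup`; worth confirming it is held by an RAII owner, or cleaning it up before throwing. The comment reads awkwardly and understates what the option does; `// Restrict libcurl to TLS 1.2 or later (CURLOPT_SSLVERSION sets the minimum accepted version)` makes clear that `CURL_SSLVERSION_TLSv1_2` is a floor, not a pin, which is what the changelog's "TLS 1.2 or greater" promises. Because the option is applied on every new connection, a libcurl whose TLS backend rejects it will now fail all requests with a `TransportException`; the "Failed enforcing TLS v1.2 or greater" prefix plus curl's own strerror text should make that diagnosable, but a short comment saying the failure is expected to be a build/backend limitation rather than a server problem would help the on-call reader. The enclosing `ExtractOrCreateCurlCo…` function (name truncated in the hunk header) starts before the hunk and continues after it.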
@@ -267,6 +267,17 @@ void WinHttpTransport::CreateSessionHandle(std::unique_ptr<_detail::HandleManage
 &tcp_false_start, sizeof(tcp_false_start));
 #endif
+
+ // Enforce TLS version 1.2
+ auto tlsOption = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
+ if (!WinHttpSetOption( handleManager->m_sessionHandle, WINHTTP_OPTION_SECURE_PROTOCOLS, &tlsOption, sizeof(tlsOption)))
+ {
+ GetErrorAndThrow("Error while enforcing TLS 1.2 for connection request.");
+ }
 }
void WinHttpTransport::CreateConnectionHandle(
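Review bot: The WinHTTP side pins exactly TLS 1.2 while the changelog entry and the libcurl change in this same commit say "TLS 1.2 or greater": `WINHTTP_OPTION_SECURE_PROTOCOLS` is a bitmask of permitted versions, and passing `WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2` alone excludes TLS 1.3, so a server that negotiates only 1.3 will fail the handshake and surface as the new "Error while enforcing TLS 1.2" exception. If a floor is intended, OR in `WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3` where the Windows SDK defines it, e.g. `DWORD tlsOption = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3;` under a guard like the one whose `#endif` is visible at the top of the hunk (the opening `#ifdef` is outside it), and otherwise the changelog should say "TLS 1.2 only" for `WinHttpTransport`. Separately, the option documents a `DWORD` buffer, but `auto tlsOption` deduces the macro literal's type; writing `DWORD tlsOption` makes the `sizeof(tlsOption)` passed to `WinHttpSetOption` match that contract by construction rather than by coincidence of integer widths. `CreateSessionHandle` begins before the hunk.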