我有一个处理soap请求的服务器。它使用gSOAP 2.8.14。目前它只允许TLSv1连接。我需要强制它只允许TLSv1.2连接。
if (soap_ssl_server_context(&soap,
SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION | SOAP_SSL_REQUIRE_CLIENT_AUTHENTICATION | SOAP_TLSv1,
keyfile, // keyfile: required when server must authenticate to clients
keyfilepass, // password to read the key file
NULL, // optional cacert file to store trusted certificates
capath, // optional capath to directory with trusted certificates
dhfile, // DH file name or DH key len bits
NULL, // if randfile!=NULL: use a file with random data
serverId // server identification for SSL session cache
))
{
printf("SSL Failed to initialize.\n");
soap_print_fault(&soap, stderr);
return;
}
根据gSOAP changelog,在gSOAP 2.8.24中添加了TLSv1.1和TLSv1.2的标志。因此,我已将我的gSOAP更新为最新版本(2.8.27)。如stdsoap2.h中的gSOAP源代码所述,要仅使用TLSv1.2,我需要使用SOAP_TLSv1_2标志:
#define SOAP_TLSv1 0x0000 /* enable TLS v1.0/1.1/1.2 only (default) */
#define SOAP_SSLv3_TLSv1 0x0040 /* enable SSL v3 and TLS v1.0/1.1/1.2 */
#define SOAP_SSLv3 0x0080 /* only SSL v3 */
#define SOAP_TLSv1_0 0x0100 /* only TLS v1.0 */
#define SOAP_TLSv1_1 0x0200 /* only TLS v1.1 */
#define SOAP_TLSv1_2 0x0400 /* only TLS v1.2 */
我已在SOAP_TLSv1函数中将SOAP_TLSv1_2替换为soap_ssl_server_context。
if (soap_ssl_server_context(&soap,
SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION | SOAP_SSL_REQUIRE_CLIENT_AUTHENTICATION | SOAP_TLSv1_2,
...))
{
printf("SSL Failed to initialize.\n");
soap_print_fault(&soap, stderr);
return;
}
但在测试期间,我发现服务器仍然接受通过TLSv1的请求。
所以,我的问题是如何强制服务器仅通过TLSv1.2处理soap请求?
答案 0 :(得分:1)
要仅使用gSOAP强制TLS限制为TLSv1.2,您需要:
使用gsoap 2.8.27使用选项SOAP_TLSv1_2设置soap_ssl_client_context()和soap_ssl_server_context()。我在http://www.genivia.com/tutorials.html