Stop using deprecated functions (#643)

* Stop using deperecated functions * Exclude the unwanted protocols from the SSL_CTX * Require openssl 1.1.1 now, tls_method is then available Subsequently remove sslv3 support by requiring minimum tls1 in the SSL_CTX * Check for minimum version 1.1.1 Disable SSL if not found and warn about it
intel · Jun 27, 2024 · 8c7d1cf · 8c7d1cf
1 parent cc5d6e2
commit 8c7d1cf
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 4 deletions.
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
@@ -1,10 +1,13 @@
 # SPDX-License-Identifier: BSD-3-Clause
 # Copyright (c) 2022, Intel Corporation
 
+include(FindOpenSSL)
 
 # All pcm-* executables
 set(PROJECT_NAMES pcm pcm-numa pcm-latency pcm-power pcm-msr pcm-memory pcm-tsx pcm-pcie pcm-core pcm-iio pcm-lspci pcm-pcicfg pcm-mmio pcm-tpmi pcm-raw pcm-accel)
 
+set(MINIMUM_OPENSSL_VERSION 1.1.1)
+
 file(GLOB COMMON_SOURCES pcm-accel-common.cpp msr.cpp cpucounters.cpp pci.cpp mmio.cpp tpmi.cpp pmt.cpp bw.cpp utils.cpp topology.cpp debug.cpp threadpool.cpp uncore_pmu_discovery.cpp)
 
 if (APPLE)
@@ -147,9 +150,14 @@ foreach(PROJECT_NAME ${PROJECT_NAMES})
       else()
         message(STATUS "Compiling with SSL support, requires libssl-dev or openssl-devel or libopenssl-devel or libopenssl-dev package installed")
         message(STATUS "To disable SSL support, use -DNO_SSL=1 option")
-        find_package(OpenSSL REQUIRED)
-        target_compile_options(${PROJECT_NAME} PRIVATE "-DUSE_SSL")
-        set(LIBS ${LIBS} OpenSSL::SSL OpenSSL::Crypto)
+        find_package(OpenSSL ${MINIMUM_OPENSSL_VERSION} QUIET)
+        if(OPENSSL_FOUND)
+          message(STATUS "OpenSSL version ${OPENSSL_VERSION} >= ${MINIMUM_OPENSSL_VERSION}, OpenSSL support enabled")
+          target_compile_options(${PROJECT_NAME} PRIVATE "-DUSE_SSL")
+          set(LIBS ${LIBS} OpenSSL::SSL OpenSSL::Crypto)
+        else()
+          message(STATUS "OpenSSL support has been disabled, the version is less than ${MINIMUM_OPENSSL_VERSION}")
+        endif()
       endif()
       file(READ pcm-sensor-server.service.in SENSOR_SERVICE_IN)
       string(REPLACE "@@CMAKE_INSTALL_SBINDIR@@" "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_SBINDIR}" SENSOR_SERVICE "${SENSOR_SERVICE_IN}")

diff --git a/src/pcm-sensor-server.cpp b/src/pcm-sensor-server.cpp
@@ -2886,9 +2886,13 @@ class HTTPSServer : public HTTPServer {
         // SSL too old on development machine, not available yet FIXME
         //OPENSSL_config(nullptr);
 
-        sslCTX_ = SSL_CTX_new( SSLv23_method() );
+        // We require 1.1.1 now so TLS_method is available but still 
+        // make sure minimum protocol is TSL1_VERSION below
+        sslCTX_ = SSL_CTX_new( TLS_method() );
         if ( nullptr == sslCTX_ )
             throw std::runtime_error( "Cannot create an SSL context" );
+        if( SSL_CTX_set_min_proto_version( sslCTX_, TLS1_VERSION ) != 1 )
+            throw std::runtime_error( "Cannot set minimum protocol to TSL1_VERSION" );
         if ( SSL_CTX_use_certificate_file( sslCTX_, certificateFile_.c_str(), SSL_FILETYPE_PEM ) <= 0 )
             throw std::runtime_error( "Cannot use certificate file" );
         if ( SSL_CTX_use_PrivateKey_file( sslCTX_, privateKeyFile_.c_str(), SSL_FILETYPE_PEM ) <= 0 )