Michael

Reputation: 21

How to force the server to use only TLSv1.2?

I have a server that processes SOAP requests. It uses gSOAP 2.8.14. Currently it allows only TLSv1 connections. I need to force it to allow only TLSv1.2 connections.

if (soap_ssl_server_context(&soap,
     SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION | SOAP_SSL_REQUIRE_CLIENT_AUTHENTICATION | SOAP_TLSv1,
     keyfile,      // keyfile: required when server must authenticate to clients
     keyfilepass,  // password to read the key file
     NULL,         // optional cacert file to store trusted certificates
     capath,       // optional capath to directory with trusted certificates
     dhfile,       // DH file name or DH key len bits 
     NULL,         // if randfile!=NULL: use a file with random data
     serverId      // server identification for SSL session cache
     ))
  { 
     printf("SSL Failed to initialize.\n");
     soap_print_fault(&soap, stderr); 
     return;
  }

According to the gSOAP changelog, flags for TLSv1.1 and TLSv1.2 were added in gSOAP 2.8.24. So I've updated my gSOAP to the latest available version (2.8.27). As described in the gSOAP source in stdsoap2.h, to use only TLSv1.2 I need to use the SOAP_TLSv1_2 flag:

#define SOAP_TLSv1              0x0000  /* enable TLS v1.0/1.1/1.2 only (default) */
#define SOAP_SSLv3_TLSv1        0x0040  /* enable SSL v3 and TLS v1.0/1.1/1.2 */
#define SOAP_SSLv3              0x0080  /* only SSL v3 */
#define SOAP_TLSv1_0            0x0100  /* only TLS v1.0 */
#define SOAP_TLSv1_1            0x0200  /* only TLS v1.1 */
#define SOAP_TLSv1_2            0x0400  /* only TLS v1.2 */

I've replaced SOAP_TLSv1 with SOAP_TLSv1_2 in my soap_ssl_server_context() call.

if (soap_ssl_server_context(&soap,
         SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION | SOAP_SSL_REQUIRE_CLIENT_AUTHENTICATION | SOAP_TLSv1_2,
         ...))
      { 
         printf("SSL Failed to initialize.\n");
         soap_print_fault(&soap, stderr); 
         return;
      }

But during testing I found that the server still accepts requests over TLSv1.

So, my question is: how do I force the server to process SOAP requests only over TLSv1.2?

Upvotes: 1

Views: 3463

Answers (1)

Dr. Alex RE

Reputation: 1698

To restrict TLS to TLSv1.2 only with gSOAP, you will need:

  • OpenSSL 1.0.1 or later (otherwise you may default back to SSLv3/TLS);
  • it is recommended to upgrade to gSOAP version 2.8.27 or later.

With gSOAP 2.8.27, use the SOAP_TLSv1_2 option when calling soap_ssl_client_context() and soap_ssl_server_context().

Upvotes: 2
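As an added example (not code from the question, the answer, or the gSOAP project), here is the same restriction expressed with Python's standard ssl module, which drives the same OpenSSL version-bound API that gSOAP's SOAP_TLSv1_2 flag is supposed to set on the server's SSL_CTX. It builds two server contexts, one left at OpenSSL defaults (the weak setting) and one pinned to TLS 1.2 at both ends of the range (the corrected setting), then runs loopback handshakes with clients pinned to different versions to show which ones each server accepts. This is the test the question describes ("does the server still accept TLSv1?") made reproducible offline. It assumes the openssl command-line tool is installed to generate a throwaway self-signed certificate; the certificate, the function names and the loopback setup are constructed for this demo.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading
import warnings


def make_self_signed_cert(directory):
    """Constructed test material: a one-day self-signed cert made with the openssl
    CLI (assumed to be installed) so the demo needs no network or real PKI."""
    certfile = os.path.join(directory, "cert.pem")
    keyfile = os.path.join(directory, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", keyfile, "-out", certfile, "-subj", "/CN=localhost", "-days", "1"],
        check=True, capture_output=True,
    )
    return certfile, keyfile


def permissive_server_context(certfile, keyfile):
    """Weak setting: accept whatever protocol range the OpenSSL build/config allows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def tls12_only_server_context(certfile, keyfile):
    """Corrected setting: pin both the floor and the ceiling of the range to TLS 1.2,
    which is what an "only TLS v1.2" flag must do to the underlying SSL_CTX."""
    ctx = permissive_server_context(certfile, keyfile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(server_ctx, client_min=None, client_max=None):
    """One loopback handshake against server_ctx from a client pinned to
    [client_min, client_max]. Returns the negotiated protocol name, or None if
    no handshake could be completed (server refused, or client cannot offer it)."""
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.check_hostname = False
    client_ctx.verify_mode = ssl.CERT_NONE  # self-signed demo cert only; never in production
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)  # TLS 1.0/1.1 pins warn
            if client_min is not None:
                client_ctx.minimum_version = client_min
            if client_max is not None:
                client_ctx.maximum_version = client_max
    except ValueError:
        return None  # this OpenSSL build cannot even offer the requested version

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]

    def serve_one():
        try:
            conn, _ = listener.accept()
            conn.settimeout(5)
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)
        except (OSError, ssl.SSLError):
            pass  # a refused handshake is the expected outcome for disallowed versions

    thread = threading.Thread(target=serve_one)
    thread.start()
    negotiated = None
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with client_ctx.wrap_socket(raw) as tls:
                negotiated = tls.version()  # e.g. "TLSv1.2" or "TLSv1.3"
                tls.sendall(b"x")
    except (OSError, ssl.SSLError):
        negotiated = None
    thread.join(5)
    listener.close()
    return negotiated


def run_demo():
    """Compare the weak and the hardened server against differently pinned clients."""
    V = ssl.TLSVersion
    with tempfile.TemporaryDirectory() as d:
        certfile, keyfile = make_self_signed_cert(d)
        weak = permissive_server_context(certfile, keyfile)
        hardened = tls12_only_server_context(certfile, keyfile)
        return {
            "weak_default_client": probe(weak),
            "hardened_default_client": probe(hardened),
            "hardened_tls13_only_client": probe(hardened, V.TLSv1_3, V.TLSv1_3),
            "hardened_tls10_only_client": probe(hardened, V.TLSv1, V.TLSv1),
        }


if __name__ == "__main__":
    for name, version in run_demo().items():
        print(f"{name:28s} -> {version or 'handshake refused'}")
```

The hardened server negotiates TLSv1.2 with a default client and refuses both a TLS 1.3-only and a TLS 1.0-only client, while the permissive one takes the highest version both sides support. The same check applies to the gSOAP server from the question: openssl s_client -connect host:port -tls1 (and -tls1_1) must fail to handshake while -tls1_2 succeeds. On the C side the equivalent of pinning the range is SSL_CTX_set_options() with SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 on the SSL_CTX that gSOAP stores in soap->ctx once soap_ssl_server_context() has returned, or SSL_CTX_set_min_proto_version()/SSL_CTX_set_max_proto_version() on OpenSSL 1.1.0 and later; SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 only exist from OpenSSL 1.0.1, which is why the answer requires that version.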
