datastax · absurdfarce · Apr 20, 2022 · Mar 24, 2022 · Mar 25, 2022 · Mar 28, 2022
diff --git a/include/cassandra.h b/include/cassandra.h
@@ -629,6 +629,12 @@ typedef enum CassSslVerifyFlags_ {
   CASS_SSL_VERIFY_PEER_IDENTITY_DNS = 0x04
 } CassSslVerifyFlags;
 
+typedef enum CassSslTlsVersion_ {
+  CASS_SSL_VERSION_TLS1   = 0x00,
+  CASS_SSL_VERSION_TLS1_1 = 0x01,
+  CASS_SSL_VERSION_TLS1_2 = 0x02,
+} CassSslTlsVersion;
+
 typedef enum CassProtocolVersion_ {
   CASS_PROTOCOL_VERSION_V1    = 0x01, /**< Deprecated */
   CASS_PROTOCOL_VERSION_V2    = 0x02, /**< Deprecated */
@@ -4687,6 +4693,20 @@ cass_ssl_set_private_key_n(CassSsl* ssl,
                            const char* password,
                            size_t password_length);
 
+/**
+ * Set minimum supported client-side protocol version. This will prevent the
+ * connection using protocol versions earlier than the specified one. Useful
+ * for preventing TLS downgrade attacks.
+ *
+ * @public @memberof CassSsl
+ *
+ * @param[in] ssl
+ * @param[in] min_version
+ * @return CASS_OK if successful, otherwise an error occurred.
+ */
+CASS_EXPORT CassError
+cass_ssl_set_min_protocol_version(CassSsl* ssl, CassSslTlsVersion min_version);
+
 /***********************************************************************************
  *
  * Authenticator

diff --git a/src/ssl.cpp b/src/ssl.cpp
@@ -65,6 +65,10 @@ CassError cass_ssl_set_private_key_n(CassSsl* ssl, const char* key, size_t key_l
   return ssl->set_private_key(key, key_length, password, password_length);
 }
 
+CassError cass_ssl_set_min_protocol_version(CassSsl* ssl, CassSslTlsVersion min_version) {
+  return ssl->set_min_protocol_version(min_version);
+}
+
 } // extern "C"
 
 template <class T>

diff --git a/src/ssl.hpp b/src/ssl.hpp
@@ -87,6 +87,7 @@ class SslContext : public RefCounted<SslContext> {
   virtual CassError set_cert(const char* cert, size_t cert_length) = 0;
   virtual CassError set_private_key(const char* key, size_t key_length, const char* password,
                                     size_t password_length) = 0;
+  virtual CassError set_min_protocol_version(CassSslTlsVersion min_version) = 0;
 
 protected:
   int verify_flags_;

diff --git a/src/ssl/ssl_no_impl.cpp b/src/ssl/ssl_no_impl.cpp
@@ -44,4 +44,8 @@ CassError NoSslContext::set_private_key(const char* key, size_t key_length, cons
   return CASS_ERROR_LIB_NOT_IMPLEMENTED;
 }
 
+CassError NoSslContext::set_min_protocol_version(CassSslTlsVersion min_version) {
+  return CASS_ERROR_LIB_NOT_IMPLEMENTED;
+}
+
 SslContext::Ptr NoSslContextFactory::create() { return SslContext::Ptr(new NoSslContext()); }
diff --git a/src/ssl/ssl_no_impl.hpp b/src/ssl/ssl_no_impl.hpp
@@ -40,6 +40,7 @@ class NoSslContext : public SslContext {
   virtual CassError set_cert(const char* cert, size_t cert_length);
   virtual CassError set_private_key(const char* key, size_t key_length, const char* password,
                                     size_t password_length);
+  virtual CassError set_min_protocol_version(CassSslTlsVersion min_version);
 };
 
 class NoSslContextFactory : public SslContextFactoryBase<NoSslContextFactory> {

diff --git a/src/ssl/ssl_openssl_impl.cpp b/src/ssl/ssl_openssl_impl.cpp
@@ -41,12 +41,14 @@
     !defined(LIBRESSL_VERSION_NUMBER) // Required as OPENSSL_VERSION_NUMBER for LibreSSL is defined
                                       // as 2.0.0
 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+#define SSL_CAN_SET_MIN_VERSION
 #define SSL_CLIENT_METHOD TLS_client_method
 #else
 #define SSL_CLIENT_METHOD SSLv23_client_method
 #endif
 #else
 #if (LIBRESSL_VERSION_NUMBER >= 0x20302000L)
+#define SSL_CAN_SET_MIN_VERSION
 #define SSL_CLIENT_METHOD TLS_client_method
 #else
 #define SSL_CLIENT_METHOD SSLv23_client_method
@@ -611,6 +613,48 @@ CassError OpenSslContext::set_private_key(const char* key, size_t key_length, co
   return CASS_OK;
 }
 
+CassError OpenSslContext::set_min_protocol_version(CassSslTlsVersion min_version) {
+#ifdef SSL_CAN_SET_MIN_VERSION
+  int method;
+  switch (min_version) {
+    case CassSslTlsVersion::CASS_SSL_VERSION_TLS1:
+      method = TLS1_VERSION;
+      break;
+    case CassSslTlsVersion::CASS_SSL_VERSION_TLS1_1:
+      method = TLS1_1_VERSION;
+      break;
+    case CassSslTlsVersion::CASS_SSL_VERSION_TLS1_2:
+      method = TLS1_2_VERSION;
+      break;
+    default:
+      // unsupported version
+      return CASS_ERROR_LIB_BAD_PARAMS;
+  }
+  SSL_CTX_set_min_proto_version(ssl_ctx_, method);
+  return CASS_OK;
+#else
+  // If we don't have the `set_min_proto_version` function then we do this via
+  // the (deprecated in later versions) options function.
+  int options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+  switch (min_version) {
+    case CassSslTlsVersion::CASS_SSL_VERSION_TLS1:
+      break;
+    case CassSslTlsVersion::CASS_SSL_VERSION_TLS1_1:
+      options |= SSL_OP_NO_TLSv1;
+      break;
+    case CassSslTlsVersion::CASS_SSL_VERSION_TLS1_2:
+      options |= SSL_OP_NO_TLSv1;
+      options |= SSL_OP_NO_TLSv1_1;
+      break;
+    default:
+      // unsupported version
+      return CASS_ERROR_LIB_BAD_PARAMS;
+  }
+  SSL_CTX_set_options(ssl_ctx_, options);
+  return CASS_OK;
+#endif
+}
+
 SslContext::Ptr OpenSslContextFactory::create() { return SslContext::Ptr(new OpenSslContext()); }
 
 namespace openssl {

diff --git a/src/ssl/ssl_openssl_impl.hpp b/src/ssl/ssl_openssl_impl.hpp
@@ -61,6 +61,7 @@ class OpenSslContext : public SslContext {
   virtual CassError set_cert(const char* cert, size_t cert_length);
   virtual CassError set_private_key(const char* key, size_t key_length, const char* password,
                                     size_t password_length);
+  virtual CassError set_min_protocol_version(CassSslTlsVersion min_version);
 
 private:
   SSL_CTX* ssl_ctx_;