From 32a60edf6816b5edde64a77a627a129cdb4da7fc Mon Sep 17 00:00:00 2001
From: Roel Standaert
Date: Thu, 26 Jul 2018 12:55:50 +0200
Subject: [PATCH] Several changes: - Disabled TLS v. 1.0 and 1.1 - idle timeout: release notes, doc fixes
---
ReleaseNotes.html | 11 +++++++++++
src/Wt/Http/Client.C | 10 +++++++++-
src/Wt/WApplication.h | 11 +++++++++--
src/http/Server.C | 6 ++++++
wt_config.xml.in | 4 ++--
5 files changed, 37 insertions(+), 5 deletions(-)
diff --git a/ReleaseNotes.html b/ReleaseNotes.html
index 6c89e426d6..5d76250993 100644
--- a/ReleaseNotes.html
+++ b/ReleaseNotes.html
@@ -102,6 +102,14 @@

Path parameters

A feature example demonstrating this was added in examples/feature/urlparams.

+

Idle timeout

+ +

Added an <idle-timeout> option to the configuration (wt_config.xml). If set, +WApplication::idleTimeout() will be triggered after the configured number of seconds.

+ +

This is intended to prevent unauthorized people from using an active session from a +device that's been abandoned by the user.

+

WFileDropWidget

Added the ability to set a @@ -124,6 +132,9 @@

Miscellaneous improvements

Added insertTab, itemAt and currentItem to WTabWidget +
  • + Disabled TLS v. 1.0 and 1.1 support +
  • Release 4.0.3 (April 12, 2018)

    diff --git a/src/Wt/Http/Client.C b/src/Wt/Http/Client.C index 6bb21a9587..dfc3b90734 100644 --- a/src/Wt/Http/Client.C +++ b/src/Wt/Http/Client.C @@ -937,7 +937,15 @@ bool Client::request(Http::Method method, const std::string& url, asio::ssl::context context (*ioService, asio::ssl::context::sslv23); #endif - long sslOptions = asio::ssl::context::no_sslv2 | asio::ssl::context::no_sslv3; + long sslOptions = asio::ssl::context::no_sslv2 | + asio::ssl::context::no_sslv3 | + asio::ssl::context::no_tlsv1; + +#if (defined(WT_ASIO_IS_BOOST_ASIO) && BOOST_VERSION >= 105800) || \ + defined(WT_ASIO_IS_STANDALONE_ASIO) + sslOptions |= asio::ssl::context::no_tlsv1_1; +#endif + context.set_options(sslOptions); diff --git a/src/Wt/WApplication.h b/src/Wt/WApplication.h index c9459bcc6b..26ed923d59 100644 --- a/src/Wt/WApplication.h +++ b/src/Wt/WApplication.h @@ -2112,8 +2112,15 @@ class WT_API WApplication : public WObject /*! \brief Idle timeout handler * + * \if cpp * If idle-timeout is set in the configuration, this method is called when * the user seems idle for the number of seconds set in idle-timeout. + * \elseif java + * If idle timeout is set in the configuration + * ({@link Configuration#setIdleTimeout(int)}), this + * method is called when the user seems idle for the number of seconds set as the + * idle timeout. + * \endif * * This feature can be useful in security sensitive applications * to prevent unauthorized users from taking over the session @@ -2166,6 +2173,8 @@ class WT_API WApplication : public WObject * }; * \endcode * + * \endif + * * \note The events currently counted as user activity are: * - mousedown * - mouseup @@ -2176,8 +2185,6 @@ class WT_API WApplication : public WObject * - touchend * - pointerdown * - pointerup - * - * \endif */ virtual void idleTimeout(); diff --git a/src/http/Server.C b/src/http/Server.C index ad16591fd3..9ac34071ed 100644 --- a/src/http/Server.C +++ b/src/http/Server.C 
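Review bot: In the Client::request hunk of src/Wt/Http/Client.C, the `#if` around `no_tlsv1_1` compiles to nothing on Boost.Asio older than 1.58, so TLS 1.1 stays negotiable there with no diagnostic, although the release notes in this commit say TLS 1.0 and 1.1 are disabled; the identical block added to Server::start in src/http/Server.C has the same gap. Because `sslOptions` is a plain `long` handed to `set_options`, the guard could fall back to the OpenSSL constant where it is defined, `#elif defined(SSL_OP_NO_TLSv1_1)` followed by `sslOptions |= SSL_OP_NO_TLSv1_1;`, assuming the OpenSSL headers are in scope here. Failing that, it should at least carry a comment such as `// TLS 1.1 cannot be disabled through asio before Boost 1.58`. The guard is now duplicated in two files, so a small shared helper would keep client and server protocol policy from drifting apart. Client::request starts and ends outside this hunk.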
@@ -211,6 +211,12 @@ void Server::start() if (!config_.sslEnableV3()) sslOptions |= asio::ssl::context::no_sslv3; + sslOptions |= asio::ssl::context::no_tlsv1; +#if (defined(WT_ASIO_IS_BOOST_ASIO) && BOOST_VERSION >= 105800) || \ + defined(WT_ASIO_IS_STANDALONE_ASIO) + sslOptions |= asio::ssl::context::no_tlsv1_1; +#endif + ssl_context_.set_options(sslOptions); if (config_.sslClientVerification() == "none") { diff --git a/wt_config.xml.in b/wt_config.xml.in index 22b05df876..6a71aef21a 100644 --- a/wt_config.xml.in +++ b/wt_config.xml.in @@ -109,9 +109,9 @@
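Review bot: `no_tlsv1` is set unconditionally in Server::start, yet SSLv3 directly above is still governed by `config_.sslEnableV3()`, so a deployment with that setting on would accept SSLv3 while refusing TLS 1.0 and 1.1, leaving the weakest protocol as the only configurable one. Consider applying `sslOptions |= asio::ssl::context::no_sslv3;` unconditionally as well, or logging a warning when `config_.sslEnableV3()` is true. A comment such as `// TLS 1.0/1.1 are always disabled; there is no configuration override` would also tell operators with legacy clients that this is not tunable. Server::start begins before and continues after this hunk.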