Posted to commits@qpid.apache.org by tr...@apache.org on 2017/12/21 15:36:02 UTC

qpid-dispatch git commit: DISPATCH-884 - PR from gmurthy - Add support for configured SSL protocols. This closes #233

Repository: qpid-dispatch
Updated Branches:
  refs/heads/master 3bf8cfe9c -> 44ee33fc8


DISPATCH-884 - PR from gmurthy - Add support for configured SSL protocols.
This closes #233


Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/44ee33fc
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/44ee33fc
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/44ee33fc

Branch: refs/heads/master
Commit: 44ee33fc864758177cdada83bcde145f6c1964b5
Parents: 3bf8cfe
Author: Ted Ross <tr...@redhat.com>
Authored: Thu Dec 21 10:33:42 2017 -0500
Committer: Ted Ross <tr...@redhat.com>
Committed: Thu Dec 21 10:33:42 2017 -0500

----------------------------------------------------------------------
 include/qpid/dispatch/server.h                |  8 ++++++-
 python/qpid_dispatch/management/qdrouter.json |  7 +++++-
 src/connection_manager.c                      | 28 +++++++++++++++-------
 src/http-libwebsockets.c                      |  2 +-
 src/server.c                                  | 23 ++++++++++++++----
 tests/system_tests_sasl_plain.py              |  1 +
 6 files changed, 53 insertions(+), 16 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/44ee33fc/include/qpid/dispatch/server.h
----------------------------------------------------------------------
diff --git a/include/qpid/dispatch/server.h b/include/qpid/dispatch/server.h
index bd51fa6..2766950 100644
--- a/include/qpid/dispatch/server.h
+++ b/include/qpid/dispatch/server.h
@@ -303,7 +303,13 @@ typedef struct qd_server_config_t {
     /**
      * Specifies the enabled ciphers so the SSL Ciphers can be hardened.
      */
-    char *ciphers;
+    char *ssl_ciphers;
+
+    /**
+     * This list is a space separated string of the allowed TLS protocols. The current possibilities are TLSv1 TLSv1.1 TLSv1.2.
+     * For example, if you want to permit only TLSv.1.1 and TLSv1.2, your value for the protocols would be TLSv1.1 TLSv1.2. If this attribute is not set, then all the TLS protocols are allowed.
+     */
+    char *ssl_protocols;
 
     /**
      * Allow the connection to be redirected by the peer (via CLOSE->Redirect).  This is
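Review bot: The unset-value semantics documented for `ssl_protocols` disagree with the management schema added in the same commit: this comment says that when the attribute is not set "all the TLS protocols are allowed", while the `protocols` description in qdrouter.json says the profile then uses the protocol set from the system-wide configuration. Only one can be right; since the value is handed to `pn_ssl_domain_set_protocols` only when non-NULL, what applies when unset is whatever the Proton SSL domain defaults to, so the header wording is probably the one to change, and the two texts should be made to match. There is also a typo, `TLSv.1.1`. Suggested second sentence: `If this attribute is not set, the protocol set is left at the default of the underlying Proton/OpenSSL domain.` The struct definition continues outside the hunk.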

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/44ee33fc/python/qpid_dispatch/management/qdrouter.json
----------------------------------------------------------------------
diff --git a/python/qpid_dispatch/management/qdrouter.json b/python/qpid_dispatch/management/qdrouter.json
index abfb33d..af428be 100644
--- a/python/qpid_dispatch/management/qdrouter.json
+++ b/python/qpid_dispatch/management/qdrouter.json
@@ -515,7 +515,12 @@
                     "type": "string",
                     "description": "Specifies the enabled ciphers so the SSL Ciphers can be hardened. In other words, use this field to disable weak ciphers. The ciphers are specified in the format understood by the OpenSSL library. For example, ciphers can be set to ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; -- The full list of allowed ciphers can be viewed using the openssl ciphers command",
                     "create": true
-                },            
+                },      
+                "protocols": {
+                    "type": "string",
+                    "description": "The TLS protocols that this sslProfile can use. You can specify a list of one or more of TLSv1, TLSv1.1, or TLSv1.2. To specify multiple protocols, separate the protocols with a space. For example, to permit the sslProfile to use TLS v1.1 and TLS v1.2 only, you would set the value to TLSv1.1 TLSv1.2. If you do not specify a value, the sslProfile uses the TLS protocol specified by the system-wide configuration.",
+                    "create": true
+                },                            
                 "certDb": {
                     "type": "path",
                     "description": "The absolute path to the database that contains the public certificates of trusted certificate authorities (CA).",

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/44ee33fc/src/connection_manager.c
----------------------------------------------------------------------
diff --git a/src/connection_manager.c b/src/connection_manager.c
index b764fff..97d1dee 100644
--- a/src/connection_manager.c
+++ b/src/connection_manager.c
@@ -44,7 +44,8 @@ struct qd_config_ssl_profile_t {
     char        *ssl_display_name_file;
     char        *ssl_certificate_file;
     char        *ssl_private_key_file;
-    char        *ciphers;
+    char        *ssl_ciphers;
+    char        *ssl_protocols;
 };
 
 DEQ_DECLARE(qd_config_ssl_profile_t, qd_config_ssl_profile_list_t);
@@ -141,7 +142,8 @@ void qd_server_config_free(qd_server_config_t *cf)
 
     if (cf->ssl_certificate_file)       free(cf->ssl_certificate_file);
     if (cf->ssl_private_key_file)       free(cf->ssl_private_key_file);
-    if (cf->ciphers)                    free(cf->ciphers);
+    if (cf->ssl_ciphers)                free(cf->ssl_ciphers);
+    if (cf->ssl_protocols)              free(cf->ssl_protocols);
     if (cf->ssl_password)               free(cf->ssl_password);
     if (cf->ssl_trusted_certificate_db) free(cf->ssl_trusted_certificate_db);
     if (cf->ssl_trusted_certificates)   free(cf->ssl_trusted_certificates);
@@ -386,7 +388,8 @@ static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *conf
         if (ssl_profile) {
             config->ssl_certificate_file = SSTRDUP(ssl_profile->ssl_certificate_file);
             config->ssl_private_key_file = SSTRDUP(ssl_profile->ssl_private_key_file);
-            config->ciphers = SSTRDUP(ssl_profile->ciphers);
+            config->ssl_ciphers = SSTRDUP(ssl_profile->ssl_ciphers);
+            config->ssl_protocols = SSTRDUP(ssl_profile->ssl_protocols);
             config->ssl_password = SSTRDUP(ssl_profile->ssl_password);
             config->ssl_trusted_certificate_db = SSTRDUP(ssl_profile->ssl_trusted_certificate_db);
             config->ssl_trusted_certificates = SSTRDUP(ssl_profile->ssl_trusted_certificates);
@@ -425,11 +428,16 @@ static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *conf
                         }
                     }
                 }
-                if (auth_ssl_profile->ciphers) {
-                    if (pn_ssl_domain_set_ciphers(config->auth_ssl_conf, auth_ssl_profile->ciphers)) {
+                if (auth_ssl_profile->ssl_ciphers) {
+                    if (pn_ssl_domain_set_ciphers(config->auth_ssl_conf, auth_ssl_profile->ssl_ciphers)) {
                         return qd_error(QD_ERROR_RUNTIME, "Cannot set ciphers. The ciphers string might be invalid. Use openssl ciphers -v <ciphers> to validate");
                     }
                 }
+                if (auth_ssl_profile->ssl_protocols) {
+                    if (pn_ssl_domain_set_protocols(config->auth_ssl_conf, auth_ssl_profile->ssl_protocols)) {
+                        return qd_error(QD_ERROR_RUNTIME, "Cannot set protocols. The protocols string might be invalid. This list is a space separated string of the allowed TLS protocols (TLSv1 TLSv1.1 TLSv1.2)");
+                    }
+                }
 
             }
         } else {
@@ -471,7 +479,8 @@ static bool config_ssl_profile_free(qd_connection_manager_t *cm, qd_config_ssl_p
     free(ssl_profile->ssl_display_name_file);
     free(ssl_profile->ssl_certificate_file);
     free(ssl_profile->ssl_private_key_file);
-    free(ssl_profile->ciphers);
+    free(ssl_profile->ssl_ciphers);
+    free(ssl_profile->ssl_protocols);
     free(ssl_profile);
     return true;
 
@@ -534,10 +543,11 @@ qd_config_ssl_profile_t *qd_dispatch_configure_ssl_profile(qd_dispatch_t *qd, qd
         }
         free(password_file);
     }
-    ssl_profile->ciphers = qd_entity_opt_string(entity, "ciphers", 0); CHECK();
-    ssl_profile->ssl_trusted_certificate_db = qd_entity_opt_string(entity, "certDb", 0); CHECK();
+    ssl_profile->ssl_ciphers   = qd_entity_opt_string(entity, "ciphers", 0);                   CHECK();
+    ssl_profile->ssl_protocols = qd_entity_opt_string(entity, "protocols", 0);                 CHECK();
+    ssl_profile->ssl_trusted_certificate_db = qd_entity_opt_string(entity, "certDb", 0);       CHECK();
     ssl_profile->ssl_trusted_certificates   = qd_entity_opt_string(entity, "trustedCerts", 0); CHECK();
-    ssl_profile->ssl_uid_format             = qd_entity_opt_string(entity, "uidFormat", 0); CHECK();
+    ssl_profile->ssl_uid_format             = qd_entity_opt_string(entity, "uidFormat", 0);    CHECK();
     ssl_profile->ssl_display_name_file      = qd_entity_opt_string(entity, "displayNameFile", 0); CHECK();
 
     //
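Review bot: The `protocols` string read on the new line `ssl_profile->ssl_protocols = qd_entity_opt_string(entity, "protocols", 0);` is stored without any validation, so an sslProfile with a misspelled or unsupported protocol name is created successfully and the error only surfaces later from `pn_ssl_domain_set_protocols` when a listener or connector referencing the profile is set up. Because `listener_setup_ssl` in server.c takes a `qd_connection_t`, that may mean a per-connection failure rather than a single startup error, which is worth confirming. A cheap check at this point — rejecting tokens outside the documented `TLSv1 TLSv1.1 TLSv1.2` set, or at least logging them, before the value is stored — would make the management create fail with a clear message instead. The enclosing function continues outside the hunk.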

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/44ee33fc/src/http-libwebsockets.c
----------------------------------------------------------------------
diff --git a/src/http-libwebsockets.c b/src/http-libwebsockets.c
index ec6c47e..0b71997 100644
--- a/src/http-libwebsockets.c
+++ b/src/http-libwebsockets.c
@@ -296,7 +296,7 @@ static void listener_start(qd_http_listener_t *hl, qd_http_server_t *hs) {
         info.ssl_private_key_filepath = config->ssl_private_key_file;
         info.ssl_private_key_password = config->ssl_password;
         info.ssl_ca_filepath = config->ssl_trusted_certificates;
-        info.ssl_cipher_list = config->ciphers;
+        info.ssl_cipher_list = config->ssl_ciphers;
 
         info.options |=
             LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT |

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/44ee33fc/src/server.c
----------------------------------------------------------------------
diff --git a/src/server.c b/src/server.c
index 71e8b90..c990dbd 100644
--- a/src/server.c
+++ b/src/server.c
@@ -380,13 +380,20 @@ static qd_error_t listener_setup_ssl(qd_connection_t *ctx, const qd_server_confi
         }
     }
 
-    if (config->ciphers) {
-        if (pn_ssl_domain_set_ciphers(domain, config->ciphers)) {
+    if (config->ssl_ciphers) {
+        if (pn_ssl_domain_set_ciphers(domain, config->ssl_ciphers)) {
             pn_ssl_domain_free(domain);
             return qd_error(QD_ERROR_RUNTIME, "Cannot set ciphers. The ciphers string might be invalid. Use openssl ciphers -v <ciphers> to validate");
         }
     }
 
+    if (config->ssl_protocols) {
+        if (pn_ssl_domain_set_protocols(domain, config->ssl_protocols)) {
+            pn_ssl_domain_free(domain);
+            return qd_error(QD_ERROR_RUNTIME, "Cannot set protocols. The protocols string might be invalid. This list is a space separated string of the allowed TLS protocols (TLSv1 TLSv1.1 TLSv1.2)");
+        }
+    }
+
     const char *trusted = config->ssl_trusted_certificate_db;
     if (config->ssl_trusted_certificates)
         trusted = config->ssl_trusted_certificates;
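Review bot: `pn_ssl_domain_set_protocols` is a more recent Proton SSL API than the `pn_ssl_domain_set_ciphers` call just above it, and this commit adds no CMake feature test or minimum-version bump, so the router will presumably fail to compile or link against a Proton that predates it; if the required Proton version in the build files is not raised elsewhere in this change, it should be, or the call needs a guard that logs that protocol restriction is unavailable. The fail-closed handling here (free the domain, return an error) is the right behaviour for a listener and is what the connector path in `setup_ssl_sasl_and_open` should match. If `qd_error` accepts format arguments, including the rejected value, e.g. `"Cannot set protocols '%s'. ..."`, would tell the operator which token Proton refused. listener_setup_ssl continues outside the hunk.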
@@ -1052,14 +1059,22 @@ static void setup_ssl_sasl_and_open(qd_connection_t *ctx)
             }
         }
 
-        if (config->ciphers) {
-            if (pn_ssl_domain_set_ciphers(domain, config->ciphers)) {
+        if (config->ssl_ciphers) {
+            if (pn_ssl_domain_set_ciphers(domain, config->ssl_ciphers)) {
                 qd_log(ct->server->log_source, QD_LOG_ERROR,
                        "SSL cipher configuration failed for %s:%s",
                        config->host, config->port);
             }
         }
 
+        if (config->ssl_protocols) {
+            if (pn_ssl_domain_set_protocols(domain, config->ssl_protocols)) {
+                qd_log(ct->server->log_source, QD_LOG_ERROR,
+                       "Permitted TLS protocols configuration failed %s:%s",
+                       config->host, config->port);
+            }
+        }
+
         //If ssl is enabled and verify_host_name is true, instruct proton to verify peer name
         if (config->verify_host_name) {
             if (pn_ssl_domain_set_peer_authentication(domain, PN_SSL_VERIFY_PEER_NAME, NULL)) {
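Review bot: On the connector side a failed `pn_ssl_domain_set_protocols` is only logged at ERROR and the function carries on, so a connector whose `protocols` value Proton rejects opens its outbound TLS connection with the domain's default protocol set — the opposite of what the operator configured, and silently apart from one log line. That mirrors the pre-existing cipher handling directly above, but it is fail-open, whereas the listener path (`listener_setup_ssl`) frees the domain and returns an error on the same failure. Unless code outside this hunk already aborts the connection when an error has been logged, the minimal change is to record the failure, e.g. `bool ssl_ok = true;` cleared in both failure branches, and skip the open when it is false. setup_ssl_sasl_and_open starts and ends outside the hunk.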

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/44ee33fc/tests/system_tests_sasl_plain.py
----------------------------------------------------------------------
diff --git a/tests/system_tests_sasl_plain.py b/tests/system_tests_sasl_plain.py
index 05e591f..766a0a8 100644
--- a/tests/system_tests_sasl_plain.py
+++ b/tests/system_tests_sasl_plain.py
@@ -227,6 +227,7 @@ class RouterTestPlainSaslOverSsl(RouterTestPlainSaslCommon):
                                      'certFile': cls.ssl_file('server-certificate.pem'),
                                      'keyFile': cls.ssl_file('server-private-key.pem'),
                                      'ciphers': 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS',
+                                     'protocols': 'TLSv1.1 TLSv1.2',
                                      'password': 'server-password'}),
                      ('router', {'workerThreads': 1,
                                  'id': 'QDR.X',
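Review bot: Adding `'protocols': 'TLSv1.1 TLSv1.2'` to the listener's sslProfile only shows that the router still starts and the existing SASL-over-SSL tests still pass with the restriction in place; nothing asserts that a client offering only TLSv1 is refused, so the enforcement half of DISPATCH-884 is untested. A negative test — a client whose SSL domain is restricted to `TLSv1` connecting to this listener and expected to fail the handshake — would pin the behaviour, and a second one with an invalid value such as `'protocols': 'bogus'` on a listener, expecting the listener setup error, would cover the new runtime error path in server.c. The test class continues outside the hunk.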

