Posted to commits@trafficserver.apache.org by ig...@apache.org on 2011/07/18 20:17:36 UTC
svn commit: r1147994 - in /trafficserver/traffic/trunk:
contrib/perl/AdminClient/lib/Apache/TS/AdminClient.pm
iocore/net/P_SSLConfig.h iocore/net/SSLConfig.cc iocore/net/SSLNet.cc
mgmt/RecordsConfig.cc proxy/config/records.config.default.in
Author: igalic
Date: Mon Jul 18 18:17:35 2011
New Revision: 1147994
URL: http://svn.apache.org/viewvc?rev=1147994&view=rev
Log:
TS-730 Allow for the SSL Cipher Suite to be configured:
CONFIG proxy.config.ssl.server.cipher_suite STRING RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL
Our default here is trying to balance between strong and fast.
Additionally add an option whether to honor the server presented or the client's order:
CONFIG proxy.config.ssl.server.honor_cipher_suite INT 0
This option is disabled by default in order to be a little less disruptive ;)
For better performance, set it to 1, without changing the cipher_suite.
Also: Minor code-cleanup in iocore/net/SSLNet.cc
Modified:
trafficserver/traffic/trunk/contrib/perl/AdminClient/lib/Apache/TS/AdminClient.pm
trafficserver/traffic/trunk/iocore/net/P_SSLConfig.h
trafficserver/traffic/trunk/iocore/net/SSLConfig.cc
trafficserver/traffic/trunk/iocore/net/SSLNet.cc
trafficserver/traffic/trunk/mgmt/RecordsConfig.cc
trafficserver/traffic/trunk/proxy/config/records.config.default.in
Modified: trafficserver/traffic/trunk/contrib/perl/AdminClient/lib/Apache/TS/AdminClient.pm
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/contrib/perl/AdminClient/lib/Apache/TS/AdminClient.pm?rev=1147994&r1=1147993&r2=1147994&view=diff
==============================================================================
--- trafficserver/traffic/trunk/contrib/perl/AdminClient/lib/Apache/TS/AdminClient.pm (original)
+++ trafficserver/traffic/trunk/contrib/perl/AdminClient/lib/Apache/TS/AdminClient.pm Mon Jul 18 18:17:35 2011
@@ -698,6 +698,8 @@ The Apache Traffic Server Administration
proxy.config.ssl.server.cert_chain.filename
proxy.config.ssl.server.cert.filename
proxy.config.ssl.server.cert.path
+ proxy.config.ssl.server.cipher_suite
+ proxy.config.ssl.server.honor_cipher_order
proxy.config.ssl.server.multicert.filename
proxy.config.ssl.server_port
proxy.config.ssl.server.private_key.filename
Modified: trafficserver/traffic/trunk/iocore/net/P_SSLConfig.h
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/iocore/net/P_SSLConfig.h?rev=1147994&r1=1147993&r2=1147994&view=diff
==============================================================================
--- trafficserver/traffic/trunk/iocore/net/P_SSLConfig.h (original)
+++ trafficserver/traffic/trunk/iocore/net/P_SSLConfig.h Mon Jul 18 18:17:35 2011
@@ -106,6 +106,7 @@ private:
char *cswiftAccelLibPath;
char *atallaAccelLibPath;
char *broadcomAccelLibPath;
+ char *cipherSuite;
int clientCertLevel;
int verify_depth;
int ssl_accept_port_number;
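Review bot: The new `char *cipherSuite;` lands in a section the hunk header labels `private:`, yet the SSLNet.cc hunk of this commit reads `param->cipherSuite` directly instead of going through an accessor like the existing `getServerKeyPathOnly()`. That only compiles if SslConfigParams already grants SSLNetProcessor friend access (serverCertChainPath is read the same way, so that may well be the case), but the class's own convention of getters for the path members suggests adding `const char *getCipherSuite() const { return cipherSuite; }` alongside the existing accessors. The enclosing class definition continues outside this hunk.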
Modified: trafficserver/traffic/trunk/iocore/net/SSLConfig.cc
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/iocore/net/SSLConfig.cc?rev=1147994&r1=1147993&r2=1147994&view=diff
==============================================================================
--- trafficserver/traffic/trunk/iocore/net/SSLConfig.cc (original)
+++ trafficserver/traffic/trunk/iocore/net/SSLConfig.cc Mon Jul 18 18:17:35 2011
@@ -53,6 +53,7 @@ SslConfigParams::SslConfigParams()
CACertFilename = CACertPath =
clientCertPath = clientKeyPath =
clientCACertFilename = clientCACertPath =
+ cipherSuite =
serverKeyPathOnly = ncipherAccelLibPath = cswiftAccelLibPath = atallaAccelLibPath = broadcomAccelLibPath = NULL;
clientCertLevel = client_verify_depth = verify_depth = clientVerify = sslAccelerator = 0;
@@ -137,6 +138,10 @@ SslConfigParams::cleanup()
xfree(broadcomAccelLibPath);
broadcomAccelLibPath = NULL;
}
+ if (cipherSuite) {
+ xfree(cipherSuite);
+ cipherSuite = NULL;
+ }
clientCertLevel = client_verify_depth = verify_depth = clientVerify = sslAccelerator = 0;
ssl_accept_port_number = -1;
@@ -176,7 +181,10 @@ SslConfigParams::initialize()
ssl_mode &= SSL_TERM_MODE_BOTH;
termMode = (SSL_TERMINATION_MODE) ssl_mode;
+ IOCORE_ReadConfigStringAlloc(cipherSuite, "proxy.config.ssl.server.cipher_suite");
+
/* if ssl is enabled and we require an accelerator */
+ /* XXX: This code does not work */
if ((termMode & SSL_TERM_MODE_BOTH) && (ssl_accelerator_required & SSL_ACCELERATOR_REQ_BOTH)) {
if (system(NULL)) {
ret_val = system("bin/openssl_accelerated >/dev/null 2>&1");
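Review bot: The added `/* XXX: This code does not work */` flags the accelerator probe as broken but leaves it running, and the comment does not say what fails or where the problem is tracked, so the next reader cannot tell whether it is safe to remove the block or what a fix needs to restore. A marker on code known to misbehave should name the symptom and the tracker entry, for example `/* XXX(TS-<ticket placeholder>): accelerator probe never sets sslAccelerator — see that issue before relying on this branch */`, or the probe should be taken out in a follow-up instead of annotated. initialize() continues outside this hunk.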
@@ -245,16 +253,21 @@ SslConfigParams::initialize()
i++;
}
#endif
- int prot;
- IOCORE_ReadConfigInteger(prot, "proxy.config.ssl.SSLv2");
- if (!prot)
+ int options;
+ IOCORE_ReadConfigInteger(options, "proxy.config.ssl.SSLv2");
+ if (!options)
ssl_ctx_options |= SSL_OP_NO_SSLv2;
- IOCORE_ReadConfigInteger(prot, "proxy.config.ssl.SSLv3");
- if (!prot)
+ IOCORE_ReadConfigInteger(options, "proxy.config.ssl.SSLv3");
+ if (!options)
ssl_ctx_options |= SSL_OP_NO_SSLv3;
- IOCORE_ReadConfigInteger(prot, "proxy.config.ssl.TLSv1");
- if (!prot)
+ IOCORE_ReadConfigInteger(options, "proxy.config.ssl.TLSv1");
+ if (!options)
ssl_ctx_options |= SSL_OP_NO_TLSv1;
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+ IOCORE_ReadConfigInteger(options, "proxy.config.ssl.server.honor_cipher_suite");
+ if (!options)
+ ssl_ctx_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+#endif
IOCORE_ReadConfigString(serverCertFilename, "proxy.config.ssl.server.cert.filename", PATH_NAME_MAX);
IOCORE_ReadConfigString(serverCertRelativePath, "proxy.config.ssl.server.cert.path", PATH_NAME_MAX);
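Review bot: The record name read on the new `#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE` line does not exist: the code reads `proxy.config.ssl.server.honor_cipher_suite`, while RecordsConfig.cc in this same commit registers `proxy.config.ssl.server.honor_cipher_order` (the name the AdminClient POD also lists) and records.config.default.in ships `honor_cipher suite` with a space in it, so the three spellings need to be unified on one name, presumably `honor_cipher_order`. The sense of the test also looks inverted: `if (!options)` sets `SSL_OP_CIPHER_SERVER_PREFERENCE` when the record is 0, so the documented default of 0 would make the server's order win, which is the opposite of what the log message and the records.config comment describe; this line should read `if (options)`. Because `options` is reused from the preceding TLSv1 read and nothing in the hunk shows IOCORE_ReadConfigInteger resetting it on a missing record, a failed lookup would silently inherit the previous protocol flag, so initialising it before the read, `options = 0;`, makes the outcome explicit. initialize() continues outside this hunk.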
Modified: trafficserver/traffic/trunk/iocore/net/SSLNet.cc
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/iocore/net/SSLNet.cc?rev=1147994&r1=1147993&r2=1147994&view=diff
==============================================================================
--- trafficserver/traffic/trunk/iocore/net/SSLNet.cc (original)
+++ trafficserver/traffic/trunk/iocore/net/SSLNet.cc Mon Jul 18 18:17:35 2011
@@ -339,25 +339,25 @@ SSLNetProcessor::initSSLServerCTX(SslCon
if (defaultEnabled) {
if (SSL_CTX_use_certificate_file(lCtx, param->serverCertPath, SSL_FILETYPE_PEM) <= 0) {
logSSLError("Cannot use server certificate file");
- return (-2);
+ return -2;
}
if (param->serverKeyPath != NULL) {
if (SSL_CTX_use_PrivateKey_file(lCtx, param->serverKeyPath, SSL_FILETYPE_PEM) <= 0) {
logSSLError("Cannot use server private key file");
- return (-3);
+ return -3;
}
} else // assume key is contained in the cert file.
{
if (SSL_CTX_use_PrivateKey_file(lCtx, param->serverCertPath, SSL_FILETYPE_PEM) <= 0) {
logSSLError("Cannot use server private key file");
- return (-3);
+ return -3;
}
}
if (param->serverCertChainPath) {
if (SSL_CTX_add_extra_chain_cert_file(lCtx, param->serverCertChainPath) <= 0) {
logSSLError("Cannot use server certificate chain file");
- return (-2);
+ return -2;
}
}
} else {
@@ -368,20 +368,20 @@ SSLNetProcessor::initSSLServerCTX(SslCon
ink_strlcat(completeServerCertPath, serverCertPtr, completeServerCertPathSize);
if (SSL_CTX_use_certificate_file(lCtx, completeServerCertPath, SSL_FILETYPE_PEM) <= 0) {
logSSLError("Cannot use server certificate file");
- return (-2);
+ return -2;
}
if (serverKeyPtr == NULL) // assume private key is contained in cert obtained from multicert file.
{
if (SSL_CTX_use_PrivateKey_file(lCtx, completeServerCertPath, SSL_FILETYPE_PEM) <= 0) {
logSSLError("Cannot use server private key file");
- return (-3);
+ return -3;
}
} else {
if (param->getServerKeyPathOnly() != NULL) {
if (SSL_CTX_use_PrivateKey_file(lCtx, serverKeyPtr, SSL_FILETYPE_PEM) <= 0) {
logSSLError("Cannot use server private key file");
- return (-3);
+ return -3;
}
} else {
logSSLError("Empty ssl private key path in records.config.");
@@ -394,7 +394,7 @@ SSLNetProcessor::initSSLServerCTX(SslCon
if (!SSL_CTX_check_private_key(lCtx)) {
logSSLError("Server private key does not match the certificate public key");
- return (-4);
+ return -4;
}
@@ -404,7 +404,7 @@ SSLNetProcessor::initSSLServerCTX(SslCon
if ((!SSL_CTX_load_verify_locations(lCtx, param->CACertFilename, param->CACertPath)) ||
(!SSL_CTX_set_default_verify_paths(lCtx))) {
logSSLError("CA Certificate file or CA Certificate path invalid");
- return (-5);
+ return -5;
}
}
@@ -426,7 +426,15 @@ SSLNetProcessor::initSSLServerCTX(SslCon
SSL_CTX_set_client_CA_list(lCtx, SSL_load_client_CA_file(param->CACertFilename));
}
- return (0);
+
+
+ if (param->cipherSuite != NULL) {
+ if (!SSL_CTX_set_cipher_list(lCtx, param->cipherSuite)) {
+ logSSLError("Invalid Cipher Suite in records.config");
+ return -6;
+ }
+ }
+ return 0;
}
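Review bot: `SSL_CTX_set_cipher_list` reports failure only when no entry in `param->cipherSuite` matches a cipher the library knows, so a single misspelled token in an otherwise valid list is dropped silently and never reaches the new `return -6`; a startup log line printing the configured string would at least make that visible to the operator. The error message should also name the key to fix, e.g. `logSSLError("Invalid proxy.config.ssl.server.cipher_suite in records.config");`. The two blank lines added before the `if` are noise and should go. initSSLServerCTX begins outside this hunk.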
Modified: trafficserver/traffic/trunk/mgmt/RecordsConfig.cc
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/mgmt/RecordsConfig.cc?rev=1147994&r1=1147993&r2=1147994&view=diff
==============================================================================
--- trafficserver/traffic/trunk/mgmt/RecordsConfig.cc (original)
+++ trafficserver/traffic/trunk/mgmt/RecordsConfig.cc Mon Jul 18 18:17:35 2011
@@ -1310,6 +1310,10 @@ RecordElement RecordsConfig[] = {
,
{RECT_CONFIG, "proxy.config.ssl.broadcom.lib.path", RECD_STRING, "/usr/lib", RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
,
+ {RECT_CONFIG, "proxy.config.ssl.server.cipher_suite", RECD_STRING, "RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL", RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
+ ,
+ {RECT_CONFIG, "proxy.config.ssl.server.honor_cipher_order", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+ ,
{RECT_CONFIG, "proxy.config.ssl.server_port", RECD_INT, "443", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-65535]", RECA_NULL}
,
{RECT_CONFIG, "proxy.config.ssl.client.certification_level", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-2]", RECA_NULL}
Modified: trafficserver/traffic/trunk/proxy/config/records.config.default.in
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/proxy/config/records.config.default.in?rev=1147994&r1=1147993&r2=1147994&view=diff
==============================================================================
--- trafficserver/traffic/trunk/proxy/config/records.config.default.in (original)
+++ trafficserver/traffic/trunk/proxy/config/records.config.default.in Mon Jul 18 18:17:35 2011
@@ -475,6 +475,12 @@ CONFIG proxy.config.ssl.number.threads I
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 1
CONFIG proxy.config.ssl.TLSv1 INT 1
+ # The following two variables control the Cipher Suite traffic Server
+ # uses for HTTPS connnections and whether to prefer the client
+ # selected (default) or the server selected
+ # Our default SSL Cipher Suite tries to be reasonably fast and strong.
+CONFIG proxy.config.ssl.server.cipher_suite STRING RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL
+CONFIG proxy.config.ssl.server.honor_cipher suite INT 0
CONFIG proxy.config.ssl.server_port INT 443
# Client certification level should be:
# 0 no client certificates