Posted to commits@trafficserver.apache.org by bc...@apache.org on 2018/08/31 16:18:34 UTC
[trafficserver] branch 8.0.x updated: Add configs for TLSv1.3
ciphersuites
This is an automated email from the ASF dual-hosted git repository.
bcall pushed a commit to branch 8.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/8.0.x by this push:
new bc0cf93 Add configs for TLSv1.3 ciphersuites
bc0cf93 is described below
commit bc0cf931739480217e036f994bc5660c9d6f75d1
Author: Masaori Koshiba <ma...@apache.org>
AuthorDate: Mon Jul 30 14:34:15 2018 +0900
Add configs for TLSv1.3 ciphersuites
(cherry picked from commit 5072db2a637e353a3a79a37f87556952147ad689)
---
build/crypto.m4 | 15 +++++++++++++++
configure.ac | 3 +++
doc/admin-guide/files/records.config.en.rst | 21 ++++++++++++++++++++-
iocore/net/P_SSLConfig.h | 3 +++
iocore/net/SSLClientUtils.cc | 9 +++++++++
iocore/net/SSLConfig.cc | 10 +++++++++-
iocore/net/SSLUtils.cc | 10 ++++++++++
lib/ts/ink_config.h.in | 1 +
mgmt/RecordsConfig.cc | 12 ++++++++++++
9 files changed, 82 insertions(+), 2 deletions(-)
diff --git a/build/crypto.m4 b/build/crypto.m4
index cbb1b53..e3ac31b 100644
--- a/build/crypto.m4
+++ b/build/crypto.m4
@@ -226,3 +226,18 @@ AC_DEFUN([TS_CHECK_CRYPTO_OCSP], [
TS_ARG_ENABLE_VAR([use], [tls-ocsp])
AC_SUBST(use_tls_ocsp)
])
+
+AC_DEFUN([TS_CHECK_CRYPTO_SET_CIPHERSUITES], [
+ _set_ciphersuites_saved_LIBS=$LIBS
+
+ TS_ADDTO(LIBS, [$OPENSSL_LIBS])
+ AC_CHECK_HEADERS(openssl/ssl.h)
+ AC_CHECK_FUNCS(SSL_CTX_set_ciphersuites, [enable_tls_set_ciphersuites=yes], [enable_tls_set_ciphersuites=no])
+
+ LIBS=$_set_ciphersuites_saved_LIBS
+
+ AC_MSG_CHECKING(whether to enable TLSv1.3 ciphersuites configuration is supported)
+ AC_MSG_RESULT([$enable_tls_set_ciphersuites])
+ TS_ARG_ENABLE_VAR([use], [tls-set-ciphersuites])
+ AC_SUBST(use_tls_set_ciphersuites)
+])
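Review bot: The `AC_MSG_CHECKING` text in TS_CHECK_CRYPTO_SET_CIPHERSUITES reads as two sentences merged together, so the configure log line is hard to interpret. Something like `AC_MSG_CHECKING([whether SSL_CTX_set_ciphersuites is available for TLSv1.3 ciphersuite configuration])` states what was actually probed. The result of `AC_CHECK_HEADERS(openssl/ssl.h)` plays no part in the decision, so a one-line `dnl` comment should say why the probe is there, or it can be dropped. A short `dnl` header above the macro noting that it sets `use_tls_set_ciphersuites`, which ink_config.h.in turns into `TS_USE_TLS_SET_CIPHERSUITES`, would also help.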
diff --git a/configure.ac b/configure.ac
index 3992869..9ec51e0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1194,6 +1194,9 @@ TS_CHECK_CRYPTO_DH_GET_2048_256
# Check for OCSP
TS_CHECK_CRYPTO_OCSP
+# Check for SSL_CTX_set_ciphersuites call
+TS_CHECK_CRYPTO_SET_CIPHERSUITES
+
saved_LIBS="$LIBS"
TS_ADDTO([LIBS], ["$OPENSSL_LIBS"])
diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst
index f0a3867..a2f0ee3 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -3030,7 +3030,7 @@ SSL Termination
algorithms provided by OpenSSL which |TS| will use for SSL connections. For
the list of algorithms and instructions on constructing an appropriately
formatting cipher_suite string, see
- `OpenSSL Ciphers <https://www.openssl.org/docs/manmaster/apps/ciphers.html>`_.
+ `OpenSSL Ciphers <https://www.openssl.org/docs/manmaster/man1/ciphers.html>`_.
The current default, included in the ``records.config.default`` example
configuration is:
@@ -3041,6 +3041,25 @@ SSL Termination
Configures the cipher_suite which |TS| will use for SSL connections to origin or next hop.
+.. ts:cv:: CONFIG proxy.config.ssl.server.TLSv1_3.cipher_suites STRING <See notes>
+
+ Configures the pair of the AEAD algorithm and hash algorithm to be
+ used with HKDF provided by OpenSSL which |TS| will use for TLSv1.3
+ connections. For the list of algorithms and instructions, see
+ The ``-ciphersuites`` section of `OpenSSL Ciphers <https://www.openssl.org/docs/man1.1.1/man1/ciphers.html>`_.
+
+ The current default value with OpenSSL is:
+
+ TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+
+ This configuration works with OpenSSL v1.1.1 and above.
+
+.. ts:cv:: CONFIG proxy.config.ssl.client.TLSv1_3.cipher_suites STRING <See notes under proxy.config.ssl.server.tls.cipher_suites>
+
+ Configures the cipher_suites which |TS| will use for TLSv1.3
+ connections to origin or next hop. This configuration works
+ with OpenSSL v1.1.1 and above.
+
.. ts:cv:: CONFIG proxy.config.ssl.TLSv1 INT 1
Enables (``1``) or disables (``0``) TLSv1.
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index 8e9346d..f4cde7a 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -87,6 +87,9 @@ struct SSLConfigParams : public ConfigInfo {
long ssl_ctx_options;
long ssl_client_ctx_options;
+ char *server_tls13_cipher_suites;
+ char *client_tls13_cipher_suites;
+
static int ssl_maxrecord;
static bool ssl_allow_client_renegotiation;
diff --git a/iocore/net/SSLClientUtils.cc b/iocore/net/SSLClientUtils.cc
index 139ba06..bb478df 100644
--- a/iocore/net/SSLClientUtils.cc
+++ b/iocore/net/SSLClientUtils.cc
@@ -137,6 +137,15 @@ SSLInitClientContext(const SSLConfigParams *params)
}
}
+#if TS_USE_TLS_SET_CIPHERSUITES
+ if (params->client_tls13_cipher_suites != nullptr) {
+ if (!SSL_CTX_set_ciphersuites(client_ctx, params->client_tls13_cipher_suites)) {
+ SSLError("invalid tls client cipher suites in records.config");
+ goto fail;
+ }
+ }
+#endif
+
// if no path is given for the client private key,
// assume it is contained in the client certificate file.
clientKeyPtr = params->clientKeyPath;
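Review bot: When `TS_USE_TLS_SET_CIPHERSUITES` is 0 the whole block compiles away, so a value set in `proxy.config.ssl.client.TLSv1_3.cipher_suites` is dropped without any diagnostic; the server block in iocore/net/SSLUtils.cc behaves the same way. An operator who restricts the TLSv1.3 suites would then believe the restriction is in force. Whether TLSv1.3 can be negotiated at all on such a build depends on the TLS library, which is not visible here. Consider an `#else` branch that reports a non-null string through the file's usual diagnostics, e.g. `Warning("proxy.config.ssl.client.TLSv1_3.cipher_suites is set but this build cannot apply it");`. SSLInitClientContext begins and ends outside the hunk.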
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 106044e..4b87f05 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -94,7 +94,9 @@ SSLConfigParams::reset()
serverCertPathOnly = serverCertChainFilename = configFilePath = serverCACertFilename = serverCACertPath = clientCertPath =
clientKeyPath = clientCACertFilename = clientCACertPath = cipherSuite = client_cipherSuite = dhparamsFile = serverKeyPathOnly =
nullptr;
- client_ctx = nullptr;
+ server_tls13_cipher_suites = nullptr;
+ client_tls13_cipher_suites = nullptr;
+ client_ctx = nullptr;
clientCertLevel = client_verify_depth = verify_depth = clientVerify = 0;
ssl_ctx_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
ssl_client_ctx_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
@@ -125,6 +127,9 @@ SSLConfigParams::cleanup()
dhparamsFile = (char *)ats_free_null(dhparamsFile);
ssl_wire_trace_ip = (IpAddr *)ats_free_null(ssl_wire_trace_ip);
+ server_tls13_cipher_suites = (char *)ats_free_null(server_tls13_cipher_suites);
+ client_tls13_cipher_suites = (char *)ats_free_null(client_tls13_cipher_suites);
+
freeCTXmap();
SSLReleaseContext(client_ctx);
reset();
@@ -178,6 +183,9 @@ SSLConfigParams::initialize()
REC_ReadConfigInt32(clientCertLevel, "proxy.config.ssl.client.certification_level");
REC_ReadConfigStringAlloc(cipherSuite, "proxy.config.ssl.server.cipher_suite");
REC_ReadConfigStringAlloc(client_cipherSuite, "proxy.config.ssl.client.cipher_suite");
+ REC_ReadConfigStringAlloc(server_tls13_cipher_suites, "proxy.config.ssl.server.TLSv1_3.cipher_suites");
+ REC_ReadConfigStringAlloc(client_tls13_cipher_suites, "proxy.config.ssl.client.TLSv1_3.cipher_suites");
+
dhparamsFile = ats_stringdup(RecConfigReadConfigPath("proxy.config.ssl.server.dhparams_file"));
int options;
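Review bot: The two strings read here in `SSLConfigParams::initialize()` are only compared against `nullptr` by their consumers in SSLClientUtils.cc and SSLUtils.cc. If `REC_ReadConfigStringAlloc` can return an empty string rather than `nullptr`, that value would be passed straight to `SSL_CTX_set_ciphersuites`. As far as I know OpenSSL accepts an empty list there, which would leave the context with no TLSv1.3 suites and quietly move connections to older protocol versions. It is worth confirming what the macro returns for an empty record, then either normalising `""` to `nullptr` at this point or documenting that an empty value turns TLSv1.3 off. initialize() extends beyond the hunk.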
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 71b71a3..562e826 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -1842,6 +1842,16 @@ SSLInitServerContext(const SSLConfigParams *params, const ssl_user_config *sslMu
goto fail;
}
}
+
+#if TS_USE_TLS_SET_CIPHERSUITES
+ if (params->server_tls13_cipher_suites != nullptr) {
+ if (!SSL_CTX_set_ciphersuites(ctx, params->server_tls13_cipher_suites)) {
+ SSLError("invalid tls server cipher suites in records.config");
+ goto fail;
+ }
+ }
+#endif
+
if (!ssl_context_enable_dhe(params->dhparamsFile, ctx)) {
goto fail;
}
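Review bot: The message `invalid tls server cipher suites in records.config` does not name the record that was rejected. The older `proxy.config.ssl.server.cipher_suite` string is presumably checked just above with similar wording, so a failed context load does not tell the operator which of the two settings to fix. Naming the key removes the ambiguity: `SSLError("invalid TLSv1.3 cipher suites in proxy.config.ssl.server.TLSv1_3.cipher_suites");`. The client-side message in iocore/net/SSLClientUtils.cc has the same wording and would benefit from the matching change. SSLInitServerContext begins and ends outside the hunk.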
diff --git a/lib/ts/ink_config.h.in b/lib/ts/ink_config.h.in
index f4b491b..e125296 100644
--- a/lib/ts/ink_config.h.in
+++ b/lib/ts/ink_config.h.in
@@ -76,6 +76,7 @@
#define TS_USE_SET_RBIO @use_set_rbio@
#define TS_USE_GET_DH_2048_256 @use_dh_get_2048_256@
#define TS_USE_TLS_ECKEY @use_tls_eckey@
+#define TS_USE_TLS_SET_CIPHERSUITES @use_tls_set_ciphersuites@
#define TS_USE_LINUX_NATIVE_AIO @use_linux_native_aio@
#define TS_USE_REMOTE_UNWINDING @use_remote_unwinding@
#define TS_USE_SSLV3_CLIENT @use_sslv3_client@
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 26ff75d..77dffae 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1188,6 +1188,18 @@ static const RecordElement RecordsConfig[] =
{RECT_CONFIG, "proxy.config.ssl.ocsp.update_period", RECD_INT, "60", RECU_DYNAMIC, RR_NULL, RECC_NULL, "^[0-9]+$", RECA_NULL}
,
+ //##############################################################################
+ //#
+ //# Congifuration for TLSv1.3 and above
+ //#
+ //##############################################################################
+ // The default value (nullptr) means the default value of TLS stack will be used.
+ // - e.g. OpenSSL : "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
+ {RECT_CONFIG, "proxy.config.ssl.server.TLSv1_3.cipher_suites", RECD_STRING, nullptr, RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
+ ,
+ {RECT_CONFIG, "proxy.config.ssl.client.TLSv1_3.cipher_suites", RECD_STRING, nullptr, RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
+ ,
+
//############################################################################
//#
//# WCCP
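Review bot: The new section banner misspells "Configuration" and says "TLSv1.3 and above", while both records are specific to TLSv1.3; `//# Configuration for TLSv1.3 cipher suites` would be accurate. Both records use `RECC_NULL` with a `nullptr` pattern, so a malformed string is only caught when the SSL context is built after a restart (`RECU_RESTART_TS`). A comment saying that validation is deferred to `SSL_CTX_set_ciphersuites` would make this look intentional. The quoted OpenSSL default list will drift with library versions, so the comment could mark it as an example, e.g. `// - e.g. OpenSSL 1.1.1 default at the time of writing: ...`.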