You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@trafficserver.apache.org by bc...@apache.org on 2018/08/31 16:18:34 UTC

[trafficserver] branch 8.0.x updated: Add configs for TLSv1.3 ciphersuites

This is an automated email from the ASF dual-hosted git repository.

bcall pushed a commit to branch 8.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/8.0.x by this push:
     new bc0cf93  Add configs for TLSv1.3 ciphersuites
bc0cf93 is described below

commit bc0cf931739480217e036f994bc5660c9d6f75d1
Author: Masaori Koshiba <ma...@apache.org>
AuthorDate: Mon Jul 30 14:34:15 2018 +0900

    Add configs for TLSv1.3 ciphersuites
    
    (cherry picked from commit 5072db2a637e353a3a79a37f87556952147ad689)
---
 build/crypto.m4                             | 15 +++++++++++++++
 configure.ac                                |  3 +++
 doc/admin-guide/files/records.config.en.rst | 21 ++++++++++++++++++++-
 iocore/net/P_SSLConfig.h                    |  3 +++
 iocore/net/SSLClientUtils.cc                |  9 +++++++++
 iocore/net/SSLConfig.cc                     | 10 +++++++++-
 iocore/net/SSLUtils.cc                      | 10 ++++++++++
 lib/ts/ink_config.h.in                      |  1 +
 mgmt/RecordsConfig.cc                       | 12 ++++++++++++
 9 files changed, 82 insertions(+), 2 deletions(-)

diff --git a/build/crypto.m4 b/build/crypto.m4
index cbb1b53..e3ac31b 100644
--- a/build/crypto.m4
+++ b/build/crypto.m4
@@ -226,3 +226,18 @@ AC_DEFUN([TS_CHECK_CRYPTO_OCSP], [
   TS_ARG_ENABLE_VAR([use], [tls-ocsp])
   AC_SUBST(use_tls_ocsp)
 ])
+
+AC_DEFUN([TS_CHECK_CRYPTO_SET_CIPHERSUITES], [
+  _set_ciphersuites_saved_LIBS=$LIBS
+
+  TS_ADDTO(LIBS, [$OPENSSL_LIBS])
+  AC_CHECK_HEADERS(openssl/ssl.h)
+  AC_CHECK_FUNCS(SSL_CTX_set_ciphersuites, [enable_tls_set_ciphersuites=yes], [enable_tls_set_ciphersuites=no])
+
+  LIBS=$_set_ciphersuites_saved_LIBS
+
+  AC_MSG_CHECKING(whether to enable TLSv1.3 ciphersuites configuration is supported)
+  AC_MSG_RESULT([$enable_tls_set_ciphersuites])
+  TS_ARG_ENABLE_VAR([use], [tls-set-ciphersuites])
+  AC_SUBST(use_tls_set_ciphersuites)
+])
diff --git a/configure.ac b/configure.ac
index 3992869..9ec51e0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1194,6 +1194,9 @@ TS_CHECK_CRYPTO_DH_GET_2048_256
 # Check for OCSP
 TS_CHECK_CRYPTO_OCSP
 
+# Check for SSL_CTX_set_ciphersuites call
+TS_CHECK_CRYPTO_SET_CIPHERSUITES
+
 saved_LIBS="$LIBS"
 TS_ADDTO([LIBS], ["$OPENSSL_LIBS"])
 
diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst
index f0a3867..a2f0ee3 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -3030,7 +3030,7 @@ SSL Termination
    algorithms provided by OpenSSL which |TS| will use for SSL connections. For
    the list of algorithms and instructions on constructing an appropriately
    formatting cipher_suite string, see
-   `OpenSSL Ciphers <https://www.openssl.org/docs/manmaster/apps/ciphers.html>`_.
+   `OpenSSL Ciphers <https://www.openssl.org/docs/manmaster/man1/ciphers.html>`_.
 
    The current default, included in the ``records.config.default`` example
    configuration is:
@@ -3041,6 +3041,25 @@ SSL Termination
 
    Configures the cipher_suite which |TS| will use for SSL connections to origin or next hop.
 
+.. ts:cv:: CONFIG proxy.config.ssl.server.TLSv1_3.cipher_suites STRING <See notes>
+
+   Configures the pair of the AEAD algorithm and hash algorithm to be
+   used with HKDF provided by OpenSSL which |TS| will use for TLSv1.3
+   connections. For the list of algorithms and instructions, see
+   The ``-ciphersuites`` section of `OpenSSL Ciphers <https://www.openssl.org/docs/man1.1.1/man1/ciphers.html>`_.
+
+   The current default value with OpenSSL is:
+
+   TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
+
+   This configuration works with OpenSSL v1.1.1 and above.
+
+.. ts:cv:: CONFIG proxy.config.ssl.client.TLSv1_3.cipher_suites STRING <See notes under proxy.config.ssl.server.tls.cipher_suites>
+
+   Configures the cipher_suites which |TS| will use for TLSv1.3
+   connections to origin or next hop. This configuration works
+   with OpenSSL v1.1.1 and above.
+
 .. ts:cv:: CONFIG proxy.config.ssl.TLSv1 INT 1
 
    Enables (``1``) or disables (``0``) TLSv1.
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index 8e9346d..f4cde7a 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -87,6 +87,9 @@ struct SSLConfigParams : public ConfigInfo {
   long ssl_ctx_options;
   long ssl_client_ctx_options;
 
+  char *server_tls13_cipher_suites;
+  char *client_tls13_cipher_suites;
+
   static int ssl_maxrecord;
   static bool ssl_allow_client_renegotiation;
 
diff --git a/iocore/net/SSLClientUtils.cc b/iocore/net/SSLClientUtils.cc
index 139ba06..bb478df 100644
--- a/iocore/net/SSLClientUtils.cc
+++ b/iocore/net/SSLClientUtils.cc
@@ -137,6 +137,15 @@ SSLInitClientContext(const SSLConfigParams *params)
     }
   }
 
+#if TS_USE_TLS_SET_CIPHERSUITES
+  if (params->client_tls13_cipher_suites != nullptr) {
+    if (!SSL_CTX_set_ciphersuites(client_ctx, params->client_tls13_cipher_suites)) {
+      SSLError("invalid tls client cipher suites in records.config");
+      goto fail;
+    }
+  }
+#endif
+
   // if no path is given for the client private key,
   // assume it is contained in the client certificate file.
   clientKeyPtr = params->clientKeyPath;
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 106044e..4b87f05 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -94,7 +94,9 @@ SSLConfigParams::reset()
   serverCertPathOnly = serverCertChainFilename = configFilePath = serverCACertFilename = serverCACertPath = clientCertPath =
     clientKeyPath = clientCACertFilename = clientCACertPath = cipherSuite = client_cipherSuite = dhparamsFile = serverKeyPathOnly =
       nullptr;
-  client_ctx      = nullptr;
+  server_tls13_cipher_suites = nullptr;
+  client_tls13_cipher_suites = nullptr;
+  client_ctx                 = nullptr;
   clientCertLevel = client_verify_depth = verify_depth = clientVerify = 0;
   ssl_ctx_options                                                     = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
   ssl_client_ctx_options                                              = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
@@ -125,6 +127,9 @@ SSLConfigParams::cleanup()
   dhparamsFile            = (char *)ats_free_null(dhparamsFile);
   ssl_wire_trace_ip       = (IpAddr *)ats_free_null(ssl_wire_trace_ip);
 
+  server_tls13_cipher_suites = (char *)ats_free_null(server_tls13_cipher_suites);
+  client_tls13_cipher_suites = (char *)ats_free_null(client_tls13_cipher_suites);
+
   freeCTXmap();
   SSLReleaseContext(client_ctx);
   reset();
@@ -178,6 +183,9 @@ SSLConfigParams::initialize()
   REC_ReadConfigInt32(clientCertLevel, "proxy.config.ssl.client.certification_level");
   REC_ReadConfigStringAlloc(cipherSuite, "proxy.config.ssl.server.cipher_suite");
   REC_ReadConfigStringAlloc(client_cipherSuite, "proxy.config.ssl.client.cipher_suite");
+  REC_ReadConfigStringAlloc(server_tls13_cipher_suites, "proxy.config.ssl.server.TLSv1_3.cipher_suites");
+  REC_ReadConfigStringAlloc(client_tls13_cipher_suites, "proxy.config.ssl.client.TLSv1_3.cipher_suites");
+
   dhparamsFile = ats_stringdup(RecConfigReadConfigPath("proxy.config.ssl.server.dhparams_file"));
 
   int options;
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 71b71a3..562e826 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -1842,6 +1842,16 @@ SSLInitServerContext(const SSLConfigParams *params, const ssl_user_config *sslMu
       goto fail;
     }
   }
+
+#if TS_USE_TLS_SET_CIPHERSUITES
+  if (params->server_tls13_cipher_suites != nullptr) {
+    if (!SSL_CTX_set_ciphersuites(ctx, params->server_tls13_cipher_suites)) {
+      SSLError("invalid tls server cipher suites in records.config");
+      goto fail;
+    }
+  }
+#endif
+
   if (!ssl_context_enable_dhe(params->dhparamsFile, ctx)) {
     goto fail;
   }
diff --git a/lib/ts/ink_config.h.in b/lib/ts/ink_config.h.in
index f4b491b..e125296 100644
--- a/lib/ts/ink_config.h.in
+++ b/lib/ts/ink_config.h.in
@@ -76,6 +76,7 @@
 #define TS_USE_SET_RBIO @use_set_rbio@
 #define TS_USE_GET_DH_2048_256 @use_dh_get_2048_256@
 #define TS_USE_TLS_ECKEY @use_tls_eckey@
+#define TS_USE_TLS_SET_CIPHERSUITES @use_tls_set_ciphersuites@
 #define TS_USE_LINUX_NATIVE_AIO @use_linux_native_aio@
 #define TS_USE_REMOTE_UNWINDING @use_remote_unwinding@
 #define TS_USE_SSLV3_CLIENT @use_sslv3_client@
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 26ff75d..77dffae 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1188,6 +1188,18 @@ static const RecordElement RecordsConfig[] =
   {RECT_CONFIG, "proxy.config.ssl.ocsp.update_period", RECD_INT, "60", RECU_DYNAMIC, RR_NULL, RECC_NULL, "^[0-9]+$", RECA_NULL}
   ,
 
+  //##############################################################################
+  //#
+  //# Congifuration for TLSv1.3 and above
+  //#
+  //##############################################################################
+  // The default value (nullptr) means the default value of TLS stack will be used.
+  // - e.g. OpenSSL : "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
+  {RECT_CONFIG, "proxy.config.ssl.server.TLSv1_3.cipher_suites", RECD_STRING, nullptr, RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
+  ,
+  {RECT_CONFIG, "proxy.config.ssl.client.TLSv1_3.cipher_suites", RECD_STRING, nullptr, RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
+  ,
+
   //############################################################################
   //#
   //# WCCP