Posted to commits@trafficserver.apache.org by bc...@apache.org on 2014/07/18 22:04:26 UTC
git commit: TS-2924: Configurable client's ssl protocols and cipher
suite
Repository: trafficserver
Updated Branches:
refs/heads/master b0c07ef6f -> 6ac0e198e
TS-2924: Configurable client's ssl protocols and cipher suite
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/6ac0e198
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/6ac0e198
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/6ac0e198
Branch: refs/heads/master
Commit: 6ac0e198ee31f2e6aac1e0e17f6253c9a06dd118
Parents: b0c07ef
Author: Wei Sun <su...@yahoo-inc.com>
Authored: Fri Jul 18 13:01:33 2014 -0700
Committer: Bryan Call <bc...@apache.org>
Committed: Fri Jul 18 13:02:28 2014 -0700
----------------------------------------------------------------------
CHANGES | 2 ++
iocore/net/P_SSLConfig.h | 2 ++
iocore/net/SSLConfig.cc | 23 +++++++++++++++++++++++
iocore/net/SSLUtils.cc | 10 ++++++++++
mgmt/RecordsConfig.cc | 15 +++++++++++++++
5 files changed, 52 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/6ac0e198/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index c7a260b..7685abe 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
-*- coding: utf-8 -*-
Changes with Apache Traffic Server 5.1.0
+ *) [TS-2924] Configurable client's ssl protocols and cipher suite
+
*) [TS-2915] SEGV occurs when POST request was posted without Expect: 100-continue header
*) [TS-2940] Fix varargs corruption when logging fatal errors.
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/6ac0e198/iocore/net/P_SSLConfig.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index 6408de3..31a6242 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -64,6 +64,7 @@ struct SSLConfigParams : public ConfigInfo
char * serverCACertPath;
char * configFilePath;
char * cipherSuite;
+ char * client_cipherSuite;
int clientCertLevel;
int verify_depth;
int ssl_session_cache; // SSL_SESSION_CACHE_MODE
@@ -77,6 +78,7 @@ struct SSLConfigParams : public ConfigInfo
int clientVerify;
int client_verify_depth;
long ssl_ctx_options;
+ long ssl_client_ctx_protocols;
static int ssl_maxrecord;
static bool ssl_allow_client_renegotiation;
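Review bot: The new member `ssl_client_ctx_protocols` holds SSL_OP_NO_* option bits (SSLConfig.cc ORs SSL_OP_NO_SSLv2 and friends into it and SSLUtils.cc hands it to SSL_CTX_set_options), so the name reads as the set of protocols that are enabled when it is really the set that is disabled, the opposite sense of its server-side twin `ssl_ctx_options`. Either rename it `ssl_client_ctx_options` to match, or annotate it in place: `long ssl_client_ctx_protocols; // SSL_OP_NO_* bits applied to the origin-side (client) SSL_CTX`. The struct definition starts and ends outside this hunk.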
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/6ac0e198/iocore/net/SSLConfig.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index d795fad..25c2875 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -59,11 +59,13 @@ SSLConfigParams::SSLConfigParams()
clientCACertFilename =
clientCACertPath =
cipherSuite =
+ client_cipherSuite =
serverKeyPathOnly = NULL;
clientCertLevel = client_verify_depth = verify_depth = clientVerify = 0;
ssl_ctx_options = 0;
+ ssl_client_ctx_protocols = 0;
ssl_session_cache = SSL_SESSION_CACHE_MODE_SERVER;
ssl_session_cache_size = 1024*20;
ssl_session_cache_timeout = 0;
@@ -88,6 +90,7 @@ SSLConfigParams::cleanup()
ats_free_null(serverCertPathOnly);
ats_free_null(serverKeyPathOnly);
ats_free_null(cipherSuite);
+ ats_free_null(client_cipherSuite);
clientCertLevel = client_verify_depth = verify_depth = clientVerify = 0;
}
@@ -141,8 +144,10 @@ SSLConfigParams::initialize()
REC_ReadConfigInt32(clientCertLevel, "proxy.config.ssl.client.certification_level");
REC_ReadConfigStringAlloc(cipherSuite, "proxy.config.ssl.server.cipher_suite");
+ REC_ReadConfigStringAlloc(client_cipherSuite, "proxy.config.ssl.client.cipher_suite");
int options;
+ int client_ssl_options;
REC_ReadConfigInteger(options, "proxy.config.ssl.SSLv2");
if (!options)
ssl_ctx_options |= SSL_OP_NO_SSLv2;
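Review bot: `int client_ssl_options;` is declared without an initializer and is then tested with `if (!client_ssl_options)` after each REC_ReadConfigInteger call in the following hunk; if a lookup ever leaves the variable untouched (a missing or mistyped record, which I cannot rule out from here), the test reads an indeterminate value, which is undefined behaviour. It copies the pre-existing `int options;`, but new code should not inherit that: `int client_ssl_options = 0;` makes a missing record fail closed, i.e. the protocol stays disabled. SSLConfigParams::initialize() continues outside this hunk.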
@@ -153,16 +158,34 @@ SSLConfigParams::initialize()
if (!options)
ssl_ctx_options |= SSL_OP_NO_TLSv1;
+ REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.SSLv2");
+ if (!client_ssl_options)
+ ssl_client_ctx_protocols |= SSL_OP_NO_SSLv2;
+ REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.SSLv3");
+ if (!client_ssl_options)
+ ssl_client_ctx_protocols |= SSL_OP_NO_SSLv3;
+ REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.TLSv1");
+ if (!client_ssl_options)
+ ssl_client_ctx_protocols |= SSL_OP_NO_TLSv1;
+
// These are not available in all versions of OpenSSL (e.g. CentOS6). Also see http://s.apache.org/TS-2355.
#ifdef SSL_OP_NO_TLSv1_1
REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_1");
if (!options)
ssl_ctx_options |= SSL_OP_NO_TLSv1_1;
+
+ REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.TLSv1_1");
+ if (!client_ssl_options)
+ ssl_client_ctx_protocols |= SSL_OP_NO_TLSv1_1;
#endif
#ifdef SSL_OP_NO_TLSv1_2
REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_2");
if (!options)
ssl_ctx_options |= SSL_OP_NO_TLSv1_2;
+
+ REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.TLSv1_2");
+ if (!client_ssl_options)
+ ssl_client_ctx_protocols |= SSL_OP_NO_TLSv1_2;
#endif
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
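Review bot: Nothing checks that at least one client protocol survives once the five `proxy.config.ssl.client.*` toggles have been folded into `ssl_client_ctx_protocols`; an operator who sets all of them to 0 gets an origin-side context on which every handshake fails, with no hint at startup. The server-side mask has the same gap, but since this hunk introduces the client mask it is the place to close it: after the last `#endif`, compare the accumulated SSL_OP_NO_* bits against the set of flags this build knows about and emit a startup warning when every protocol is disabled (the exact mask depends on which `SSL_OP_NO_TLSv1_x` macros are defined, so build it under the same `#ifdef`s). A short comment above the client block, `// Client (origin-side) protocol toggles; a 0 value adds the matching SSL_OP_NO_* bit`, would also help, since the variable name does not say which direction the bits go. initialize() continues outside this hunk.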
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/6ac0e198/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index abb6a05..a745124 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -1109,6 +1109,16 @@ SSLInitClientContext(const SSLConfigParams * params)
return NULL;
}
+ if (params->ssl_client_ctx_protocols) {
+ SSL_CTX_set_options(client_ctx, params->ssl_client_ctx_protocols);
+ }
+ if (params->client_cipherSuite != NULL) {
+ if (!SSL_CTX_set_cipher_list(client_ctx, params->client_cipherSuite)) {
+ SSLError("invalid client cipher suite in records.config");
+ goto fail;
+ }
+ }
+
// if no path is given for the client private key,
// assume it is contained in the client certificate file.
clientKeyPtr = params->clientKeyPath;
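Review bot: When `proxy.config.ssl.client.cipher_suite` is unset, `client_cipherSuite` is NULL and the new block leaves the origin-side context on whatever cipher list the linked OpenSSL was built with, whereas the server context always receives the explicit `proxy.config.ssl.server.cipher_suite` ordering; what origin connections actually offer therefore varies with the OpenSSL build rather than with records.config. Consider falling back to `params->cipherSuite` when `client_cipherSuite` is NULL, or at least make the choice visible: `// No client cipher list configured: the OpenSSL build-time default list stays in effect.` The guard `if (params->ssl_client_ctx_protocols)` is redundant, since SSL_CTX_set_options with a zero mask changes nothing, but it is harmless. SSLInitClientContext() and the `fail:` label it jumps to lie outside this hunk.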
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/6ac0e198/mgmt/RecordsConfig.cc
----------------------------------------------------------------------
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 3b2977c..5617f16 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1236,12 +1236,27 @@ RecordElement RecordsConfig[] = {
// Disable this when using some versions of OpenSSL that causes crashes. See TS-2355.
{RECT_CONFIG, "proxy.config.ssl.TLSv1_2", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
,
+
+ // Client SSL protocols
+ {RECT_CONFIG, "proxy.config.ssl.client.SSLv2", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+ ,
+ {RECT_CONFIG, "proxy.config.ssl.client.SSLv3", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+ ,
+ {RECT_CONFIG, "proxy.config.ssl.client.TLSv1", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+ ,
+ {RECT_CONFIG, "proxy.config.ssl.client.TLSv1_1", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+ ,
+ {RECT_CONFIG, "proxy.config.ssl.client.TLSv1_2", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+ ,
+
{RECT_CONFIG, "proxy.config.ssl.compression", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
,
{RECT_CONFIG, "proxy.config.ssl.number.threads", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
,
{RECT_CONFIG, "proxy.config.ssl.server.cipher_suite", RECD_STRING, "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2", RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
,
+ {RECT_CONFIG, "proxy.config.ssl.client.cipher_suite", RECD_STRING, NULL, RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
+ ,
{RECT_CONFIG, "proxy.config.ssl.server.honor_cipher_order", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
,
{RECT_CONFIG, "proxy.config.ssl.server_port", RECD_INT, "-1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-65535]", RECA_NULL}
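Review bot: `proxy.config.ssl.client.SSLv3` defaults to "1", so out of the box Traffic Server will accept SSLv3 from origin servers (and an active downgrade to it) until an operator discovers the toggle and turns it off; given that the server-side cipher default already carries `!SSLv2` as a hardening measure, the safer client default is `"0"`, with the intent recorded next to it: `// SSLv3 is off by default for origin connections; enable only for legacy origins.`. The diffstat lists no file under doc/, so the five new `proxy.config.ssl.client.*` toggles and `proxy.config.ssl.client.cipher_suite` also need entries in the records.config documentation, stating that `client.cipher_suite` has no default (OpenSSL's own list applies) and that the `TLSv1_1`/`TLSv1_2` toggles are only honoured when the linked OpenSSL defines `SSL_OP_NO_TLSv1_1`/`SSL_OP_NO_TLSv1_2`, as the `#ifdef`s in SSLConfig.cc show.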