Posted to commits@trafficserver.apache.org by bc...@apache.org on 2014/07/18 22:04:26 UTC

git commit: TS-2924: Configurable client's ssl protocols and cipher suite

Repository: trafficserver
Updated Branches:
  refs/heads/master b0c07ef6f -> 6ac0e198e


TS-2924: Configurable client's ssl protocols and cipher suite


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/6ac0e198
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/6ac0e198
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/6ac0e198

Branch: refs/heads/master
Commit: 6ac0e198ee31f2e6aac1e0e17f6253c9a06dd118
Parents: b0c07ef
Author: Wei Sun <su...@yahoo-inc.com>
Authored: Fri Jul 18 13:01:33 2014 -0700
Committer: Bryan Call <bc...@apache.org>
Committed: Fri Jul 18 13:02:28 2014 -0700

----------------------------------------------------------------------
 CHANGES                  |  2 ++
 iocore/net/P_SSLConfig.h |  2 ++
 iocore/net/SSLConfig.cc  | 23 +++++++++++++++++++++++
 iocore/net/SSLUtils.cc   | 10 ++++++++++
 mgmt/RecordsConfig.cc    | 15 +++++++++++++++
 5 files changed, 52 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/6ac0e198/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index c7a260b..7685abe 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache Traffic Server 5.1.0
 
+  *) [TS-2924] Configurable client's ssl protocols and cipher suite
+
   *) [TS-2915] SEGV occurs when POST request was posted without Expect: 100-continue header
 
   *) [TS-2940] Fix varargs corruption when logging fatal errors.

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/6ac0e198/iocore/net/P_SSLConfig.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index 6408de3..31a6242 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -64,6 +64,7 @@ struct SSLConfigParams : public ConfigInfo
   char *  serverCACertPath;
   char *  configFilePath;
   char *  cipherSuite;
+  char *  client_cipherSuite;
   int     clientCertLevel;
   int     verify_depth;
   int     ssl_session_cache; // SSL_SESSION_CACHE_MODE
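Review bot: The new `client_cipherSuite` member here, and `ssl_client_ctx_protocols` in the second hunk of this file, are added without a comment, although the existing neighbour `ssl_session_cache` carries one and the two new fields have non-obvious contracts. `ssl_client_ctx_protocols` is filled only with `SSL_OP_NO_*` bits and handed to `SSL_CTX_set_options` in SSLUtils.cc, so it is an options mask rather than a protocol list, and its name does not parallel the server-side `ssl_ctx_options`. I would add `char *  client_cipherSuite;        // proxy.config.ssl.client.cipher_suite; NULL means OpenSSL's default list` and `long    ssl_client_ctx_protocols;  // SSL_OP_NO_* bits applied to the outbound (origin) SSL_CTX`. The struct definition starts and ends outside these hunks.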
@@ -77,6 +78,7 @@ struct SSLConfigParams : public ConfigInfo
   int     clientVerify;
   int     client_verify_depth;
   long    ssl_ctx_options;
+  long    ssl_client_ctx_protocols;
 
   static int ssl_maxrecord;
   static bool ssl_allow_client_renegotiation;

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/6ac0e198/iocore/net/SSLConfig.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index d795fad..25c2875 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -59,11 +59,13 @@ SSLConfigParams::SSLConfigParams()
     clientCACertFilename =
     clientCACertPath =
     cipherSuite =
+    client_cipherSuite =
     serverKeyPathOnly = NULL;
 
   clientCertLevel = client_verify_depth = verify_depth = clientVerify = 0;
 
   ssl_ctx_options = 0;
+  ssl_client_ctx_protocols = 0;
   ssl_session_cache = SSL_SESSION_CACHE_MODE_SERVER;
   ssl_session_cache_size = 1024*20;
   ssl_session_cache_timeout = 0;
@@ -88,6 +90,7 @@ SSLConfigParams::cleanup()
   ats_free_null(serverCertPathOnly);
   ats_free_null(serverKeyPathOnly);
   ats_free_null(cipherSuite);
+  ats_free_null(client_cipherSuite);
 
   clientCertLevel = client_verify_depth = verify_depth = clientVerify = 0;
 }
@@ -141,8 +144,10 @@ SSLConfigParams::initialize()
 
   REC_ReadConfigInt32(clientCertLevel, "proxy.config.ssl.client.certification_level");
   REC_ReadConfigStringAlloc(cipherSuite, "proxy.config.ssl.server.cipher_suite");
+  REC_ReadConfigStringAlloc(client_cipherSuite, "proxy.config.ssl.client.cipher_suite");
 
   int options;
+  int client_ssl_options;
   REC_ReadConfigInteger(options, "proxy.config.ssl.SSLv2");
   if (!options)
     ssl_ctx_options |= SSL_OP_NO_SSLv2;
@@ -153,16 +158,34 @@ SSLConfigParams::initialize()
   if (!options)
     ssl_ctx_options |= SSL_OP_NO_TLSv1;
 
+  REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.SSLv2");
+  if (!client_ssl_options)
+    ssl_client_ctx_protocols |= SSL_OP_NO_SSLv2;
+  REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.SSLv3");
+  if (!client_ssl_options)
+    ssl_client_ctx_protocols |= SSL_OP_NO_SSLv3;
+  REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.TLSv1");
+  if (!client_ssl_options)
+    ssl_client_ctx_protocols |= SSL_OP_NO_TLSv1;
+
   // These are not available in all versions of OpenSSL (e.g. CentOS6). Also see http://s.apache.org/TS-2355.
 #ifdef SSL_OP_NO_TLSv1_1
   REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_1");
   if (!options)
     ssl_ctx_options |= SSL_OP_NO_TLSv1_1;
+
+  REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.TLSv1_1");
+  if (!client_ssl_options)
+    ssl_client_ctx_protocols |= SSL_OP_NO_TLSv1_1;
 #endif
 #ifdef SSL_OP_NO_TLSv1_2
   REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_2");
   if (!options)
     ssl_ctx_options |= SSL_OP_NO_TLSv1_2;
+
+  REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.TLSv1_2");
+  if (!client_ssl_options)
+    ssl_client_ctx_protocols |= SSL_OP_NO_TLSv1_2;
 #endif
 
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
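Review bot: The five added read-then-set blocks for the client records duplicate the server-side blocks line for line, only differing in the record name and the target mask, which makes it easy for a future protocol (or a fix to one side) to be applied to one side and not the other. A small static helper that reads one record and ORs the `SSL_OP_NO_*` flag into a `long &` mask when the record is 0 would let both the server and client sets be written as one call per protocol, keeping the `#ifdef SSL_OP_NO_TLSv1_1` / `SSL_OP_NO_TLSv1_2` guards around the calls as they are now. Whether `REC_ReadConfigInteger` can be wrapped that way depends on its definition, which is not visible here; if it is a macro taking the variable by name, the helper must declare its own local and pass that. The local `int client_ssl_options;` on the previous hunk mirrors the existing uninitialised `options`, so it is not new risk, but initialising it to 0 would be cheap. `SSLConfigParams::initialize()` continues outside this hunk.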

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/6ac0e198/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index abb6a05..a745124 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -1109,6 +1109,16 @@ SSLInitClientContext(const SSLConfigParams * params)
     return NULL;
   }
 
+  if (params->ssl_client_ctx_protocols) {
+    SSL_CTX_set_options(client_ctx, params->ssl_client_ctx_protocols);
+  }
+  if (params->client_cipherSuite != NULL) {
+    if (!SSL_CTX_set_cipher_list(client_ctx, params->client_cipherSuite)) {
+      SSLError("invalid client cipher suite in records.config");
+      goto fail;
+    }
+  }
+
   // if no path is given for the client private key,
   // assume it is contained in the client certificate file.
   clientKeyPtr = params->clientKeyPath;
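Review bot: The `client_cipherSuite != NULL` guard should say what the NULL case means, since the record's default in RecordsConfig.cc is `NULL` and a reader of this function cannot tell whether a NULL suite is an error that was skipped or the intended default. I would add `// NULL (the records.config default) keeps OpenSSL's built-in default cipher list.` above the `if`. If `REC_ReadConfigStringAlloc` can return an empty string for an unset record (not visible here), `SSL_CTX_set_cipher_list` will fail on it and the whole client context is rejected at `goto fail`, so it may be worth treating `""` like NULL: `if (params->client_cipherSuite != NULL && *params->client_cipherSuite != '\0') {`. The error message could also name the offending record, e.g. `"invalid proxy.config.ssl.client.cipher_suite in records.config"`, so operators know which of the two cipher records to fix. `SSLInitClientContext` starts and ends outside this hunk.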

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/6ac0e198/mgmt/RecordsConfig.cc
----------------------------------------------------------------------
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 3b2977c..5617f16 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1236,12 +1236,27 @@ RecordElement RecordsConfig[] = {
   // Disable this when using some versions of OpenSSL that causes crashes. See TS-2355.
   {RECT_CONFIG, "proxy.config.ssl.TLSv1_2", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
+
+  // Client SSL protocols
+  {RECT_CONFIG, "proxy.config.ssl.client.SSLv2", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+  ,
+  {RECT_CONFIG, "proxy.config.ssl.client.SSLv3", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+  ,
+  {RECT_CONFIG, "proxy.config.ssl.client.TLSv1", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+  ,
+  {RECT_CONFIG, "proxy.config.ssl.client.TLSv1_1", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+  ,
+  {RECT_CONFIG, "proxy.config.ssl.client.TLSv1_2", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+  ,
+
   {RECT_CONFIG, "proxy.config.ssl.compression", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
   {RECT_CONFIG, "proxy.config.ssl.number.threads", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
   ,
   {RECT_CONFIG, "proxy.config.ssl.server.cipher_suite", RECD_STRING, "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2", RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
   ,
+  {RECT_CONFIG, "proxy.config.ssl.client.cipher_suite", RECD_STRING, NULL, RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
+  ,
   {RECT_CONFIG, "proxy.config.ssl.server.honor_cipher_order", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
   {RECT_CONFIG, "proxy.config.ssl.server_port", RECD_INT, "-1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-65535]", RECA_NULL}
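Review bot: The default of `"1"` for `proxy.config.ssl.client.SSLv3` means outbound origin connections will negotiate SSLv3 unless an operator explicitly turns it off, while the neighbouring `SSLv2` record already defaults to `"0"`; unless origins that still require SSLv3 are a supported case, I would ship the client SSLv3 default as `"0"` as well, or at least state the trade-off in the comment. The server-side `TLSv1_2` record just above carries `// Disable this when using some versions of OpenSSL that causes crashes. See TS-2355.`, and the client `TLSv1_1`/`TLSv1_2` records are guarded by the same `#ifdef` in SSLConfig.cc, so that caveat should be repeated on the client records. The `// Client SSL protocols` comment could also say that each record is 1 = allow, 0 = disable, which is only implied by the `SSL_OP_NO_*` handling elsewhere. The `RecordsConfig[]` array starts and ends outside this hunk.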