Repository: trafficserver Updated Branches: refs/heads/master b0c07ef6f -> 6ac0e198e
TS-2924: Configurable client's ssl protocols and cipher suite Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/6ac0e198 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/6ac0e198 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/6ac0e198 Branch: refs/heads/master Commit: 6ac0e198ee31f2e6aac1e0e17f6253c9a06dd118 Parents: b0c07ef Author: Wei Sun <[email protected]> Authored: Fri Jul 18 13:01:33 2014 -0700 Committer: Bryan Call <[email protected]> Committed: Fri Jul 18 13:02:28 2014 -0700 ---------------------------------------------------------------------- CHANGES | 2 ++ iocore/net/P_SSLConfig.h | 2 ++ iocore/net/SSLConfig.cc | 23 +++++++++++++++++++++++ iocore/net/SSLUtils.cc | 10 ++++++++++ mgmt/RecordsConfig.cc | 15 +++++++++++++++ 5 files changed, 52 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/6ac0e198/CHANGES ---------------------------------------------------------------------- diff --git a/CHANGES b/CHANGES index c7a260b..7685abe 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,8 @@ -*- coding: utf-8 -*- Changes with Apache Traffic Server 5.1.0 + *) [TS-2924] Configurable client's ssl protocols and cipher suite + *) [TS-2915] SEGV occurs when POST request was posted without Expect: 100-continue header *) [TS-2940] Fix varargs corruption when logging fatal errors. http://git-wip-us.apache.org/repos/asf/trafficserver/blob/6ac0e198/iocore/net/P_SSLConfig.h ---------------------------------------------------------------------- diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h index 6408de3..31a6242 100644 --- a/iocore/net/P_SSLConfig.h +++ b/iocore/net/P_SSLConfig.h 
@@ -64,6 +64,7 @@ struct SSLConfigParams : public ConfigInfo char * serverCACertPath; char * configFilePath; char * cipherSuite; + char * client_cipherSuite; int clientCertLevel; int verify_depth; int ssl_session_cache; // SSL_SESSION_CACHE_MODE @@ -77,6 +78,7 @@ struct SSLConfigParams : public ConfigInfo int clientVerify; int client_verify_depth; long ssl_ctx_options; + long ssl_client_ctx_protocols; static int ssl_maxrecord; static bool ssl_allow_client_renegotiation; http://git-wip-us.apache.org/repos/asf/trafficserver/blob/6ac0e198/iocore/net/SSLConfig.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc index d795fad..25c2875 100644 --- a/iocore/net/SSLConfig.cc +++ b/iocore/net/SSLConfig.cc @@ -59,11 +59,13 @@ SSLConfigParams::SSLConfigParams() clientCACertFilename = clientCACertPath = cipherSuite = + client_cipherSuite = serverKeyPathOnly = NULL; clientCertLevel = client_verify_depth = verify_depth = clientVerify = 0; ssl_ctx_options = 0; + ssl_client_ctx_protocols = 0; ssl_session_cache = SSL_SESSION_CACHE_MODE_SERVER; ssl_session_cache_size = 1024*20; ssl_session_cache_timeout = 0; @@ -88,6 +90,7 @@ SSLConfigParams::cleanup() ats_free_null(serverCertPathOnly); ats_free_null(serverKeyPathOnly); ats_free_null(cipherSuite); + ats_free_null(client_cipherSuite); clientCertLevel = client_verify_depth = verify_depth = clientVerify = 0; } @@ -141,8 +144,10 @@ SSLConfigParams::initialize() REC_ReadConfigInt32(clientCertLevel, "proxy.config.ssl.client.certification_level"); REC_ReadConfigStringAlloc(cipherSuite, "proxy.config.ssl.server.cipher_suite"); + REC_ReadConfigStringAlloc(client_cipherSuite, "proxy.config.ssl.client.cipher_suite"); int options; + int client_ssl_options; REC_ReadConfigInteger(options, "proxy.config.ssl.SSLv2"); if (!options) ssl_ctx_options |= SSL_OP_NO_SSLv2; 
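Review bot: The two new members in P_SSLConfig.h would benefit from a one-line comment each, because their names do not say what they hold: `ssl_client_ctx_protocols` is populated in SSLConfig.cc with `SSL_OP_NO_*` option bits (the same kind of value as the neighbouring `ssl_ctx_options`), not a list of protocols, and `client_cipherSuite` is an OpenSSL cipher-list string that may stay NULL. Suggest `char * client_cipherSuite; // OpenSSL cipher list for the outbound (client) SSL_CTX; NULL keeps the library default` and `long ssl_client_ctx_protocols; // SSL_OP_NO_* bits applied to the client SSL_CTX; see SSLConfigParams::initialize()`. The mixed naming (`client_cipherSuite` next to `cipherSuite`, `ssl_client_ctx_protocols` next to `ssl_ctx_options`) is a style point worth settling before more client-side knobs are added. The struct SSLConfigParams starts and ends outside these hunks.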
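Review bot: `int client_ssl_options;` in the SSLConfig.cc -141 hunk is declared without an initializer, mirroring the existing `options`; if REC_ReadConfigInteger leaves its argument untouched when a record cannot be read (I cannot tell that from this hunk), the `if (!client_ssl_options)` tests in the following hunk would act on an indeterminate value and set or skip `SSL_OP_NO_*` bits unpredictably. Initialise it to a definite value, `int client_ssl_options = 0;`, so an unreadable record disables that protocol rather than leaving it to chance, and say so in a comment on the declaration. SSLConfigParams::initialize() starts and ends outside this hunk.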
@@ -153,16 +158,34 @@ SSLConfigParams::initialize() if (!options) ssl_ctx_options |= SSL_OP_NO_TLSv1; + REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.SSLv2"); + if (!client_ssl_options) + ssl_client_ctx_protocols |= SSL_OP_NO_SSLv2; + REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.SSLv3"); + if (!client_ssl_options) + ssl_client_ctx_protocols |= SSL_OP_NO_SSLv3; + REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.TLSv1"); + if (!client_ssl_options) + ssl_client_ctx_protocols |= SSL_OP_NO_TLSv1; + // These are not available in all versions of OpenSSL (e.g. CentOS6). Also see http://s.apache.org/TS-2355. #ifdef SSL_OP_NO_TLSv1_1 REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_1"); if (!options) ssl_ctx_options |= SSL_OP_NO_TLSv1_1; + + REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.TLSv1_1"); + if (!client_ssl_options) + ssl_client_ctx_protocols |= SSL_OP_NO_TLSv1_1; #endif #ifdef SSL_OP_NO_TLSv1_2 REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_2"); if (!options) ssl_ctx_options |= SSL_OP_NO_TLSv1_2; + + REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.TLSv1_2"); + if (!client_ssl_options) + ssl_client_ctx_protocols |= SSL_OP_NO_TLSv1_2; #endif #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE http://git-wip-us.apache.org/repos/asf/trafficserver/blob/6ac0e198/iocore/net/SSLUtils.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc index abb6a05..a745124 100644 --- a/iocore/net/SSLUtils.cc +++ b/iocore/net/SSLUtils.cc 
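Review bot: The three new client-side blocks, plus the two under `#ifdef SSL_OP_NO_TLSv1_1` / `#ifdef SSL_OP_NO_TLSv1_2`, repeat the same three-line shape — read a 0/1 record into `client_ssl_options`, then OR an `SSL_OP_NO_*` bit when it is 0 — and only the record name and the bit differ, exactly as in the five server-side blocks they are interleaved with. A small file-local helper would make each server/client pair read as one line, and give one place to document the "0 means the protocol is disabled" convention that the code currently leaves implicit. The sketch below assumes REC_ReadConfigInteger accepts a local handed in through a reference parameter; it is only used with plain locals here, so confirm that before adopting it. SSLConfigParams::initialize() starts and ends outside this hunk.
```cpp
// Reads a 0/1 protocol record; when it is 0 the matching SSL_OP_NO_* bit is
// set in `opts`, which disables that protocol on the corresponding SSL_CTX.
static void
read_protocol_flag(long & opts, const char * record, long no_flag)
{
  int enabled = 0;
  REC_ReadConfigInteger(enabled, record);
  if (!enabled)
    opts |= no_flag;
}

// … in SSLConfigParams::initialize(), replacing the per-protocol blocks …
read_protocol_flag(ssl_ctx_options, "proxy.config.ssl.TLSv1", SSL_OP_NO_TLSv1);
read_protocol_flag(ssl_client_ctx_protocols, "proxy.config.ssl.client.TLSv1", SSL_OP_NO_TLSv1);

// These are not available in all versions of OpenSSL (e.g. CentOS6). Also see http://s.apache.org/TS-2355.
#ifdef SSL_OP_NO_TLSv1_1
read_protocol_flag(ssl_ctx_options, "proxy.config.ssl.TLSv1_1", SSL_OP_NO_TLSv1_1);
read_protocol_flag(ssl_client_ctx_protocols, "proxy.config.ssl.client.TLSv1_1", SSL_OP_NO_TLSv1_1);
#endif
// … unchanged: SSLv2/SSLv3 pairs and the SSL_OP_NO_TLSv1_2 pair follow the same shape …
```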
@@ -1109,6 +1109,16 @@ SSLInitClientContext(const SSLConfigParams * params) return NULL; } + if (params->ssl_client_ctx_protocols) { + SSL_CTX_set_options(client_ctx, params->ssl_client_ctx_protocols); + } + if (params->client_cipherSuite != NULL) { + if (!SSL_CTX_set_cipher_list(client_ctx, params->client_cipherSuite)) { + SSLError("invalid client cipher suite in records.config"); + goto fail; + } + } + // if no path is given for the client private key, // assume it is contained in the client certificate file. clientKeyPtr = params->clientKeyPath; http://git-wip-us.apache.org/repos/asf/trafficserver/blob/6ac0e198/mgmt/RecordsConfig.cc ---------------------------------------------------------------------- diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc index 3b2977c..5617f16 100644 --- a/mgmt/RecordsConfig.cc +++ b/mgmt/RecordsConfig.cc 
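Review bot: The new block in SSLInitClientContext deserves a short comment, because two things are easy to misread: `ssl_client_ctx_protocols` carries `SSL_OP_NO_*` bits despite its name, and when `client_cipherSuite` is NULL — which is the record's default in the RecordsConfig.cc hunk — the client context keeps OpenSSL's built-in cipher list rather than the curated list the server side gets from `proxy.config.ssl.server.cipher_suite`. Suggest `// Apply the SSL_OP_NO_* bits from proxy.config.ssl.client.*; a NULL client_cipherSuite keeps OpenSSL's default cipher list.` above the first `if`. The `if (params->ssl_client_ctx_protocols)` guard is redundant since SSL_CTX_set_options OR-s the bits in and zero is a no-op, but it is harmless. The function continues outside the hunk; the `fail` label the new `goto` targets is not shown here.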
@@ -1236,12 +1236,27 @@ RecordElement RecordsConfig[] = {
   // Disable this when using some versions of OpenSSL that causes crashes. See TS-2355.
   {RECT_CONFIG, "proxy.config.ssl.TLSv1_2", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
+
+  // Client SSL protocols
+  {RECT_CONFIG, "proxy.config.ssl.client.SSLv2", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+  ,
+  {RECT_CONFIG, "proxy.config.ssl.client.SSLv3", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+  ,
+  {RECT_CONFIG, "proxy.config.ssl.client.TLSv1", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+  ,
+  {RECT_CONFIG, "proxy.config.ssl.client.TLSv1_1", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+  ,
+  {RECT_CONFIG, "proxy.config.ssl.client.TLSv1_2", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+  ,
+
   {RECT_CONFIG, "proxy.config.ssl.compression", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
   {RECT_CONFIG, "proxy.config.ssl.number.threads", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
   ,
   {RECT_CONFIG, "proxy.config.ssl.server.cipher_suite", RECD_STRING, "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2", RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
   ,
+  {RECT_CONFIG, "proxy.config.ssl.client.cipher_suite", RECD_STRING, NULL, RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
+  ,
   {RECT_CONFIG, "proxy.config.ssl.server.honor_cipher_order", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
   {RECT_CONFIG, "proxy.config.ssl.server_port", RECD_INT, "-1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-65535]", RECA_NULL}
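Review bot: The six new records (`proxy.config.ssl.client.SSLv2` … `TLSv1_2` and `proxy.config.ssl.client.cipher_suite`) arrive without any documentation change — the diffstat lists only CHANGES and source files — so operators have no reference entry telling them that 0 disables a protocol for outbound connections, that `SSLv2` defaults to 0 while the others default to 1, or that leaving `cipher_suite` at its NULL default keeps OpenSSL's built-in cipher list instead of the explicit server-side list directly above it. Please add entries for these records to the records.config reference alongside the existing `proxy.config.ssl.server.*` entries, and consider expanding the `// Client SSL protocols` comment to `// Client (outbound) SSL protocols: 0 disables the protocol on the client SSL_CTX` so the convention is visible in the table itself. The RecordsConfig[] array starts and ends outside this hunk.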
