This is an automated email from the ASF dual-hosted git repository.

shinrich pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 9fae4eef84 Add the TLSv1_3 setting to disable TLSv1_3
9fae4eef84 is described below

commit 9fae4eef8452c219c2b8574867091030a93cda87
Author: Susan Hinrichs <shinr...@oath.com>
AuthorDate: Mon Nov 5 22:28:59 2018 +0000

    Add the TLSv1_3 setting to disable TLSv1_3
---
 doc/admin-guide/files/records.config.en.rst  |  8 ++++++++
 iocore/net/SSLConfig.cc                      | 11 +++++++++++
 mgmt/RecordsConfig.cc                        |  4 ++++
 tests/gold_tests/tls_hooks/tls_hooks.test.py |  4 +++-
 4 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/doc/admin-guide/files/records.config.en.rst 
b/doc/admin-guide/files/records.config.en.rst
index a5075e0..f7d2f64 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -3245,6 +3245,10 @@ SSL Termination
 
    Enables (``1``) or disables (``0``) TLS v1.2.  If not specified, enabled by 
default.  [Requires OpenSSL v1.0.1 and higher]
 
+.. ts:cv:: CONFIG proxy.config.ssl.TLSv1_3 INT 1
+
+   Enables (``1``) or disables (``0``) TLS v1.3.  If not specified, enabled by 
default.  [Requires OpenSSL v1.1.1 and higher]
+
 .. ts:cv:: CONFIG proxy.config.ssl.client.certification_level INT 0
 
    Sets the client certification level:
@@ -3571,6 +3575,10 @@ Client-Related Configuration
 
    Enables (``1``) or disables (``0``) TLSv1_2 in the ATS client context. If 
not specified, enabled by default
 
+.. ts:cv:: CONFIG proxy.config.ssl.client.TLSv1_3 INT 1
+
+   Enables (``1``) or disables (``0``) TLSv1_3 in the ATS client context. If 
not specified, enabled by default
+
 .. ts:cv:: CONFIG proxy.config.ssl.async.handshake.enabled INT 0
 
    Enables the use of openssl async job during the TLS handshake.  Traffic
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 018cfcf..4948a2d 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -236,6 +236,17 @@ SSLConfigParams::initialize()
     ssl_client_ctx_options |= SSL_OP_NO_TLSv1_2;
   }
 #endif
+#ifdef SSL_OP_NO_TLSv1_3
+  REC_ReadConfigInteger(options, "proxy.config.ssl.TLSv1_3");
+  if (!options) {
+    ssl_ctx_options |= SSL_OP_NO_TLSv1_3;
+  }
+
+  REC_ReadConfigInteger(client_ssl_options, "proxy.config.ssl.client.TLSv1_3");
+  if (!client_ssl_options) {
+    ssl_client_ctx_options |= SSL_OP_NO_TLSv1_3;
+  }
+#endif
 
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
   REC_ReadConfigInteger(options, "proxy.config.ssl.server.honor_cipher_order");
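Review bot: The new `#ifdef SSL_OP_NO_TLSv1_3` block gives no feedback when either record is set on a build whose OpenSSL predates TLS 1.3, even though the RecordsConfig.cc hunks register `proxy.config.ssl.TLSv1_3` and `proxy.config.ssl.client.TLSv1_3` unconditionally; an operator who sets the value to 0 on such a build gets silence rather than a diagnostic. A comment above the block, `// TLS 1.3 can only be toggled when the linked OpenSSL defines SSL_OP_NO_TLSv1_3 (1.1.1+); on older builds the records are accepted but have no effect.`, and optionally an `#else` branch that emits a Warning when either record reads as 0 would make this explicit. Reusing `options` and `client_ssl_options` across the TLSv1_2 and TLSv1_3 reads is presumably fine if REC_ReadConfigInteger always assigns its target, but that is worth confirming since a skipped assignment would carry the TLSv1_2 value forward. SSLConfigParams::initialize() starts and ends outside the hunk.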
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index b28e330..dff7e28 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1096,6 +1096,8 @@ static const RecordElement RecordsConfig[] =
   // Disable this when using some versions of OpenSSL that causes crashes. See 
TS-2355.
   {RECT_CONFIG, "proxy.config.ssl.TLSv1_2", RECD_INT, "1", RECU_RESTART_TS, 
RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
+  {RECT_CONFIG, "proxy.config.ssl.TLSv1_3", RECD_INT, "1", RECU_RESTART_TS, 
RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+  ,
 
   // Client SSL protocols
 #if TS_USE_SSLV3_CLIENT
@@ -1108,6 +1110,8 @@ static const RecordElement RecordsConfig[] =
   ,
   {RECT_CONFIG, "proxy.config.ssl.client.TLSv1_2", RECD_INT, "1", 
RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
+  {RECT_CONFIG, "proxy.config.ssl.client.TLSv1_3", RECD_INT, "1", 
RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+  ,
   {RECT_CONFIG, "proxy.config.ssl.server.cipher_suite", RECD_STRING, 
"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256
 [...]
   ,
   {RECT_CONFIG, "proxy.config.ssl.client.cipher_suite", RECD_STRING, nullptr, 
RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
diff --git a/tests/gold_tests/tls_hooks/tls_hooks.test.py 
b/tests/gold_tests/tls_hooks/tls_hooks.test.py
index deb6448..7b4f006 100644
--- a/tests/gold_tests/tls_hooks/tls_hooks.test.py
+++ b/tests/gold_tests/tls_hooks/tls_hooks.test.py
@@ -45,6 +45,7 @@ ts.Disk.records_config.update({
     # enable ssl port
     'proxy.config.http.server_ports': '{0}:ssl'.format(ts.Variables.ssl_port),
     'proxy.config.ssl.client.verify.server':  0,
+    'proxy.config.ssl.TLSv1_3': 0,
     'proxy.config.ssl.server.cipher_suite': 
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
 })
 
@@ -63,9 +64,10 @@ tr.Processes.Default.StartBefore(server)
 tr.Processes.Default.StartBefore(Test.Processes.ts, 
ready=When.PortOpen(ts.Variables.ssl_port))
 tr.StillRunningAfter = ts
 tr.StillRunningAfter = server
-tr.Processes.Default.Command = 'curl -k -H \'host:example.com:{0}\' 
https://127.0.0.1:{0}'.format(ts.Variables.ssl_port)
+tr.Processes.Default.Command = 'curl -v -k -H \'host:example.com:{0}\' 
https://127.0.0.1:{0}'.format(ts.Variables.ssl_port)
 tr.Processes.Default.ReturnCode = 0
 tr.Processes.Default.Streams.stdout = "gold/preaccept-1.gold"
+tr.Processes.Default.Streams.All = Testers.ExcludesExpression("TLSv1.3 (IN), 
TLS handshake, Finished (20):", "Should not negotiate a TLSv1.3 connection")
 
 ts.Streams.stderr = "gold/ts-preaccept-1.gold"
 
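Review bot: The added `Testers.ExcludesExpression("TLSv1.3 (IN), TLS handshake, Finished (20):", ...)` is a purely negative assertion, so it also passes when the curl on the test host never offers TLS 1.3 or phrases its verbose trace differently, and it therefore cannot show that `proxy.config.ssl.TLSv1_3: 0` from the earlier hunk is what prevented the negotiation. Pairing it with a positive check on the negotiated version, e.g. `tr.Processes.Default.Streams.All += Testers.ContainsExpression("SSL connection using TLSv1.2", "Should negotiate TLSv1.2 when TLSv1.3 is disabled")`, would tie the outcome to the setting under test. A one-line comment above the tester stating that `-v` was added to curl solely to surface the handshake trace on stderr would also help the next reader.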
