author | Mykola Golub <mgolub@suse.com> | 2021-05-27 17:09:48 +0100 |
committer | Mykola Golub <mgolub@suse.com> | 2021-07-16 08:34:54 +0300 |
commit | aaae13d8207b2946e9638f6bdb0ac56eddf73c50 (patch) | |
tree | 48de91f161312b477cc300bd4317dc99cf7e62c3 | |
parent | 7d518f6b629e6292006e88108f6ca78edde2db67 (diff) | |
download | ceph-aaae13d8207b2946e9638f6bdb0ac56eddf73c50.tar.gz |
rgw: allow to set ssl options and ciphers for beast frontend
Two new conf keys are added for the "beast" frontend:
- ssl_options: a colon separated list of ssl context options,
documented in boost's ssl::context_base;
- ssl_ciphers: a colon separated list of ciphers, documented
in openssl's ciphers(1) manual.
Example:
rgw frontends = beast ... ssl_options=default_workarounds:no_tlsv1:no_tlsv1_1 ssl_ciphers=HIGH:!aNULL:!MD5
Fixes: https://tracker.ceph.com/issues/50932
Signed-off-by: Mykola Golub <mgolub@suse.com>
(cherry picked from commit 91abede6357d167063c63eade45421d2f17bb0e7)
-rw-r--r-- | doc/radosgw/frontends.rst | 32 | ||||
-rw-r--r-- | src/rgw/rgw_asio_frontend.cc | 48 |
2 files changed, 80 insertions, 0 deletions
diff --git a/doc/radosgw/frontends.rst b/doc/radosgw/frontends.rst
index e4a01359085..389572255e8 100644
--- a/doc/radosgw/frontends.rst
+++ b/doc/radosgw/frontends.rst
@@ -64,6 +64,38 @@ Options
 :Type: String
 :Default: None
+``ssl_options``
+
+:Description: Optional colon separated list of ssl context options:
+
+ ``default_workarounds`` Implement various bug workarounds.
+
+ ``no_compression`` Disable compression.
+
+ ``no_sslv2`` Disable SSL v2.
+
+ ``no_sslv3`` Disable SSL v3.
+
+ ``no_tlsv1`` Disable TLS v1.
+
+ ``no_tlsv1_1`` Disable TLS v1.1.
+
+ ``no_tlsv1_2`` Disable TLS v1.2.
+
+ ``single_dh_use`` Always create a new key when using tmp_dh parameters.
+
+:Type: String
+:Default: None
+
+``ssl_ciphers``
+
+:Description: Optional list of one or more cipher strings separated by colons.
+ The format of the string is described in openssl's ciphers(1)
+ manual.
+
+:Type: String
+:Default: None
+
 ``tcp_nodelay``
 :Description: If set the socket option will disable Nagle's algorithm on
diff --git a/src/rgw/rgw_asio_frontend.cc b/src/rgw/rgw_asio_frontend.cc
index 577f70f385d..7b2a65a63a1 100644
--- a/src/rgw/rgw_asio_frontend.cc
+++ b/src/rgw/rgw_asio_frontend.cc
@@ -22,6 +22,8 @@
 #include <boost/asio/ssl.hpp>
 #include <boost/beast/ssl/ssl_stream.hpp>
+#include "common/split.h"
+
 #include "services/svc_config_key.h"
 #include "services/svc_zone.h"
@@ -772,6 +774,52 @@ int AsioFrontend::init_ssl()
 return -EINVAL;
 }
+ std::optional<string> options = conf->get_val("ssl_options");
+ if (options) {
+ if (!cert) {
+ lderr(ctx()) << "no ssl_certificate configured for ssl_options" << dendl;
+ return -EINVAL;
+ }
+
+ for (auto &option : ceph::split(*options, ":")) {
+ if (option == "default_workarounds") {
+ ssl_context->set_options(ssl::context::default_workarounds);
+ } else if (option == "no_compression") {
+ ssl_context->set_options(ssl::context::no_compression);
+ } else if (option == "no_sslv2") {
+ ssl_context->set_options(ssl::context::no_sslv2);
+ } else if (option == "no_sslv3") {
+ ssl_context->set_options(ssl::context::no_sslv3);
+ } else if (option == "no_tlsv1") {
+ ssl_context->set_options(ssl::context::no_tlsv1);
+ } else if (option == "no_tlsv1_1") {
+ ssl_context->set_options(ssl::context::no_tlsv1_1);
+ } else if (option == "no_tlsv1_2") {
+ ssl_context->set_options(ssl::context::no_tlsv1_2);
+ } else if (option == "single_dh_use") {
+ ssl_context->set_options(ssl::context::single_dh_use);
+ } else {
+ lderr(ctx()) << "ignoring unknown ssl option '" << option << "'" << dendl;
+ }
+ }
+ }
+
+ std::optional<string> ciphers = conf->get_val("ssl_ciphers");
+ if (ciphers) {
+ if (!cert) {
+ lderr(ctx()) << "no ssl_certificate configured for ssl_ciphers" << dendl;
+ return -EINVAL;
+ }
+
+ int r = SSL_CTX_set_cipher_list(ssl_context->native_handle(),
+ ciphers->c_str());
+ if (r == 0) {
+ lderr(ctx()) << "no cipher could be selected from ssl_ciphers: "
+ << *ciphers << dendl;
+ return -EINVAL;
+ }
+ }
+
 auto ports = config.equal_range("ssl_port");
 auto endpoints = config.equal_range("ssl_endpoint"); |
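Review bot: The final `else` of the option loop logs `"ignoring unknown ssl option"` and continues, so a misspelt entry in `ssl_options` (say a typo in `no_tlsv1_1`) leaves that protocol version enabled while init_ssl() still returns success; the `ssl_ciphers` block a few lines below fails closed with `return -EINVAL;` when nothing matches, and the options path should be equally strict, e.g. `lderr(ctx()) << "unknown ssl option '" << option << "'" << dendl;` followed by `return -EINVAL;`. The `SSL_CTX_set_cipher_list()` call also deserves a comment, because that API governs only TLS 1.2 and earlier cipher suites while TLS 1.3 suites are configured separately through `SSL_CTX_set_ciphersuites()`; something like `// governs TLS <= 1.2 cipher suites only; TLS 1.3 ciphersuites need SSL_CTX_set_ciphersuites()` above the call, with the same caveat worth adding to the ``ssl_ciphers`` entry in frontends.rst. init_ssl() begins and ends outside this hunk, so the `cert` and `ssl_context` variables the new code tests are not visible here.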