author | Mykola Golub <mgolub@suse.com> | 2021-06-16 16:41:44 +0100 |
---|---|---|
committer | Mykola Golub <mgolub@suse.com> | 2021-07-16 08:39:00 +0300 |
commit | fb9b7b056d69f6500c52d74361e723bf0649fee4 (patch) | |
tree | 189c1e0e94f58ddf1f77a8831a05b2fef4ba6fe8 | |
parent | aaae13d8207b2946e9638f6bdb0ac56eddf73c50 (diff) | |
download | ceph-fb9b7b056d69f6500c52d74361e723bf0649fee4.tar.gz |
rgw: set default ssl options for beast frontend
to 'no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1'
Signed-off-by: Mykola Golub <mgolub@suse.com>
(cherry picked from commit fb31c87c2d6c02563d2d2a1e63d5b62bea2c6f91)
Conflicts:
PendingReleaseNotes (added to 15.2.14 section)
-rw-r--r-- | PendingReleaseNotes | 8 | ||||
-rw-r--r-- | doc/radosgw/frontends.rst | 2 | ||||
-rw-r--r-- | src/rgw/rgw_asio_frontend.cc | 4 |
3 files changed, 13 insertions, 1 deletions
diff --git a/PendingReleaseNotes b/PendingReleaseNotes
index 8d8a16d2668..3cd108a95b1 100644
--- a/PendingReleaseNotes
+++ b/PendingReleaseNotes
@@ -1,3 +1,11 @@
+15.2.14
+-------
+
+* RGW: It is possible to specify ssl options and ciphers for beast frontend now. The default ssl options setting is "no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1". If you want to return back the old behavior add 'ssl_options=' (empty) to ``rgw frontends`` configuration.
+
 15.2.11
 -------
diff --git a/doc/radosgw/frontends.rst b/doc/radosgw/frontends.rst
index 389572255e8..be96e77e863 100644
--- a/doc/radosgw/frontends.rst
+++ b/doc/radosgw/frontends.rst
@@ -85,7 +85,7 @@ Options
 ``single_dh_use`` Always create a new key when using tmp_dh parameters.
 :Type: String
-:Default: None
+:Default: ``no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1``
 ``ssl_ciphers``
diff --git a/src/rgw/rgw_asio_frontend.cc b/src/rgw/rgw_asio_frontend.cc
index 7b2a65a63a1..a15523f3ac3 100644
--- a/src/rgw/rgw_asio_frontend.cc
+++ b/src/rgw/rgw_asio_frontend.cc
@@ -780,7 +780,11 @@ int AsioFrontend::init_ssl()
 lderr(ctx()) << "no ssl_certificate configured for ssl_options" << dendl;
 return -EINVAL;
 }
+ } else if (cert) {
+ options = "no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1";
+ }
+ if (options) {
 for (auto &option : ceph::split(*options, ":")) {
 if (option == "default_workarounds") {
 ssl_context->set_options(ssl::context::default_workarounds); |
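Review bot: The hardened default on the new `options = "no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1";` line is a bare literal that is repeated verbatim in doc/radosgw/frontends.rst and PendingReleaseNotes and must stay in step with the token names the parsing loop below accepts; hoisting it into a file-level `static constexpr const char* default_ssl_options = "no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1";` gives the docs and any test a single name to reference. Because the default is fed through the same `ceph::split` loop as operator input, a token the loop does not recognise (how unknown tokens are handled is outside this hunk) would turn a typo in the default into a startup failure for every TLS-enabled frontend, so a unit test that runs the default string through this path is worth adding alongside the constant. The `else if (cert)` branch deserves a comment making the escape hatch explicit, since an empty `ssl_options=` silently re-enables SSLv3 and TLS 1.0/1.1, e.g. `// Apply the hardened defaults only when ssl_options is unset; an explicit empty value keeps the permissive legacy behaviour.` The `no_tlsv1_1` token presumably maps to `ssl::context::no_tlsv1_1`, which older Boost.Asio releases do not define, so if such releases are still supported the branch that handles that token (outside the hunk) needs a version guard or the default will fail to parse. init_ssl begins before and continues past this hunk.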