author | Spencer Jackson <spencer.jackson@mongodb.com> | 2015-03-11 14:09:55 -0400 |
---|---|---|
committer | Spencer Jackson <spencer.jackson@mongodb.com> | 2015-03-13 15:56:27 -0400 |
commit | 83ae47b5780cddca30fd09b40fa4d897895a595f (patch) | |
tree | 67d68335c14c8dbf66094461f13786d32dfb8584 | |
parent | 4d7b131c5454bf56fd494b1a3537eeb5e221a027 (diff) | |
download | mongo-83ae47b5780cddca30fd09b40fa4d897895a595f.tar.gz |
SERVER-16073: Allow overrides to OpenSSL ciphers
-rw-r--r-- | src/mongo/util/net/ssl_manager.cpp | 15 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_options.cpp | 9 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_options.h | 1 |
3 files changed, 24 insertions, 1 deletions
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index cec95e4ee51..ba3cdcf1b89 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -160,6 +160,7 @@ namespace mongo {
 const std::string& clusterpwd,
 const std::string& cafile = "",
 const std::string& crlfile = "",
+ const std::string& cipherConfig = "",
 bool weakCertificateValidation = false,
 bool allowInvalidCertificates = false,
 bool allowInvalidHostnames = false,
@@ -170,6 +171,7 @@ namespace mongo {
 clusterpwd(clusterpwd),
 cafile(cafile),
 crlfile(crlfile),
+ cipherConfig(cipherConfig),
 weakCertificateValidation(weakCertificateValidation),
 allowInvalidCertificates(allowInvalidCertificates),
 allowInvalidHostnames(allowInvalidHostnames),
@@ -181,6 +183,7 @@ namespace mongo {
 std::string clusterpwd;
 std::string cafile;
 std::string crlfile;
+ std::string cipherConfig;
 bool weakCertificateValidation;
 bool allowInvalidCertificates;
 bool allowInvalidHostnames;
@@ -328,6 +331,7 @@ namespace mongo {
 sslGlobalParams.sslClusterPassword,
 sslGlobalParams.sslCAFile,
 sslGlobalParams.sslCRLFile,
+ sslGlobalParams.sslCipherConfig,
 sslGlobalParams.sslWeakCertificateValidation,
 sslGlobalParams.sslAllowInvalidCertificates,
 sslGlobalParams.sslAllowInvalidHostnames,
@@ -589,7 +593,16 @@ namespace mongo {
 // !EXPORT - Disable export ciphers (40/56 bit)
 // !aNULL - Disable anonymous auth ciphers
 // @STRENGTH - Sort ciphers based on strength
- SSL_CTX_set_cipher_list(*context, "HIGH:!EXPORT:!aNULL@STRENGTH");
+ std::string cipherConfig = "HIGH:!EXPORT:!aNULL@STRENGTH";
+
+ // Allow the cipher configuration string to be overriden by --sslCipherConfig
+ if (!params.cipherConfig.empty()) {
+ cipherConfig = params.cipherConfig;
+ }
+
+ massert(28615, mongoutils::str::stream() << "can't set supported cipher suites: " <<
+ getSSLErrorMessage(ERR_get_error()),
+ SSL_CTX_set_cipher_list(*context, cipherConfig.c_str()));
 
 // If renegotiation is needed, don't return from recv() or send() until it's successful.
 // Note: this is for blocking sockets only.
diff --git a/src/mongo/util/net/ssl_options.cpp b/src/mongo/util/net/ssl_options.cpp
index c6e33a8a32a..c4ff4f2c48c 100644
--- a/src/mongo/util/net/ssl_options.cpp
+++ b/src/mongo/util/net/ssl_options.cpp
@@ -71,6 +71,10 @@ namespace mongo {
 options->addOptionChaining("net.ssl.CRLFile", "sslCRLFile", moe::String, "Certificate Revocation List file for SSL");
 
+ options->addOptionChaining("net.ssl.sslCipherConfig", "sslCipherConfig", moe::String,
+ "OpenSSL cipher configuration string")
+ .hidden();
+
 options->addOptionChaining("net.ssl.weakCertificateValidation", "sslWeakCertificateValidation", moe::Switch, "allow client to connect without " "presenting a certificate");
@@ -229,6 +233,10 @@ namespace mongo {
 params["net.ssl.CRLFile"].as<std::string>()).generic_string();
 }
 
+ if (params.count("net.ssl.sslCipherConfig")) {
+ sslGlobalParams.sslCipherConfig = params["net.ssl.sslCipherConfig"].as<string>();
+ }
+
 if (params.count("net.ssl.weakCertificateValidation")) {
 sslGlobalParams.sslWeakCertificateValidation = params["net.ssl.weakCertificateValidation"].as<bool>();
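Review bot: The override in the new `if (!params.cipherConfig.empty())` branch replaces the baseline rather than amending it, so the `!EXPORT` and `!aNULL` exclusions described in the comments just above are silently dropped whenever `--sslCipherConfig` is set, and because `SSL_CTX_set_cipher_list` reports failure only when no cipher at all matches, a partially mistyped override still passes the `massert`. Logging the effective cipher string at startup when an override is in use would let operators audit what the server actually negotiates, and the option's help text should say the value replaces the built-in default rather than extending it. The added comment also has a typo; it should read `// Allow the cipher configuration string to be overridden by --sslCipherConfig`. The enclosing function starts and ends outside the hunk.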
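Review bot: The new option key `"net.ssl.sslCipherConfig"` repeats the `ssl` prefix, unlike the sibling keys in this hunk (`"net.ssl.CRLFile"`, `"net.ssl.weakCertificateValidation"`), which map `--sslX` to `net.ssl.X`; `"net.ssl.cipherConfig"` would follow the existing pattern, and the same key is read back in the next hunk, which would need the matching change. That next hunk also writes `.as<string>()` where the neighbouring reads spell it `.as<std::string>()`. Since the option is registered `.hidden()`, the help string is the only documentation a reader gets; stating that the value is handed to OpenSSL verbatim and replaces the built-in cipher list would make its effect clear.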
@@ -281,6 +289,7 @@ namespace mongo {
 sslGlobalParams.sslClusterPassword.size() ||
 sslGlobalParams.sslCAFile.size() ||
 sslGlobalParams.sslCRLFile.size() ||
+ sslGlobalParams.sslCipherConfig.size() ||
 sslGlobalParams.sslWeakCertificateValidation ||
 sslGlobalParams.sslFIPSMode) {
 return Status(ErrorCodes::BadValue,
diff --git a/src/mongo/util/net/ssl_options.h b/src/mongo/util/net/ssl_options.h
index 78ee2b899bf..bc4f2dbbad4 100644
--- a/src/mongo/util/net/ssl_options.h
+++ b/src/mongo/util/net/ssl_options.h
@@ -49,6 +49,7 @@ namespace mongo {
 std::string sslClusterPassword; // --sslInternalKeyPassword
 std::string sslCAFile; // --sslCAFile
 std::string sslCRLFile; // --sslCRLFile
+ std::string sslCipherConfig; // --sslCipherConfig
 bool sslWeakCertificateValidation; // --sslWeakCertificateValidation
 bool sslFIPSMode; // --sslFIPSMode
 bool sslAllowInvalidCertificates; // --sslAllowInvalidCertificates |