authorSpencer Jackson <spencer.jackson@mongodb.com>2015-03-11 14:09:55 -0400
committerRamon Fernandez <ramon.fernandez@mongodb.com>2015-04-17 11:35:52 -0400
commit4975cdb4ce711e18d16f737dabb1bac488b3456e (patch)
tree921b1891fe63d0ef09ef915af8fab162221b0194
parentcbdaff1efd3c0ba1450da45cf7ac0c6dabf62518 (diff)
SERVER-16073: Allow overrides to OpenSSL ciphers
(cherry picked from commit 83ae47b5780cddca30fd09b40fa4d897895a595f)
-rw-r--r--src/mongo/util/net/ssl_manager.cpp15
-rw-r--r--src/mongo/util/net/ssl_options.cpp9
-rw-r--r--src/mongo/util/net/ssl_options.h1
3 files changed, 24 insertions, 1 deletions
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index 7ec08da0725..af8bf305d91 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -160,6 +160,7 @@ namespace mongo {
const std::string& clusterpwd,
const std::string& cafile = "",
const std::string& crlfile = "",
+ const std::string& cipherConfig = "",
bool weakCertificateValidation = false,
bool allowInvalidCertificates = false,
bool allowInvalidHostnames = false,
@@ -170,6 +171,7 @@ namespace mongo {
clusterpwd(clusterpwd),
cafile(cafile),
crlfile(crlfile),
+ cipherConfig(cipherConfig),
weakCertificateValidation(weakCertificateValidation),
allowInvalidCertificates(allowInvalidCertificates),
allowInvalidHostnames(allowInvalidHostnames),
@@ -181,6 +183,7 @@ namespace mongo {
std::string clusterpwd;
std::string cafile;
std::string crlfile;
+ std::string cipherConfig;
bool weakCertificateValidation;
bool allowInvalidCertificates;
bool allowInvalidHostnames;
@@ -328,6 +331,7 @@ namespace mongo {
sslGlobalParams.sslClusterPassword,
sslGlobalParams.sslCAFile,
sslGlobalParams.sslCRLFile,
+ sslGlobalParams.sslCipherConfig,
sslGlobalParams.sslWeakCertificateValidation,
sslGlobalParams.sslAllowInvalidCertificates,
sslGlobalParams.sslAllowInvalidHostnames,
@@ -589,7 +593,16 @@ namespace mongo {
// !EXPORT - Disable export ciphers (40/56 bit)
// !aNULL - Disable anonymous auth ciphers
// @STRENGTH - Sort ciphers based on strength
- SSL_CTX_set_cipher_list(*context, "HIGH:!EXPORT:!aNULL@STRENGTH");
+ std::string cipherConfig = "HIGH:!EXPORT:!aNULL@STRENGTH";
+
+ // Allow the cipher configuration string to be overriden by --sslCipherConfig
+ if (!params.cipherConfig.empty()) {
+ cipherConfig = params.cipherConfig;
+ }
+
+ massert(28615, mongoutils::str::stream() << "can't set supported cipher suites: " <<
+ getSSLErrorMessage(ERR_get_error()),
+ SSL_CTX_set_cipher_list(*context, cipherConfig.c_str()));
// If renegotiation is needed, don't return from recv() or send() until it's successful.
// Note: this is for blocking sockets only.
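Review bot: The override in the `if (!params.cipherConfig.empty())` branch replaces the hardened default wholesale, so a configured string loses the `!EXPORT`/`!aNULL` exclusions rather than narrowing them, and the new massert only catches the case where OpenSSL can select no cipher at all — SSL_CTX_set_cipher_list returns success as long as at least one token in the list matches, so a partly mistyped list is accepted silently. Since this is meant as an operator override, make the effective policy visible: log the cipher string actually handed to SSL_CTX_set_cipher_list when params.cipherConfig is non-empty, and put a comment above the assignment such as `// An override replaces the default list entirely; no minimum-strength floor is applied here.` so the next reader does not assume the exclusions still hold. The enclosing function starts and ends outside this hunk.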
diff --git a/src/mongo/util/net/ssl_options.cpp b/src/mongo/util/net/ssl_options.cpp
index c6e33a8a32a..c4ff4f2c48c 100644
--- a/src/mongo/util/net/ssl_options.cpp
+++ b/src/mongo/util/net/ssl_options.cpp
@@ -71,6 +71,10 @@ namespace mongo {
options->addOptionChaining("net.ssl.CRLFile", "sslCRLFile", moe::String,
"Certificate Revocation List file for SSL");
+ options->addOptionChaining("net.ssl.sslCipherConfig", "sslCipherConfig", moe::String,
+ "OpenSSL cipher configuration string")
+ .hidden();
+
options->addOptionChaining("net.ssl.weakCertificateValidation",
"sslWeakCertificateValidation", moe::Switch, "allow client to connect without "
"presenting a certificate");
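Review bot: The new configuration key `net.ssl.sslCipherConfig` repeats the `ssl` prefix, while every neighbouring key in this block (`net.ssl.CRLFile`, `net.ssl.weakCertificateValidation`) omits it; the same key is read again in the `@@ -229,6 +233,10 @@` hunk of this file, so unless the name has already shipped, `net.ssl.cipherConfig` would match the existing convention and should be changed in both places together. The help text `"OpenSSL cipher configuration string"` also does not say that the value replaces the built-in list rather than extending it, and because the option is `.hidden()` that text is the only hint an operator gets, so `"OpenSSL cipher configuration string (replaces the default cipher list)"` would be clearer.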
@@ -229,6 +233,10 @@ namespace mongo {
params["net.ssl.CRLFile"].as<std::string>()).generic_string();
}
+ if (params.count("net.ssl.sslCipherConfig")) {
+ sslGlobalParams.sslCipherConfig = params["net.ssl.sslCipherConfig"].as<string>();
+ }
+
if (params.count("net.ssl.weakCertificateValidation")) {
sslGlobalParams.sslWeakCertificateValidation =
params["net.ssl.weakCertificateValidation"].as<bool>();
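Review bot: `as<string>()` on the new assignment is the only unqualified use in this block; the CRLFile branch just above uses `as<std::string>()`. For consistency with the surrounding code: `sslGlobalParams.sslCipherConfig = params["net.ssl.sslCipherConfig"].as<std::string>();`. The enclosing function starts and ends outside this hunk.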
@@ -281,6 +289,7 @@ namespace mongo {
sslGlobalParams.sslClusterPassword.size() ||
sslGlobalParams.sslCAFile.size() ||
sslGlobalParams.sslCRLFile.size() ||
+ sslGlobalParams.sslCipherConfig.size() ||
sslGlobalParams.sslWeakCertificateValidation ||
sslGlobalParams.sslFIPSMode) {
return Status(ErrorCodes::BadValue,
diff --git a/src/mongo/util/net/ssl_options.h b/src/mongo/util/net/ssl_options.h
index 78ee2b899bf..bc4f2dbbad4 100644
--- a/src/mongo/util/net/ssl_options.h
+++ b/src/mongo/util/net/ssl_options.h
@@ -49,6 +49,7 @@ namespace mongo {
std::string sslClusterPassword; // --sslInternalKeyPassword
std::string sslCAFile; // --sslCAFile
std::string sslCRLFile; // --sslCRLFile
+ std::string sslCipherConfig; // --sslCipherConfig
bool sslWeakCertificateValidation; // --sslWeakCertificateValidation
bool sslFIPSMode; // --sslFIPSMode
bool sslAllowInvalidCertificates; // --sslAllowInvalidCertificates