summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSpencer Jackson <spencer.jackson@mongodb.com>2015-03-11 14:09:55 -0400
committerSpencer Jackson <spencer.jackson@mongodb.com>2015-03-13 15:56:27 -0400
commit83ae47b5780cddca30fd09b40fa4d897895a595f (patch)
tree67d68335c14c8dbf66094461f13786d32dfb8584
parent4d7b131c5454bf56fd494b1a3537eeb5e221a027 (diff)
downloadmongo-83ae47b5780cddca30fd09b40fa4d897895a595f.tar.gz
SERVER-16073: Allow overrides to OpenSSL ciphers
-rw-r--r--src/mongo/util/net/ssl_manager.cpp15
-rw-r--r--src/mongo/util/net/ssl_options.cpp9
-rw-r--r--src/mongo/util/net/ssl_options.h1
3 files changed, 24 insertions, 1 deletions
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index cec95e4ee51..ba3cdcf1b89 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -160,6 +160,7 @@ namespace mongo {
const std::string& clusterpwd,
const std::string& cafile = "",
const std::string& crlfile = "",
+ const std::string& cipherConfig = "",
bool weakCertificateValidation = false,
bool allowInvalidCertificates = false,
bool allowInvalidHostnames = false,
@@ -170,6 +171,7 @@ namespace mongo {
clusterpwd(clusterpwd),
cafile(cafile),
crlfile(crlfile),
+ cipherConfig(cipherConfig),
weakCertificateValidation(weakCertificateValidation),
allowInvalidCertificates(allowInvalidCertificates),
allowInvalidHostnames(allowInvalidHostnames),
@@ -181,6 +183,7 @@ namespace mongo {
std::string clusterpwd;
std::string cafile;
std::string crlfile;
+ std::string cipherConfig;
bool weakCertificateValidation;
bool allowInvalidCertificates;
bool allowInvalidHostnames;
@@ -328,6 +331,7 @@ namespace mongo {
sslGlobalParams.sslClusterPassword,
sslGlobalParams.sslCAFile,
sslGlobalParams.sslCRLFile,
+ sslGlobalParams.sslCipherConfig,
sslGlobalParams.sslWeakCertificateValidation,
sslGlobalParams.sslAllowInvalidCertificates,
sslGlobalParams.sslAllowInvalidHostnames,
@@ -589,7 +593,16 @@ namespace mongo {
// !EXPORT - Disable export ciphers (40/56 bit)
// !aNULL - Disable anonymous auth ciphers
// @STRENGTH - Sort ciphers based on strength
- SSL_CTX_set_cipher_list(*context, "HIGH:!EXPORT:!aNULL@STRENGTH");
+ std::string cipherConfig = "HIGH:!EXPORT:!aNULL@STRENGTH";
+
+ // Allow the cipher configuration string to be overriden by --sslCipherConfig
+ if (!params.cipherConfig.empty()) {
+ cipherConfig = params.cipherConfig;
+ }
+
+ massert(28615, mongoutils::str::stream() << "can't set supported cipher suites: " <<
+ getSSLErrorMessage(ERR_get_error()),
+ SSL_CTX_set_cipher_list(*context, cipherConfig.c_str()));
// If renegotiation is needed, don't return from recv() or send() until it's successful.
// Note: this is for blocking sockets only.
diff --git a/src/mongo/util/net/ssl_options.cpp b/src/mongo/util/net/ssl_options.cpp
index c6e33a8a32a..c4ff4f2c48c 100644
--- a/src/mongo/util/net/ssl_options.cpp
+++ b/src/mongo/util/net/ssl_options.cpp
@@ -71,6 +71,10 @@ namespace mongo {
options->addOptionChaining("net.ssl.CRLFile", "sslCRLFile", moe::String,
"Certificate Revocation List file for SSL");
+ options->addOptionChaining("net.ssl.sslCipherConfig", "sslCipherConfig", moe::String,
+ "OpenSSL cipher configuration string")
+ .hidden();
+
options->addOptionChaining("net.ssl.weakCertificateValidation",
"sslWeakCertificateValidation", moe::Switch, "allow client to connect without "
"presenting a certificate");
@@ -229,6 +233,10 @@ namespace mongo {
params["net.ssl.CRLFile"].as<std::string>()).generic_string();
}
+ if (params.count("net.ssl.sslCipherConfig")) {
+ sslGlobalParams.sslCipherConfig = params["net.ssl.sslCipherConfig"].as<string>();
+ }
+
if (params.count("net.ssl.weakCertificateValidation")) {
sslGlobalParams.sslWeakCertificateValidation =
params["net.ssl.weakCertificateValidation"].as<bool>();
@@ -281,6 +289,7 @@ namespace mongo {
sslGlobalParams.sslClusterPassword.size() ||
sslGlobalParams.sslCAFile.size() ||
sslGlobalParams.sslCRLFile.size() ||
+ sslGlobalParams.sslCipherConfig.size() ||
sslGlobalParams.sslWeakCertificateValidation ||
sslGlobalParams.sslFIPSMode) {
return Status(ErrorCodes::BadValue,
diff --git a/src/mongo/util/net/ssl_options.h b/src/mongo/util/net/ssl_options.h
index 78ee2b899bf..bc4f2dbbad4 100644
--- a/src/mongo/util/net/ssl_options.h
+++ b/src/mongo/util/net/ssl_options.h
@@ -49,6 +49,7 @@ namespace mongo {
std::string sslClusterPassword; // --sslInternalKeyPassword
std::string sslCAFile; // --sslCAFile
std::string sslCRLFile; // --sslCRLFile
+ std::string sslCipherConfig; // --sslCipherConfig
bool sslWeakCertificateValidation; // --sslWeakCertificateValidation
bool sslFIPSMode; // --sslFIPSMode
bool sslAllowInvalidCertificates; // --sslAllowInvalidCertificates