author | Spencer Jackson <spencer.jackson@mongodb.com> | 2017-06-21 13:56:22 -0400 |
---|---|---|
committer | Spencer Jackson <spencer.jackson@mongodb.com> | 2017-07-11 16:20:07 -0400 |
commit | b0083723ef4cff9918b151121926eb5e2d26f0cb (patch) | |
tree | 4fae8f199e19bc6d1f6e72a0b305ebdd502fb150 | |
parent | 764b75a48f57c84ea8c0b867b3128e1d8760086a (diff) | |
download | mongo-b0083723ef4cff9918b151121926eb5e2d26f0cb.tar.gz |
SERVER-29568: Create opensslCipherConfig setParameter
(cherry picked from commit b964786f0ce519caf214f4c321d2a2abf9580365)
-rw-r--r-- | src/mongo/util/net/ssl_manager.cpp | 25 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_options.cpp | 7 |
2 files changed, 32 insertions, 0 deletions
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index 817288ffb0f..9dd51e46fb9 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -88,6 +88,31 @@ ExportedServerParameter<bool, ServerParameterType::kStartupOnly>
 "disableNonSSLConnectionLogging",
 &sslGlobalParams.disableNonSSLConnectionLogging);
+class OpenSSLCipherConfigParameter
+ : public ExportedServerParameter<std::string, ServerParameterType::kStartupOnly> {
+public:
+ OpenSSLCipherConfigParameter()
+ : ExportedServerParameter<std::string, ServerParameterType::kStartupOnly>(
+ ServerParameterSet::getGlobal(),
+ "opensslCipherConfig",
+ &sslGlobalParams.sslCipherConfig) {}
+ Status validate(const std::string& potentialNewValue) final {
+ if (!sslGlobalParams.sslCipherConfig.empty()) {
+ return Status(
+ ErrorCodes::BadValue,
+ "opensslCipherConfig setParameter is incompatible with net.ssl.sslCipherConfig");
+ }
+ // Note that there is very little validation that we can do here.
+ // OpenSSL exposes no API to validate a cipher config string. The only way to figure out
+ what a string maps to is to make an SSL_CTX object, set the string on it, then parse the
+ resulting STACK_OF object. If provided an invalid entry in the string, it will silently
+ ignore it. Because an entry in the string may map to multiple ciphers, or remove ciphers
+ from the final set produced by the full string, we can't tell if any entry failed
+ to parse.
+ return Status::OK();
+ }
+} openSSLCipherConfig;
+
 #ifdef MONGO_CONFIG_SSL
 // Old copies of OpenSSL will not have constants to disable protocols they don't support.
 // Define them to values we can OR together safely to generically disable these protocols across
diff --git a/src/mongo/util/net/ssl_options.cpp b/src/mongo/util/net/ssl_options.cpp
index 2d29e4704f2..a29b2d1805c 100644
--- a/src/mongo/util/net/ssl_options.cpp
+++ b/src/mongo/util/net/ssl_options.cpp
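Review bot: The conflict check in `validate` fires only when `sslGlobalParams.sslCipherConfig` is already non-empty, so it catches `net.ssl.sslCipherConfig` only if that option was stored before startup setParameters are applied, and the mirror check in ssl_options.cpp is what covers the reverse order; nothing in the hunk states this coupling. Because the parameter writes to that same field, it also appears (inferred, not visible here) that applying the setParameter a second time would be rejected with a message blaming `net.ssl.sslCipherConfig`, which would mislead an operator. A comment on the `if` such as `// Non-empty here means net.ssl.sslCipherConfig was stored first; ssl_options.cpp rejects the reverse order.` would make the invariant explicit. Since, as the comment explains, an unrecognised entry in the string is silently dropped by OpenSSL, a typo that weakens the cipher list goes unnoticed; logging the effective cipher list when the SSL_CTX is built (outside this hunk) would give operators a way to verify what was actually negotiated.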
@@ -257,6 +257,13 @@ Status storeSSLServerOptions(const moe::Environment& params) {
 }
 if (params.count("net.ssl.sslCipherConfig")) {
+ warning()
+ << "net.ssl.sslCipherConfig is deprecated. It will be removed in a future release.";
+ if (!sslGlobalParams.sslCipherConfig.empty()) {
+ return Status(ErrorCodes::BadValue,
+ "net.ssl.sslCipherConfig is incompatible with the openSSLCipherConfig "
+ "setParameter");
+ }
 sslGlobalParams.sslCipherConfig = params["net.ssl.sslCipherConfig"].as<string>();
 }
|
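Review bot: The error string in the added `return Status(...)` names the parameter `openSSLCipherConfig`, but the setParameter registered in ssl_manager.cpp by this same commit is `"opensslCipherConfig"` (all lowercase), so an operator who copies the name from the message will not find a parameter by it; change the literal to `"net.ssl.sslCipherConfig is incompatible with the opensslCipherConfig "`. The deprecation warning is emitted before the conflict check, so a startup that is then rejected still logs it; that is harmless but worth a one-line comment if intentional. storeSSLServerOptions begins before this hunk.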