diff options
author | Spencer Jackson <spencer.jackson@mongodb.com> | 2017-06-21 13:56:22 -0400 |
---|---|---|
committer | Spencer Jackson <spencer.jackson@mongodb.com> | 2017-06-28 16:47:48 -0400 |
commit | b964786f0ce519caf214f4c321d2a2abf9580365 (patch) | |
tree | 8b4b5665daa7d4f0d58d503f7002e055f0bdb439 /src/mongo/util/net/ssl_manager.cpp | |
parent | 027b1151c78288f31e29f4b59dc41c9ed935fa79 (diff) | |
download | mongo-b964786f0ce519caf214f4c321d2a2abf9580365.tar.gz |
SERVER-29568: Create opensslCipherConfig setParameter
Diffstat (limited to 'src/mongo/util/net/ssl_manager.cpp')
-rw-r--r-- | src/mongo/util/net/ssl_manager.cpp | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp index 96feccc4a7d..b0d762375bc 100644 --- a/src/mongo/util/net/ssl_manager.cpp +++ b/src/mongo/util/net/ssl_manager.cpp @@ -103,6 +103,31 @@ ExportedServerParameter<bool, ServerParameterType::kStartupOnly> "disableNonSSLConnectionLogging", &sslGlobalParams.disableNonSSLConnectionLogging); +class OpenSSLCipherConfigParameter + : public ExportedServerParameter<std::string, ServerParameterType::kStartupOnly> { +public: + OpenSSLCipherConfigParameter() + : ExportedServerParameter<std::string, ServerParameterType::kStartupOnly>( + ServerParameterSet::getGlobal(), + "opensslCipherConfig", + &sslGlobalParams.sslCipherConfig) {} + Status validate(const std::string& potentialNewValue) final { + if (!sslGlobalParams.sslCipherConfig.empty()) { + return Status( + ErrorCodes::BadValue, + "opensslCipherConfig setParameter is incompatible with net.ssl.sslCipherConfig"); + } + // Note that there is very little validation that we can do here. + // OpenSSL exposes no API to validate a cipher config string. The only way to figure out + // what a string maps to is to make an SSL_CTX object, set the string on it, then parse the + // resulting STACK_OF object. If provided an invalid entry in the string, it will silently + // ignore it. Because an entry in the string may map to multiple ciphers, or remove ciphers + // from the final set produced by the full string, we can't tell if any entry failed + // to parse. + return Status::OK(); + } +} openSSLCipherConfig; + #ifdef MONGO_CONFIG_SSL // Old copies of OpenSSL will not have constants to disable protocols they don't support. // Define them to values we can OR together safely to generically disable these protocols across |