From b964786f0ce519caf214f4c321d2a2abf9580365 Mon Sep 17 00:00:00 2001
From: Spencer Jackson
Date: Wed, 21 Jun 2017 13:56:22 -0400
Subject: SERVER-29568: Create opensslCipherConfig setParameter

---
 src/mongo/util/net/ssl_manager.cpp | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
(limited to 'src/mongo/util/net/ssl_manager.cpp')

diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index 96feccc4a7d..b0d762375bc 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -103,6 +103,31 @@ ExportedServerParameter
 "disableNonSSLConnectionLogging", &sslGlobalParams.disableNonSSLConnectionLogging);
+class OpenSSLCipherConfigParameter
+ : public ExportedServerParameter {
+public:
+ OpenSSLCipherConfigParameter()
+ : ExportedServerParameter(
+ ServerParameterSet::getGlobal(),
+ "opensslCipherConfig",
+ &sslGlobalParams.sslCipherConfig) {}
+ Status validate(const std::string& potentialNewValue) final {
+ if (!sslGlobalParams.sslCipherConfig.empty()) {
+ return Status(
+ ErrorCodes::BadValue,
+ "opensslCipherConfig setParameter is incompatible with net.ssl.sslCipherConfig");
+ }
+ // Note that there is very little validation that we can do here.
+ // OpenSSL exposes no API to validate a cipher config string. The only way to figure out
+ // what a string maps to is to make an SSL_CTX object, set the string on it, then parse the
+ // resulting STACK_OF object. If provided an invalid entry in the string, it will silently
+ // ignore it. Because an entry in the string may map to multiple ciphers, or remove ciphers
+ // from the final set produced by the full string, we can't tell if any entry failed
+ // to parse.
+ return Status::OK();
+ }
+} openSSLCipherConfig;
+
 #ifdef MONGO_CONFIG_SSL
 // Old copies of OpenSSL will not have constants to disable protocols they don't support.
 // Define them to values we can OR together safely to generically disable these protocols across
-- 
cgit v1.2.1
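Review bot: `validate` never looks at `potentialNewValue`; it only tests `sslGlobalParams.sslCipherConfig.empty()`, which is the very field this parameter stores into, so once the parameter has been set successfully (or the option came from the config file) every later attempt is rejected with a message blaming `net.ssl.sslCipherConfig`, which is misleading in the first case. If set-once is the intent, a comment such as `// Rejects any second assignment: the target field is shared with net.ssl.sslCipherConfig` would make that explicit, and the message could name both sources. It would also be cheap to reject an empty `potentialNewValue` here, `if (potentialNewValue.empty()) return Status(ErrorCodes::BadValue, "opensslCipherConfig may not be empty");`, since the block comment itself documents that OpenSSL will silently ignore unknown entries and an unintended weaker cipher set cannot be detected at this point. Given that, logging the cipher list OpenSSL actually selected when the SSL_CTX is built (outside this hunk) is the practical way for operators to confirm the string did what they expected.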