rgw: set default ssl options for beast frontend

to 'no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1'

Signed-off-by: Mykola Golub <mgolub@suse.com>
(cherry picked from commit fb31c87c2d6c02563d2d2a1e63d5b62bea2c6f91)

diff --git a/PendingReleaseNotes b/PendingReleaseNotes
index 4d443bc47d2e30df1f39fb7a88006a6000a18172..b1e6d2ede865aca5663719864366bbf15ea66a7d 100644 (file)
--- a/PendingReleaseNotes
+++ b/PendingReleaseNotes
@@ -9,6 +9,11 @@
   that were storing state in RADOS omap, especially without striping which
   limits scalability.
 
+* RGW: It is possible to specify ssl options and ciphers for beast frontend now.
+  The default ssl options setting is "no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1".
+  If you want to return back the old behavior add 'ssl_options=' (empty) to
+  ``rgw frontends`` configuration.
+
 >=16.0.0
 --------
 

diff --git a/doc/radosgw/frontends.rst b/doc/radosgw/frontends.rst
index 389572255e893fd1e610174b9fe727f1be4a88cb..be96e77e863245c4fb9eceb18539028935ac21d7 100644 (file)
--- a/doc/radosgw/frontends.rst
+++ b/doc/radosgw/frontends.rst
@@ -85,7 +85,7 @@ Options
               ``single_dh_use`` Always create a new key when using tmp_dh parameters.
 
 :Type: String
-:Default: None
+:Default: ``no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1``
 
 ``ssl_ciphers``
 

diff --git a/src/rgw/rgw_asio_frontend.cc b/src/rgw/rgw_asio_frontend.cc
index d0673a39ab4c4741dc4a7cf67df25fec9d51223d..a265f184856eb4e8955ba893a18863a901e0ad8f 100644 (file)
--- a/src/rgw/rgw_asio_frontend.cc
+++ b/src/rgw/rgw_asio_frontend.cc
@@ -807,7 +807,11 @@ int AsioFrontend::init_ssl()
       lderr(ctx()) << "no ssl_certificate configured for ssl_options" << dendl;
       return -EINVAL;
     }
+  } else if (cert) {
+    options = "no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1";
+  }
 
+  if (options) {
     for (auto &option : ceph::split(*options, ":")) {
       if (option == "default_workarounds") {
         ssl_context->set_options(ssl::context::default_workarounds);