allow frontend config to specify a list of strings for openssl
SSL_CTX_set1_groups_list()
Fixes: https://tracker.ceph.com/issues/75568
Signed-off-by: Casey Bodley <cbodley@redhat.com>
:Type: String
:Default: None
+``tls_groups``
+
+:Description: Optional list of one or more `TLS Group`_ strings separated by colons.
+ The pseudo group name ``DEFAULT`` can be used to select the OpenSSL
+ built-in default list of groups. Other valid group names will depend on
+ OpenSSL version. As of OpenSSL 3.5, names can be listed with commands
+ ``openssl list -tls-groups`` and ``openssl list -all-tls-groups``.
+
+:Type: String
+:Default: None
+
``tcp_nodelay``
:Description: If set the socket option will disable Nagle's algorithm on
:Type: String
:Default: None
+
+.. _TLS Group: https://openssl-library.org/post/2022-10-21-tls-groups-configuration/
}
}
+ std::optional<std::string> groups = conf->get_val("tls_groups");
+ if (groups) {
+ if (!cert) {
+ lderr(ctx()) << "no ssl_certificate configured for tls_groups" << dendl;
+ return -EINVAL;
+ }
+
+ int r = SSL_CTX_set1_groups_list(ssl_ctx->native_handle(), groups->c_str());
+ if (r == 0) {
+ lderr(ctx()) << "openssl rejected tls_groups: " << *groups << dendl;
+ return -EINVAL;
+ }
+ }
+
bool key_is_cert = false;
bool have_cert = false;
if (cert) {
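Review bot: The failure branch at `if (r == 0)` logs only the operator's string, not OpenSSL's reason, and if OpenSSL raised an error for the rejection (it does for unrecognised group names in current releases) that entry stays in the thread's error queue, where a later SSL call on the same thread may report it as its own failure. Drain and report it in the same branch: `char buf[256]; ERR_error_string_n(ERR_get_error(), buf, sizeof(buf));` followed by `lderr(ctx()) << "openssl rejected tls_groups: " << *groups << ": " << buf << dendl;` (needs `<openssl/err.h>`). A short comment above the `SSL_CTX_set1_groups_list` call would also help operators, since the list governs both what the frontend advertises and which client key shares it accepts: `// tls_groups restricts both advertised groups and accepted key shares; a list with no widely-supported group (e.g. X25519/P-256) will fail handshakes from clients that offer none of them`. The enclosing function begins and ends outside the hunk.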