The existing ssl_ciphers option is passed to `SSL_CTX_set_cipher_list()`,
which only applies to "TLSv1.2 and below". There's a separate
`SSL_CTX_set_ciphersuites()` for TLSv1.3.
Because the frontend's default configuration for `ssl_options` accepts
both 1.2 and 1.3, users may need to specify ciphers for each. That's why
`ssl_ciphersuites` is introduced as a separate option.
Fixes: https://tracker.ceph.com/issues/76578
Signed-off-by: Casey Bodley <cbodley@redhat.com>
:Type: String
:Default: ``no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1``
-``ssl_ciphers``
+``ssl_ciphers`` and ``ssl_ciphersuites``
:Description: Optional list of one or more cipher strings separated by colons.
The format of the string is described in OpenSSL's ciphers(1)
- manual.
+ manual. The ``ssl_ciphers`` option only applies to connections
+ using TLS v1.2 and below, while ``ssl_ciphersuites`` only applies
+ to TLS v1.3.
:Type: String
:Default: None
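Review bot: the shared description still says the string format is the ciphers(1) cipher-string syntax, but `SSL_CTX_set_ciphersuites()` only accepts a colon-separated list of explicit TLSv1.3 suite names (for example `TLS_AES_256_GCM_SHA384`) in preference order; keyword and operator syntax such as `HIGH`, `!aNULL` or `+` is not valid for it. Suggest saying so in the added sentence, e.g. "``ssl_ciphersuites`` is a colon-separated list of TLS v1.3 ciphersuite names", so an operator does not copy an ``ssl_ciphers`` value into the new option and have the frontend refuse to start with the "no cipher could be selected" error.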
}
}
+ std::optional<string> ciphersuites = conf->get_val("ssl_ciphersuites");
+ if (ciphersuites) {
+ if (!cert) {
+ lderr(ctx()) << "no ssl_certificate configured for ssl_ciphersuites" << dendl;
+ return -EINVAL;
+ }
+
+ int r = SSL_CTX_set_ciphersuites(ssl_ctx->native_handle(), ciphersuites->c_str());
+ if (r == 0) {
+ lderr(ctx()) << "no cipher could be selected from ssl_ciphersuites: "
+ << *ciphersuites << dendl;
+ return -EINVAL;
+ }
+ }
+
std::optional<std::string> groups = conf->get_val("tls_groups");
if (groups) {
if (!cert) {
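Review bot: `std::optional<string> ciphersuites` at the top of the hunk should be `std::optional<std::string>` to match the `tls_groups` handling directly below it (`std::optional<std::string> groups = ...`) instead of relying on a `using` directive being in scope. Also, when `SSL_CTX_set_ciphersuites()` returns 0 the only diagnostic logged is the configured string; appending the OpenSSL error queue to the `lderr` line, e.g. `<< ": " << ERR_reason_error_string(ERR_get_error())`, would show the operator which entry was rejected, which is useful here because this option takes explicit TLSv1.3 suite names rather than the cipher-string syntax `ssl_ciphers` users are used to.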