rgw: set default ssl options for beast frontend

to 'no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1'

Signed-off-by: Mykola Golub <mgolub@suse.com>

diff --git a/PendingReleaseNotes b/PendingReleaseNotes
index 4858af5883a3d63a8c829bbc6d7265ac81f61bfc..8181b57c1193efba90b184285a3777734d50ae69 100644 (file)
--- a/PendingReleaseNotes
+++ b/PendingReleaseNotes
@@ -35,6 +35,11 @@
   and eventName values no longer carry the `s3:` prefix, fixing deviations from
   the message format observed on AWS.
 
+* RGW: It is possible to specify ssl options and ciphers for beast frontend now.
+  The default ssl options setting is "no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1".
+  If you want to return back the old behavior add 'ssl_options=' (empty) to
+  ``rgw frontends`` configuration.
+
 >=16.0.0
 --------
 * mgr/nfs: ``nfs`` module is moved out of volumes plugin. Prior using the

diff --git a/doc/radosgw/frontends.rst b/doc/radosgw/frontends.rst
index 59eb130bb90080af27e7a3325d3639973f3eeb63..7e4f3cf00de8c222e36fa419e1db12c1440cbbff 100644 (file)
--- a/doc/radosgw/frontends.rst
+++ b/doc/radosgw/frontends.rst
@@ -85,7 +85,7 @@ Options
               ``single_dh_use`` Always create a new key when using tmp_dh parameters.
 
 :Type: String
-:Default: None
+:Default: ``no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1``
 
 ``ssl_ciphers``
 

diff --git a/src/rgw/rgw_asio_frontend.cc b/src/rgw/rgw_asio_frontend.cc
index 72fa41d7a88fbc1a5273e580f91620874d40d211..5ef28d862aa2db0dc2f5734ce1bfb13998ef756d 100644 (file)
--- a/src/rgw/rgw_asio_frontend.cc
+++ b/src/rgw/rgw_asio_frontend.cc
@@ -809,7 +809,11 @@ int AsioFrontend::init_ssl()
       lderr(ctx()) << "no ssl_certificate configured for ssl_options" << dendl;
       return -EINVAL;
     }
+  } else if (cert) {
+    options = "no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1";
+  }
 
+  if (options) {
     for (auto &option : ceph::split(*options, ":")) {
       if (option == "default_workarounds") {
         ssl_context->set_options(ssl::context::default_workarounds);