rgw: set default ssl options for beast frontend

to 'no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1'

Signed-off-by: Mykola Golub <mgolub@suse.com>
(cherry picked from commit fb31c87c2d6c02563d2d2a1e63d5b62bea2c6f91)

Conflicts:
	PendingReleaseNotes (added to 15.2.14 section)

diff --git a/PendingReleaseNotes b/PendingReleaseNotes
index 8d8a16d266800b87fd6d44f76d102ed321f8eb84..3cd108a95b1a768c5a048a3c051505262f84c4ed 100644 (file)
--- a/PendingReleaseNotes
+++ b/PendingReleaseNotes
@@ -1,3 +1,11 @@
+15.2.14
+-------
+
+* RGW: It is possible to specify ssl options and ciphers for beast frontend now.
+  The default ssl options setting is "no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1".
+  If you want to return back the old behavior add 'ssl_options=' (empty) to
+  ``rgw frontends`` configuration.
+
 15.2.11
 -------
 

diff --git a/doc/radosgw/frontends.rst b/doc/radosgw/frontends.rst
index 389572255e893fd1e610174b9fe727f1be4a88cb..be96e77e863245c4fb9eceb18539028935ac21d7 100644 (file)
--- a/doc/radosgw/frontends.rst
+++ b/doc/radosgw/frontends.rst
@@ -85,7 +85,7 @@ Options
               ``single_dh_use`` Always create a new key when using tmp_dh parameters.
 
 :Type: String
-:Default: None
+:Default: ``no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1``
 
 ``ssl_ciphers``
 

diff --git a/src/rgw/rgw_asio_frontend.cc b/src/rgw/rgw_asio_frontend.cc
index 7b2a65a63a1038caff251676ba73db15b1f995a5..a15523f3ac3ead37a0ab50efe176a0e2382d5d6b 100644 (file)
--- a/src/rgw/rgw_asio_frontend.cc
+++ b/src/rgw/rgw_asio_frontend.cc
@@ -780,7 +780,11 @@ int AsioFrontend::init_ssl()
       lderr(ctx()) << "no ssl_certificate configured for ssl_options" << dendl;
       return -EINVAL;
     }
+  } else if (cert) {
+    options = "no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1";
+  }
 
+  if (options) {
     for (auto &option : ceph::split(*options, ":")) {
       if (option == "default_workarounds") {
         ssl_context->set_options(ssl::context::default_workarounds);