From: Mykola Golub Date: Thu, 27 May 2021 16:09:48 +0000 (+0100) Subject: rgw: allow to set ssl options and ciphers for beast frontend X-Git-Tag: v17.1.0~1386^2~1 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=91abede6357d167063c63eade45421d2f17bb0e7;p=ceph.git rgw: allow to set ssl options and ciphers for beast frontend Two new conf keys are added for "beast" framework: - ssl_options: a colon separated list of ssl context options, documented in boost's ssl::context_base; - ssl_ciphers: a colon separated list of ciphers, documented in openssl's ciphers(1) manual. Example: rgw frontends = beast ... ssl_options=default_workarounds:no_tlsv1:no_tlsv1_1 ssl_ciphers=HIGH:!aNULL:!MD5 Fixes: https://tracker.ceph.com/issues/50932 Signed-off-by: Mykola Golub --- diff --git a/doc/radosgw/frontends.rst b/doc/radosgw/frontends.rst index 7deeea29208f..59eb130bb900 100644 --- a/doc/radosgw/frontends.rst +++ b/doc/radosgw/frontends.rst @@ -64,6 +64,38 @@ Options :Type: String :Default: None +``ssl_options`` + +:Description: Optional colon separated list of ssl context options: + + ``default_workarounds`` Implement various bug workarounds. + + ``no_compression`` Disable compression. + + ``no_sslv2`` Disable SSL v2. + + ``no_sslv3`` Disable SSL v3. + + ``no_tlsv1`` Disable TLS v1. + + ``no_tlsv1_1`` Disable TLS v1.1. + + ``no_tlsv1_2`` Disable TLS v1.2. + + ``single_dh_use`` Always create a new key when using tmp_dh parameters. + +:Type: String +:Default: None + +``ssl_ciphers`` + +:Description: Optional list of one or more cipher strings separated by colons. + The format of the string is described in openssl's ciphers(1) + manual. + +:Type: String +:Default: None + ``tcp_nodelay`` :Description: If set the socket option will disable Nagle's algorithm on diff --git a/src/rgw/rgw_asio_frontend.cc b/src/rgw/rgw_asio_frontend.cc index e9f46265a702..72fa41d7a88f 100644 --- a/src/rgw/rgw_asio_frontend.cc +++ b/src/rgw/rgw_asio_frontend.cc @@ -23,6 +23,8 @@ #include #include +#include "common/split.h" + #include "services/svc_config_key.h" #include "services/svc_zone.h" @@ -801,6 +803,52 @@ int AsioFrontend::init_ssl() return -EINVAL; } + std::optional options = conf->get_val("ssl_options"); + if (options) { + if (!cert) { + lderr(ctx()) << "no ssl_certificate configured for ssl_options" << dendl; + return -EINVAL; + } + + for (auto &option : ceph::split(*options, ":")) { + if (option == "default_workarounds") { + ssl_context->set_options(ssl::context::default_workarounds); + } else if (option == "no_compression") { + ssl_context->set_options(ssl::context::no_compression); + } else if (option == "no_sslv2") { + ssl_context->set_options(ssl::context::no_sslv2); + } else if (option == "no_sslv3") { + ssl_context->set_options(ssl::context::no_sslv3); + } else if (option == "no_tlsv1") { + ssl_context->set_options(ssl::context::no_tlsv1); + } else if (option == "no_tlsv1_1") { + ssl_context->set_options(ssl::context::no_tlsv1_1); + } else if (option == "no_tlsv1_2") { + ssl_context->set_options(ssl::context::no_tlsv1_2); + } else if (option == "single_dh_use") { + ssl_context->set_options(ssl::context::single_dh_use); + } else { + lderr(ctx()) << "ignoring unknown ssl option '" << option << "'" << dendl; + } + } + } + + std::optional ciphers = conf->get_val("ssl_ciphers"); + if (ciphers) { + if (!cert) { + lderr(ctx()) << "no ssl_certificate configured for ssl_ciphers" << dendl; + return -EINVAL; + } + + int r = SSL_CTX_set_cipher_list(ssl_context->native_handle(), + ciphers->c_str()); + if (r == 0) { + lderr(ctx()) << "no cipher could be selected from ssl_ciphers: " + << *ciphers << dendl; + return -EINVAL; + } + } + auto ports = config.equal_range("ssl_port"); auto endpoints = config.equal_range("ssl_endpoint");