From: Casey Bodley Date: Tue, 17 Mar 2026 17:39:06 +0000 (-0400) Subject: rgw/beast: add frontend option 'tls_groups' X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=a9c929055f8bd047dd9d8b4ddadb2006b7b40fcd;p=ceph.git rgw/beast: add frontend option 'tls_groups' allow frontend config to specify a list of strings for openssl SSL_CTX_set1_groups_list() Fixes: https://tracker.ceph.com/issues/75568 Signed-off-by: Casey Bodley
---
diff --git a/doc/radosgw/frontends.rst b/doc/radosgw/frontends.rst
index ac38d427135e..d888ab3f9247 100644
--- a/doc/radosgw/frontends.rst
+++ b/doc/radosgw/frontends.rst
@@ -107,6 +107,17 @@ Options
 :Type: String
 :Default: None
+``tls_groups``
+
+:Description: Optional list of one or more `TLS Group`_ strings separated by colons. The pseudo group name ``DEFAULT`` can be used to select the OpenSSL built-in default list of groups. Other valid group names will depend on OpenSSL version. As of OpenSSL 3.5, names can be listed with commands ``openssl list -tls-groups`` and ``openssl list -all-tls-groups``.
+:Type: String
+:Default: None
+
 ``tcp_nodelay``
 :Description: If set the socket option will disable Nagle's algorithm on
@@ -172,3 +183,5 @@ Some frontend options are generic and supported by all frontends:
 :Type: String
 :Default: None
+
+.. _TLS Group: https://openssl-library.org/post/2022-10-21-tls-groups-configuration/
diff --git a/src/rgw/rgw_asio_frontend.cc b/src/rgw/rgw_asio_frontend.cc
index 4c0ab7f29528..4103c0f53827 100644
--- a/src/rgw/rgw_asio_frontend.cc
+++ b/src/rgw/rgw_asio_frontend.cc
@@ -1072,6 +1072,20 @@ int AsioFrontend::ssl_reload() {
     }
   }
+  std::optional groups = conf->get_val("tls_groups");
+  if (groups) {
+    if (!cert) {
+      lderr(ctx()) << "no ssl_certificate configured for tls_groups" << dendl;
+      return -EINVAL;
+    }
+
+    int r = SSL_CTX_set1_groups_list(ssl_ctx->native_handle(), groups->c_str());
+    if (r == 0) {
+      lderr(ctx()) << "openssl rejected tls_groups: " << *groups << dendl;
+      return -EINVAL;
+    }
+  }
+
   bool key_is_cert = false;
   bool have_cert = false;
   if (cert) {
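Review bot: In the `if (r == 0)` branch the log line only echoes the configured string and discards the reason OpenSSL queued for the failure, so an operator cannot tell which group name (or which OpenSSL build) rejected the list; append the queued reason to the message via `ERR_get_error()` and `ERR_reason_error_string()` (guarding the NULL the latter can return, and confirming `<openssl/err.h>` is included further up the file) before returning `-EINVAL`. The call to `ssl_ctx->native_handle()` assumes `ssl_ctx` was already constructed whenever `cert` is set; that construction lies outside the hunk, so the `!cert` guard is the only visible check keeping this off an empty context, and the ordering should be confirmed if the context is built later in `ssl_reload()`. The value is handed to OpenSSL unmodified and validated only there, which is worth stating for the next reader, e.g. `// passed through to OpenSSL unchanged; it alone validates the names, and a narrow list limits what clients can negotiate`. The body of ssl_reload() begins and ends outside the hunk.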