From: Casey Bodley Date: Fri, 15 May 2026 14:40:50 +0000 (-0400) Subject: rgw/beast: add ssl_ciphersuites option for tls 1.3 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=c62f537f2c99513ef04595c748d392e9da36a7fd;p=ceph.git rgw/beast: add ssl_ciphersuites option for tls 1.3 the existing ssl_ciphers option is passed to `SSL_CTX_set_cipher_list()` which only applies to "TLSv1.2 and below". there's a separate `SSL_CTX_set_ciphersuites()` for TLSv1.3 because the frontend's default configuration for `ssl_options` accepts both 1.2 and 1.3, users may need to specify ciphers for each. that's why `ssl_ciphersuites` is introduced as a separate option Fixes: https://tracker.ceph.com/issues/76578 Signed-off-by: Casey Bodley
---
diff --git a/doc/radosgw/frontends.rst b/doc/radosgw/frontends.rst
index d888ab3f924..686f1af0cc9 100644
--- a/doc/radosgw/frontends.rst
+++ b/doc/radosgw/frontends.rst
@@ -98,11 +98,13 @@ Options :Type: String :Default: ``no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1``
-``ssl_ciphers``
+``ssl_ciphers`` and ``ssl_ciphersuites`` :Description: Optional list of one or more cipher strings separated by colons. The format of the string is described in OpenSSL's ciphers(1)
- manual.
+ manual. The ``ssl_ciphers`` option only applies to connections
+ using TLS v1.2 and below, while ``ssl_ciphersuites`` only applies
+ to TLS v1.3.
 :Type: String :Default: None
diff --git a/src/rgw/rgw_asio_frontend.cc b/src/rgw/rgw_asio_frontend.cc
index caa77eedbad..694eb88c544 100644
--- a/src/rgw/rgw_asio_frontend.cc
+++ b/src/rgw/rgw_asio_frontend.cc
@@ -1072,6 +1072,21 @@ int AsioFrontend::ssl_reload() { } }
+ std::optional ciphersuites = conf->get_val("ssl_ciphersuites");
+ if (ciphersuites) {
+ if (!cert) {
+ lderr(ctx()) << "no ssl_certificate configured for ssl_ciphersuites" << dendl;
+ return -EINVAL;
+ }
+
+ int r = SSL_CTX_set_ciphersuites(ssl_ctx->native_handle(), ciphersuites->c_str());
+ if (r == 0) {
+ lderr(ctx()) << "no cipher could be selected from ssl_ciphersuites: "
+ << *ciphersuites << dendl;
+ return -EINVAL;
+ }
+ }
+
 std::optional groups = conf->get_val("tls_groups");
 if (groups) {
 if (!cert) {
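Review bot: The `r == 0` check after the new `SSL_CTX_set_ciphersuites()` call does not catch an empty `ssl_ciphersuites` value: OpenSSL documents an empty TLS 1.3 ciphersuite list as permissible, so a present-but-empty option (assuming `conf->get_val` returns an engaged optional for it, which the hunk does not show) would pass the reload while leaving the context with no TLS 1.3 suites, and the misconfiguration would only surface later as handshake failures; `SSL_CTX_set_cipher_list()` in the existing `ssl_ciphers` block fails loudly in the equivalent case. Rejecting it up front keeps the failure mode explicit: `if (ciphersuites->empty()) { lderr(ctx()) << "ssl_ciphersuites must not be empty" << dendl; return -EINVAL; }`. The block otherwise mirrors the existing `ssl_ciphers` handling line for line (cert check, setter call, `r == 0` check), so a small helper taking the option name and the setter would remove the duplication. `SSL_CTX_set_ciphersuites()` only exists from OpenSSL 1.1.1 onward; if the build still supports an older OpenSSL this call needs a version guard. The enclosing `ssl_reload()` body starts before and continues after the hunk.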