From: Casey Bodley Date: Fri, 15 May 2026 14:40:50 +0000 (-0400) Subject: rgw/beast: add ssl_ciphersuites option for tls 1.3 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=d8daca895a22d9a0200c99b886d214d8081384df;p=ceph.git rgw/beast: add ssl_ciphersuites option for tls 1.3 the existing ssl_ciphers option is passed to `SSL_CTX_set_cipher_list()` which only applies to "TLSv1.2 and below". there's a separate `SSL_CTX_set_ciphersuites()` for TLSv1.3 because the frontend's default configuration for `ssl_options` accepts both 1.2 and 1.3, users may need to specify ciphers for each. that's why `ssl_ciphersuites` is introduced as a separate option Fixes: https://tracker.ceph.com/issues/76578 Signed-off-by: Casey Bodley (cherry picked from commit c62f537f2c99513ef04595c748d392e9da36a7fd) Conflicts: doc/radosgw/frontends.rst openssl -> OpenSSL src/rgw/rgw_asio_frontend.cc no tls_groups on tentacle --- diff --git a/doc/radosgw/frontends.rst b/doc/radosgw/frontends.rst index bf46e3cc15a..0884c540a79 100644 --- a/doc/radosgw/frontends.rst +++ b/doc/radosgw/frontends.rst @@ -87,11 +87,13 @@ Options :Type: String :Default: ``no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1`` -``ssl_ciphers`` +``ssl_ciphers`` and ``ssl_ciphersuites`` :Description: Optional list of one or more cipher strings separated by colons. - The format of the string is described in openssl's ciphers(1) - manual. + The format of the string is described in OpenSSL's ciphers(1) + manual. The ``ssl_ciphers`` option only applies to connections + using TLS v1.2 and below, while ``ssl_ciphersuites`` only applies + to TLS v1.3. :Type: String :Default: None diff --git a/src/rgw/rgw_asio_frontend.cc b/src/rgw/rgw_asio_frontend.cc index d55a006eec6..c71fb61514d 100644 --- a/src/rgw/rgw_asio_frontend.cc +++ b/src/rgw/rgw_asio_frontend.cc @@ -1005,6 +1005,21 @@ int AsioFrontend::init_ssl() } } + std::optional ciphersuites = conf->get_val("ssl_ciphersuites"); + if (ciphersuites) { + if (!cert) { + lderr(ctx()) << "no ssl_certificate configured for ssl_ciphersuites" << dendl; + return -EINVAL; + } + + int r = SSL_CTX_set_ciphersuites(ssl_context->native_handle(), ciphersuites->c_str()); + if (r == 0) { + lderr(ctx()) << "no cipher could be selected from ssl_ciphersuites: " + << *ciphersuites << dendl; + return -EINVAL; + } + } + auto ports = config.equal_range("ssl_port"); auto endpoints = config.equal_range("ssl_endpoint");