From: Mykola Golub Date: Wed, 16 Jun 2021 15:41:44 +0000 (+0100) Subject: rgw: set default ssl options for beast frontend X-Git-Tag: v17.1.0~1386^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F41579%2Fhead;p=ceph.git rgw: set default ssl options for beast frontend to 'no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1' Signed-off-by: Mykola Golub --- diff --git a/PendingReleaseNotes b/PendingReleaseNotes index 4858af5883a3..8181b57c1193 100644 --- a/PendingReleaseNotes +++ b/PendingReleaseNotes @@ -35,6 +35,11 @@ and eventName values no longer carry the `s3:` prefix, fixing deviations from the message format observed on AWS. +* RGW: It is possible to specify ssl options and ciphers for beast frontend now. + The default ssl options setting is "no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1". + If you want to return back the old behavior add 'ssl_options=' (empty) to + ``rgw frontends`` configuration. + >=16.0.0 -------- * mgr/nfs: ``nfs`` module is moved out of volumes plugin. Prior using the diff --git a/doc/radosgw/frontends.rst b/doc/radosgw/frontends.rst index 59eb130bb900..7e4f3cf00de8 100644 --- a/doc/radosgw/frontends.rst +++ b/doc/radosgw/frontends.rst @@ -85,7 +85,7 @@ Options ``single_dh_use`` Always create a new key when using tmp_dh parameters. :Type: String -:Default: None +:Default: ``no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1`` ``ssl_ciphers`` diff --git a/src/rgw/rgw_asio_frontend.cc b/src/rgw/rgw_asio_frontend.cc index 72fa41d7a88f..5ef28d862aa2 100644 --- a/src/rgw/rgw_asio_frontend.cc +++ b/src/rgw/rgw_asio_frontend.cc @@ -809,7 +809,11 @@ int AsioFrontend::init_ssl() lderr(ctx()) << "no ssl_certificate configured for ssl_options" << dendl; return -EINVAL; } + } else if (cert) { + options = "no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1"; + } + if (options) { for (auto &option : ceph::split(*options, ":")) { if (option == "default_workarounds") { ssl_context->set_options(ssl::context::default_workarounds);
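Review bot: In the PendingReleaseNotes hunk, the note does not say that the new default is applied only when an ``ssl_certificate`` is configured, which is what the ``else if (cert)`` branch in the rgw_asio_frontend.cc hunk implements; readers running a plain-HTTP beast frontend may otherwise expect a behaviour change. Also tighten the wording: "It is possible to specify ssl options and ciphers for beast frontend now" reads better as "SSL options and ciphers can now be specified for the beast frontend", and "If you want to return back the old behavior" as "To restore the previous behavior, add ``ssl_options=`` (empty) to the ``rgw frontends`` configuration."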
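Review bot: In the doc/radosgw/frontends.rst hunk, only the ``:Default:`` value changes; the option description should also state that the default is applied only when ``ssl_certificate`` is set, and that an explicit empty ``ssl_options=`` disables these defaults, since that opt-out is documented in PendingReleaseNotes but not in the reference page an operator will actually consult.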
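Review bot: In the rgw_asio_frontend.cc hunk, the opt-out path described in the release note (an explicit empty ``ssl_options=``) works only because an engaged-but-empty ``options`` passes ``if (options)`` and ``ceph::split(*options, ":")`` then yields no tokens; a short comment on the new ``if (options) {`` line saying so would keep a future refactor from collapsing the empty-string case into the "unset" case. The literal "no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1" now appears here, in PendingReleaseNotes and in frontends.rst; a named constant with a comment pointing at the docs would avoid drift, and logging the defaulted value at the existing debug level when the ``else if (cert)`` branch fires would make the effective TLS policy visible to operators.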