From: Mykola Golub Date: Wed, 16 Jun 2021 15:41:44 +0000 (+0100) Subject: rgw: set default ssl options for beast frontend X-Git-Tag: v16.2.6~122^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F42363%2Fhead;p=ceph.git rgw: set default ssl options for beast frontend to 'no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1' Signed-off-by: Mykola Golub (cherry picked from commit fb31c87c2d6c02563d2d2a1e63d5b62bea2c6f91) --- diff --git a/PendingReleaseNotes b/PendingReleaseNotes index 4d443bc47d2e..b1e6d2ede865 100644 --- a/PendingReleaseNotes +++ b/PendingReleaseNotes @@ -9,6 +9,11 @@ that were storing state in RADOS omap, especially without striping which limits scalability. +* RGW: It is possible to specify ssl options and ciphers for beast frontend now. + The default ssl options setting is "no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1". + If you want to return back the old behavior add 'ssl_options=' (empty) to + ``rgw frontends`` configuration. + >=16.0.0 -------- diff --git a/doc/radosgw/frontends.rst b/doc/radosgw/frontends.rst index 389572255e89..be96e77e8632 100644 --- a/doc/radosgw/frontends.rst +++ b/doc/radosgw/frontends.rst @@ -85,7 +85,7 @@ Options ``single_dh_use`` Always create a new key when using tmp_dh parameters. :Type: String -:Default: None +:Default: ``no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1`` ``ssl_ciphers`` diff --git a/src/rgw/rgw_asio_frontend.cc b/src/rgw/rgw_asio_frontend.cc index d0673a39ab4c..a265f184856e 100644 --- a/src/rgw/rgw_asio_frontend.cc +++ b/src/rgw/rgw_asio_frontend.cc @@ -807,7 +807,11 @@ int AsioFrontend::init_ssl() lderr(ctx()) << "no ssl_certificate configured for ssl_options" << dendl; return -EINVAL; } + } else if (cert) { + options = "no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1"; + } + if (options) { for (auto &option : ceph::split(*options, ":")) { if (option == "default_workarounds") { ssl_context->set_options(ssl::context::default_workarounds);