From 4d3b01dbc1b547f2d589420b3f27d6b59163ad7e Mon Sep 17 00:00:00 2001 From: Mykola Golub Date: Wed, 16 Jun 2021 16:41:44 +0100 Subject: [PATCH] rgw: set default ssl options for beast frontend to 'no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1' Signed-off-by: Mykola Golub (cherry picked from commit fb31c87c2d6c02563d2d2a1e63d5b62bea2c6f91) --- PendingReleaseNotes | 5 +++++ doc/radosgw/frontends.rst | 2 +- src/rgw/rgw_asio_frontend.cc | 4 ++++ 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/PendingReleaseNotes b/PendingReleaseNotes index 4d443bc47d2e3..b1e6d2ede865a 100644 --- a/PendingReleaseNotes +++ b/PendingReleaseNotes @@ -9,6 +9,11 @@ that were storing state in RADOS omap, especially without striping which limits scalability. +* RGW: It is possible to specify ssl options and ciphers for beast frontend now. + The default ssl options setting is "no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1". + If you want to return back the old behavior add 'ssl_options=' (empty) to + ``rgw frontends`` configuration. + >=16.0.0 -------- diff --git a/doc/radosgw/frontends.rst b/doc/radosgw/frontends.rst index 389572255e893..be96e77e86324 100644 --- a/doc/radosgw/frontends.rst +++ b/doc/radosgw/frontends.rst @@ -85,7 +85,7 @@ Options ``single_dh_use`` Always create a new key when using tmp_dh parameters. :Type: String -:Default: None +:Default: ``no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1`` ``ssl_ciphers`` diff --git a/src/rgw/rgw_asio_frontend.cc b/src/rgw/rgw_asio_frontend.cc index d0673a39ab4c4..a265f184856eb 100644 --- a/src/rgw/rgw_asio_frontend.cc +++ b/src/rgw/rgw_asio_frontend.cc @@ -807,7 +807,11 @@ int AsioFrontend::init_ssl() lderr(ctx()) << "no ssl_certificate configured for ssl_options" << dendl; return -EINVAL; } + } else if (cert) { + options = "no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1"; + } + if (options) { for (auto &option : ceph::split(*options, ":")) { if (option == "default_workarounds") { ssl_context->set_options(ssl::context::default_workarounds); -- 2.39.5