From fb9b7b056d69f6500c52d74361e723bf0649fee4 Mon Sep 17 00:00:00 2001 From: Mykola Golub Date: Wed, 16 Jun 2021 16:41:44 +0100 Subject: [PATCH] rgw: set default ssl options for beast frontend to 'no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1' Signed-off-by: Mykola Golub (cherry picked from commit fb31c87c2d6c02563d2d2a1e63d5b62bea2c6f91) Conflicts: PendingReleaseNotes (added to 15.2.14 section) --- PendingReleaseNotes | 8 ++++++++ doc/radosgw/frontends.rst | 2 +- src/rgw/rgw_asio_frontend.cc | 4 ++++ 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/PendingReleaseNotes b/PendingReleaseNotes index 8d8a16d266800..3cd108a95b1a7 100644 --- a/PendingReleaseNotes +++ b/PendingReleaseNotes @@ -1,3 +1,11 @@ +15.2.14 +------- + +* RGW: It is possible to specify ssl options and ciphers for beast frontend now. + The default ssl options setting is "no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1". + If you want to return back the old behavior add 'ssl_options=' (empty) to + ``rgw frontends`` configuration. + 15.2.11 ------- diff --git a/doc/radosgw/frontends.rst b/doc/radosgw/frontends.rst index 389572255e893..be96e77e86324 100644 --- a/doc/radosgw/frontends.rst +++ b/doc/radosgw/frontends.rst @@ -85,7 +85,7 @@ Options ``single_dh_use`` Always create a new key when using tmp_dh parameters. :Type: String -:Default: None +:Default: ``no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1`` ``ssl_ciphers`` diff --git a/src/rgw/rgw_asio_frontend.cc b/src/rgw/rgw_asio_frontend.cc index 7b2a65a63a103..a15523f3ac3ea 100644 --- a/src/rgw/rgw_asio_frontend.cc +++ b/src/rgw/rgw_asio_frontend.cc @@ -780,7 +780,11 @@ int AsioFrontend::init_ssl() lderr(ctx()) << "no ssl_certificate configured for ssl_options" << dendl; return -EINVAL; } + } else if (cert) { + options = "no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1"; + } + if (options) { for (auto &option : ceph::split(*options, ":")) { if (option == "default_workarounds") { ssl_context->set_options(ssl::context::default_workarounds); -- 2.39.5