By default require TLS1.3
A configuration setting to allow negotiating TLS1.2 is included. If I got things done correctly, OpenSSL pre-1.1 can be used but requires explicitly lowering the minimum allowed TLS version in the configuration file. Signed-off-by: Erik Boasson <eb@ilities.com>
This commit is contained in:
parent
228aa71967
commit
c5e1c5b2f1
3 changed files with 64 additions and 1 deletions
|
@ -213,6 +213,13 @@ enum many_sockets_mode {
|
|||
MSM_MANY_UNICAST
|
||||
};
|
||||
|
||||
#ifdef DDSI_INCLUDE_SSL
|
||||
struct ssl_min_version {
|
||||
int major;
|
||||
int minor;
|
||||
};
|
||||
#endif
|
||||
|
||||
struct config
|
||||
{
|
||||
int valid;
|
||||
|
@ -301,6 +308,7 @@ struct config
|
|||
char * ssl_rand_file;
|
||||
char * ssl_key_pass;
|
||||
char * ssl_ciphers;
|
||||
struct ssl_min_version ssl_min_version;
|
||||
|
||||
#endif
|
||||
|
||||
|
|
|
@ -168,6 +168,7 @@ static int ddsi_ssl_password (char *buf, int num, int rwflag, void *udata)
|
|||
static SSL_CTX *ddsi_ssl_ctx_init (void)
|
||||
{
|
||||
SSL_CTX *ctx = SSL_CTX_new (SSLv23_method ());
|
||||
unsigned disallow_TLSv1_2;
|
||||
|
||||
/* Load certificates */
|
||||
if (! SSL_CTX_use_certificate_file (ctx, config.ssl_keystore, SSL_FILETYPE_PEM))
|
||||
|
@ -220,7 +221,32 @@ static SSL_CTX *ddsi_ssl_ctx_init (void)
|
|||
i |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
|
||||
SSL_CTX_set_verify (ctx, i, ddsi_ssl_verify);
|
||||
}
|
||||
SSL_CTX_set_options (ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
|
||||
switch (config.ssl_min_version.major)
|
||||
{
|
||||
case 1:
|
||||
switch (config.ssl_min_version.minor)
|
||||
{
|
||||
case 2:
|
||||
disallow_TLSv1_2 = 0;
|
||||
break;
|
||||
case 3:
|
||||
#ifdef SSL_OP_NO_TLSv1_2
|
||||
disallow_TLSv1_2 = SSL_OP_NO_TLSv1_2;
|
||||
#else
|
||||
DDS_LOG (DDS_LC_ERROR | DDS_LC_CONFIG, "tcp/ssl: openssl version does not support disabling TLSv1.2 as required by config\n");
|
||||
goto fail;
|
||||
#endif
|
||||
break;
|
||||
default:
|
||||
DDS_LOG (DDS_LC_ERROR | DDS_LC_CONFIG, "tcp/ssl: can't set minimum requested TLS version to %d.%d\n", config.ssl_min_version.major, config.ssl_min_version.minor);
|
||||
goto fail;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
DDS_LOG (DDS_LC_ERROR | DDS_LC_CONFIG, "tcp/ssl: can't set minimum requested TLS version to %d.%d\n", config.ssl_min_version.major, config.ssl_min_version.minor);
|
||||
goto fail;
|
||||
}
|
||||
SSL_CTX_set_options (ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | disallow_TLSv1_2);
|
||||
return ctx;
|
||||
|
||||
fail:
|
||||
|
|
|
@ -165,6 +165,9 @@ DUPF(durability_cdr);
|
|||
DUPF(transport_selector);
|
||||
DUPF(many_sockets_mode);
|
||||
DU(deaf_mute);
|
||||
#ifdef DDSI_INCLUDE_SSL
|
||||
DUPF(min_tls_version);
|
||||
#endif
|
||||
#undef DUPF
|
||||
#undef DU
|
||||
#undef PF
|
||||
|
@ -691,6 +694,8 @@ static const struct cfgelem ssl_cfgelems[] = {
|
|||
"<p>The set of ciphers used by SSL/TLS</p>" },
|
||||
{ LEAF("EntropyFile"), 1, "", ABSOFF(ssl_rand_file), 0, uf_string, ff_free, pf_string,
|
||||
"<p>The SSL/TLS random entropy file name.</p>" },
|
||||
{ LEAF("MinimumTLSVersion"), 1, "1.3", ABSOFF(ssl_min_version), 0, uf_min_tls_version, 0, pf_min_tls_version,
|
||||
"<p>The minimum TLS version that may be negotiated, valid values are 1.2 and 1.3.</p>" },
|
||||
END_MARKER
|
||||
};
|
||||
#endif
|
||||
|
@ -1408,6 +1413,30 @@ static void pf_besmode(struct cfgst *cfgst, void *parent, struct cfgelem const *
|
|||
cfg_log(cfgst, "%s%s", str, is_default ? " [def]" : "");
|
||||
}
|
||||
|
||||
#ifdef DDSI_INCLUDE_SSL
|
||||
static int uf_min_tls_version(struct cfgst *cfgst, UNUSED_ARG(void *parent), UNUSED_ARG(struct cfgelem const * const cfgelem), UNUSED_ARG(int first), const char *value)
|
||||
{
|
||||
static const char *vs[] = {
|
||||
"1.2", "1.3", NULL
|
||||
};
|
||||
static const struct ssl_min_version ms[] = {
|
||||
{1,2}, {1,3}, {0,0}
|
||||
};
|
||||
int idx = list_index(vs, value);
|
||||
struct ssl_min_version *elem = cfg_address(cfgst, parent, cfgelem);
|
||||
assert(sizeof(vs) / sizeof(*vs) == sizeof(ms) / sizeof(*ms));
|
||||
if ( idx < 0 )
|
||||
return cfg_error(cfgst, "'%s': undefined value", value);
|
||||
*elem = ms[idx];
|
||||
return 1;
|
||||
}
|
||||
|
||||
static void pf_min_tls_version(struct cfgst *cfgst, void *parent, struct cfgelem const * const cfgelem, int is_default)
|
||||
{
|
||||
struct ssl_min_version *p = cfg_address(cfgst, parent, cfgelem);
|
||||
cfg_log(cfgst, "%d.%d%s", p->major, p->minor, is_default ? " [def]" : "");
|
||||
}
|
||||
#endif
|
||||
|
||||
static int uf_durability_cdr(struct cfgst *cfgst, UNUSED_ARG(void *parent), UNUSED_ARG(struct cfgelem const * const cfgelem), UNUSED_ARG(int first), const char *value)
|
||||
{
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue