authorMykola Golub <mgolub@suse.com>2021-05-27 18:09:48 +0200
committerMykola Golub <mgolub@suse.com>2021-07-14 10:20:15 +0200
commit91abede6357d167063c63eade45421d2f17bb0e7 (patch)
tree58fdf6d0faed4e94b0a099508bae27d76ac6a2a4 /src/rgw/rgw_asio_frontend.cc
parentMerge pull request #42314 from rzarzynski/wip-crimson-single-do_peering_event (diff)
rgw: allow to set ssl options and ciphers for beast frontend
Two new conf keys are added for "beast" framework: - ssl_options: a colon separated list of ssl context options, documented in boost's ssl::context_base; - ssl_ciphers: a colon separated list of ciphers, documented in openssl's ciphers(1) manual. Example: rgw frontends = beast ... ssl_options=default_workarounds:no_tlsv1:no_tlsv1_1 ssl_ciphers=HIGH:!aNULL:!MD5 Fixes: https://tracker.ceph.com/issues/50932 Signed-off-by: Mykola Golub <mgolub@suse.com>
Diffstat (limited to 'src/rgw/rgw_asio_frontend.cc')
-rw-r--r--src/rgw/rgw_asio_frontend.cc48
1 files changed, 48 insertions, 0 deletions
diff --git a/src/rgw/rgw_asio_frontend.cc b/src/rgw/rgw_asio_frontend.cc
index e9f46265a70..72fa41d7a88 100644
--- a/src/rgw/rgw_asio_frontend.cc
+++ b/src/rgw/rgw_asio_frontend.cc
@@ -23,6 +23,8 @@
#include <boost/asio/ssl.hpp>
#include <boost/beast/ssl/ssl_stream.hpp>
+#include "common/split.h"
+
#include "services/svc_config_key.h"
#include "services/svc_zone.h"
@@ -801,6 +803,52 @@ int AsioFrontend::init_ssl()
return -EINVAL;
}
+ std::optional<string> options = conf->get_val("ssl_options");
+ if (options) {
+ if (!cert) {
+ lderr(ctx()) << "no ssl_certificate configured for ssl_options" << dendl;
+ return -EINVAL;
+ }
+
+ for (auto &option : ceph::split(*options, ":")) {
+ if (option == "default_workarounds") {
+ ssl_context->set_options(ssl::context::default_workarounds);
+ } else if (option == "no_compression") {
+ ssl_context->set_options(ssl::context::no_compression);
+ } else if (option == "no_sslv2") {
+ ssl_context->set_options(ssl::context::no_sslv2);
+ } else if (option == "no_sslv3") {
+ ssl_context->set_options(ssl::context::no_sslv3);
+ } else if (option == "no_tlsv1") {
+ ssl_context->set_options(ssl::context::no_tlsv1);
+ } else if (option == "no_tlsv1_1") {
+ ssl_context->set_options(ssl::context::no_tlsv1_1);
+ } else if (option == "no_tlsv1_2") {
+ ssl_context->set_options(ssl::context::no_tlsv1_2);
+ } else if (option == "single_dh_use") {
+ ssl_context->set_options(ssl::context::single_dh_use);
+ } else {
+ lderr(ctx()) << "ignoring unknown ssl option '" << option << "'" << dendl;
+ }
+ }
+ }
+
+ std::optional<string> ciphers = conf->get_val("ssl_ciphers");
+ if (ciphers) {
+ if (!cert) {
+ lderr(ctx()) << "no ssl_certificate configured for ssl_ciphers" << dendl;
+ return -EINVAL;
+ }
+
+ int r = SSL_CTX_set_cipher_list(ssl_context->native_handle(),
+ ciphers->c_str());
+ if (r == 0) {
+ lderr(ctx()) << "no cipher could be selected from ssl_ciphers: "
+ << *ciphers << dendl;
+ return -EINVAL;
+ }
+ }
+
auto ports = config.equal_range("ssl_port");
auto endpoints = config.equal_range("ssl_endpoint");
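Review bot: An unrecognised token in `ssl_options` is only logged in the final `else` branch of the option loop and startup continues, so a typo such as `no_tlsv1_l` silently leaves TLS 1.0 enabled while the operator believes it is off; this should fail closed the way the `ssl_ciphers` branch just below already does: `lderr(ctx()) << "unknown ssl option '" << option << "'" << dendl;` followed by `return -EINVAL;`. A caveat worth a comment above the `SSL_CTX_set_cipher_list` call: with OpenSSL 1.1.1 and later that call only constrains TLS 1.2-and-earlier cipher suites (TLS 1.3 suites are chosen via `SSL_CTX_set_ciphersuites`), so the documented `ssl_ciphers=HIGH:!aNULL:!MD5` example does not restrict a TLS 1.3 handshake — e.g. `// NOTE: only governs TLS <= 1.2; TLS 1.3 suites are set with SSL_CTX_set_ciphersuites`. The `r == 0` check is also weaker than it reads, because OpenSSL returns success as soon as any entry in the list matches, so a partially mistyped list is accepted without complaint. The enclosing `AsioFrontend::init_ssl()` begins before this hunk and continues after it.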