MXS-2762: Add ssl_version=TLSv13

Added new ssl_version value for TLSv1.3. This allows the list of accepted protocol versions to be limited to all supported protocols. Previously TLSv1.3 was only available with ssl_version=MAX. Also fixed the enum value serialization to use a lowercase v. This causes them to have the same value as the one used in the enum.
2019-11-11 12:46:28 +02:00 · 2019-11-11 12:46:28 +02:00 · 774e9bc3f0
commit 774e9bc3f0
parent f7f865d4c3
4 changed files with 32 additions and 3 deletions
--- a/include/maxscale/ssl.h
+++ b/include/maxscale/ssl.h
@ -34,6 +34,7 @@ typedef enum ssl_method_type
    SERVICE_TLS10,
    SERVICE_TLS11,
    SERVICE_TLS12,
+    SERVICE_TLS13,
    SERVICE_SSL_MAX,
    SERVICE_TLS_MAX,
    SERVICE_SSL_TLS_MAX,
--- a/server/core/config.cc
+++ b/server/core/config.cc
@ -282,6 +282,7 @@ static const MXS_ENUM_VALUE ssl_version_values[] =
    {"TLSv10", SERVICE_TLS10      },
    {"TLSv11", SERVICE_TLS11      },
    {"TLSv12", SERVICE_TLS12      },
+    {"TLSv13", SERVICE_TLS13      },
    {NULL}
 };

--- a/server/core/listener.cc
+++ b/server/core/listener.cc
@ -200,6 +200,10 @@ int listener_set_ssl_version(SSL_LISTENER* ssl_listener, const char* version)
    {
        ssl_listener->ssl_method_type = SERVICE_TLS12;
    }
+    else if (strcasecmp(version, "TLSV13") == 0)
+    {
+        ssl_listener->ssl_method_type = SERVICE_TLS13;
+    }
    else
    {
        return -1;
@ -301,6 +305,15 @@ bool SSL_LISTENER_init(SSL_LISTENER* ssl)
 #endif
        break;

+    case SERVICE_TLS13:
+#ifdef OPENSSL_1_1
+        ssl->method = (SSL_METHOD*)TLS_method();
+#else
+        MXS_ERROR("TLSv1.3 is not supported on this system.");
+        return false;
+#endif
+        break;
+
    /** Rest of these use the maximum available SSL/TLS methods */
    case SERVICE_SSL_MAX:
        ssl->method = (SSL_METHOD*)SSLv23_method();
@ -335,6 +348,13 @@ bool SSL_LISTENER_init(SSL_LISTENER* ssl)
    /** Disable SSLv3 */
    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);

+    if (ssl->ssl_method_type == SERVICE_TLS13)
+    {
+        // There is no TLSv1_3_method function as the TLSv1_X_method functions are deprecated in favor of
+        // disabling them via options.
+        SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
+    }
+
    // Disable session cache
    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);

--- a/server/core/ssl.cc
+++ b/server/core/ssl.cc
@ -202,13 +202,16 @@ const char* ssl_method_type_to_string(ssl_method_type_t method_type)
    switch (method_type)
    {
    case SERVICE_TLS10:
-        return "TLSV10";
+        return "TLSv10";

    case SERVICE_TLS11:
-        return "TLSV11";
+        return "TLSv11";

    case SERVICE_TLS12:
-        return "TLSV12";
+        return "TLSv12";
+
+    case SERVICE_TLS13:
+        return "TLSv13";

    case SERVICE_SSL_MAX:
    case SERVICE_TLS_MAX:
@ -238,6 +241,10 @@ ssl_method_type_t string_to_ssl_method_type(const char* str)
    {
        return SERVICE_TLS12;
    }
+    else if (strcasecmp("TLSV13", str) == 0)
+    {
+        return SERVICE_TLS13;
+    }
    return SERVICE_SSL_UNKNOWN;
 }