hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MXS-2762: Add ssl_version=TLSv13

Browse Source 
Added new ssl_version value for TLSv1.3. This allows the list of accepted
protocol versions to be limited to all supported protocols. Previously
TLSv1.3 was only available with ssl_version=MAX.

Also fixed the enum value serialization to use a lowercase v. This causes
them to have the same value as the one used in the enum.
This commit is contained in:
Markus Mäkelä
2019-11-11 12:46:28 +02:00
parent f7f865d4c3
commit 774e9bc3f0
4 changed files with 32 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
include/maxscale/ssl.h
View File

@ -34,6 +34,7 @@ typedef enum ssl_method_type
SERVICE_TLS10, SERVICE_TLS10,
SERVICE_TLS11, SERVICE_TLS11,
SERVICE_TLS12, SERVICE_TLS12,
SERVICE_TLS13,
SERVICE_SSL_MAX, SERVICE_SSL_MAX,
SERVICE_TLS_MAX, SERVICE_TLS_MAX,
SERVICE_SSL_TLS_MAX, SERVICE_SSL_TLS_MAX,

1
server/core/config.cc
View File

@ -282,6 +282,7 @@ static const MXS_ENUM_VALUE ssl_version_values[] =
{"TLSv10", SERVICE_TLS10 }, {"TLSv10", SERVICE_TLS10 },
{"TLSv11", SERVICE_TLS11 }, {"TLSv11", SERVICE_TLS11 },
{"TLSv12", SERVICE_TLS12 }, {"TLSv12", SERVICE_TLS12 },
{"TLSv13", SERVICE_TLS13 },
{NULL} {NULL}
}; };

20
server/core/listener.cc
View File

@ -200,6 +200,10 @@ int listener_set_ssl_version(SSL_LISTENER* ssl_listener, const char* version)
{ {
ssl_listener->ssl_method_type = SERVICE_TLS12; ssl_listener->ssl_method_type = SERVICE_TLS12;
} }
else if (strcasecmp(version, "TLSV13") == 0)
{
ssl_listener->ssl_method_type = SERVICE_TLS13;
}
else else
{ {
return -1; return -1;
@ -301,6 +305,15 @@ bool SSL_LISTENER_init(SSL_LISTENER* ssl)
#endif #endif
break; break;
case SERVICE_TLS13:
#ifdef OPENSSL_1_1
ssl->method = (SSL_METHOD*)TLS_method();
#else
MXS_ERROR("TLSv1.3 is not supported on this system.");
return false;
#endif
break;
/** Rest of these use the maximum available SSL/TLS methods */ /** Rest of these use the maximum available SSL/TLS methods */
case SERVICE_SSL_MAX: case SERVICE_SSL_MAX:
ssl->method = (SSL_METHOD*)SSLv23_method(); ssl->method = (SSL_METHOD*)SSLv23_method();
@ -335,6 +348,13 @@ bool SSL_LISTENER_init(SSL_LISTENER* ssl)
/** Disable SSLv3 */ /** Disable SSLv3 */
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
if (ssl->ssl_method_type == SERVICE_TLS13)
{
// There is no TLSv1_3_method function as the TLSv1_X_method functions are deprecated in favor of
// disabling them via options.
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2);
}
// Disable session cache // Disable session cache
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);

13
server/core/ssl.cc
View File

@ -202,13 +202,16 @@ const char* ssl_method_type_to_string(ssl_method_type_t method_type)
switch (method_type) switch (method_type)
{ {
case SERVICE_TLS10: case SERVICE_TLS10:
return "TLSV10"; return "TLSv10";
case SERVICE_TLS11: case SERVICE_TLS11:
return "TLSV11"; return "TLSv11";
case SERVICE_TLS12: case SERVICE_TLS12:
return "TLSV12"; return "TLSv12";
case SERVICE_TLS13:
return "TLSv13";
case SERVICE_SSL_MAX: case SERVICE_SSL_MAX:
case SERVICE_TLS_MAX: case SERVICE_TLS_MAX:
@ -238,6 +241,10 @@ ssl_method_type_t string_to_ssl_method_type(const char* str)
{ {
return SERVICE_TLS12; return SERVICE_TLS12;
} }
else if (strcasecmp("TLSV13", str) == 0)
{
return SERVICE_TLS13;
}
return SERVICE_SSL_UNKNOWN; return SERVICE_SSL_UNKNOWN;
} }