hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MXS-2861: Add ssl_cipher to servers and listeners

Browse Source 
This allows the set of TLSv1.2 ciphers to be selected which is required to
fulfill certain regulatory requirements.
This commit is contained in:
Markus Mäkelä
2020-04-08 08:32:01 +03:00
parent 1ff112ca38
commit 83b03d89b5
5 changed files with 34 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
Documentation/Getting-Started/Configuration-Guide.md
View File

@ -2055,6 +2055,12 @@ TLSv1.3 depending on the OpenSSL library version.
The `TLSv13` value was added in MaxScale 2.3.15 ([MXS-2762](https://jira.mariadb.org/browse/MXS-2762)).
### `ssl_cipher`
Set the list of TLS ciphers. By default, no explicit ciphers are defined and the
system defaults are used. Note that this parameter does not modify TLSv1.3
ciphers.
### `ssl_cert_verify_depth`
The maximum length of the certificate authority chain that will be accepted. The

1
include/maxscale/config.hh
View File

@ -196,6 +196,7 @@ extern const char CN_SKIP_PERMISSION_CHECKS[];
extern const char CN_SOCKET[];
extern const char CN_SSL_CA_CERT[];
extern const char CN_SSL_CERT_VERIFY_DEPTH[];
extern const char CN_SSL_CIPHER[];
extern const char CN_SSL_CERT[];
extern const char CN_SSL_KEY[];
extern const char CN_SSL_VERIFY_PEER_CERTIFICATE[];

13
include/maxscale/ssl.hh
View File

@ -77,12 +77,13 @@ struct SSLConfig
// Convert to human readable string representation
std::string to_string() const;
std::string key; /**< SSL private key */
std::string cert; /**< SSL certificate */
std::string ca; /**< SSL CA certificate */
ssl_method_type_t version = SERVICE_SSL_TLS_MAX; /**< Which TLS version to use */
int verify_depth = 9; /**< SSL certificate verification depth */
bool verify_peer = true; /**< Enable peer certificate verification */
std::string key; /**< SSL private key */
std::string cert; /**< SSL certificate */
std::string ca; /**< SSL CA certificate */
ssl_method_type_t version = SERVICE_SSL_TLS_MAX;/**< Which TLS version to use */
int verify_depth = 9; /**< SSL certificate verification depth */
bool verify_peer = true; /**< Enable peer certificate verification */
std::string cipher; /**< Selected TLS cipher */
};
/**

10
server/core/config.cc
View File

@ -181,6 +181,7 @@ const char CN_SSL[] = "ssl";
const char CN_SSL_CA_CERT[] = "ssl_ca_cert";
const char CN_SSL_CERT[] = "ssl_cert";
const char CN_SSL_CERT_VERIFY_DEPTH[] = "ssl_cert_verify_depth";
const char CN_SSL_CIPHER[] = "ssl_cipher";
const char CN_SSL_KEY[] = "ssl_key";
const char CN_SSL_VERIFY_PEER_CERTIFICATE[] = "ssl_verify_peer_certificate";
const char CN_SSL_VERSION[] = "ssl_version";
@ -490,6 +491,10 @@ const MXS_MODULE_PARAM config_listener_params[] =
MXS_MODULE_PARAM_BOOL,
"false"
},
{
CN_SSL_CIPHER,
MXS_MODULE_PARAM_STRING
},
{NULL}
};
@ -704,6 +709,10 @@ const MXS_MODULE_PARAM config_server_params[] =
MXS_MODULE_PARAM_BOOL,
"false"
},
{
CN_SSL_CIPHER,
MXS_MODULE_PARAM_STRING,
},
{
CN_DISK_SPACE_THRESHOLD,
MXS_MODULE_PARAM_STRING
@ -4173,6 +4182,7 @@ bool config_is_ssl_parameter(const char* key)
CN_SSL_VERSION,
CN_SSL_CERT_VERIFY_DEPTH,
CN_SSL_VERIFY_PEER_CERTIFICATE,
CN_SSL_CIPHER,
NULL
};

10
server/core/ssl.cc
View File

@ -201,6 +201,7 @@ SSLConfig::SSLConfig(const MXS_CONFIG_PARAMETER& params)
, version((ssl_method_type_t)params.get_enum(CN_SSL_VERSION, ssl_version_values))
, verify_depth(params.get_integer(CN_SSL_CERT_VERIFY_DEPTH))
, verify_peer(params.get_bool(CN_SSL_VERIFY_PEER_CERTIFICATE))
, cipher(params.get_string(CN_SSL_CIPHER))
{
}
@ -384,6 +385,15 @@ bool SSLContext::init()
/* Set the verification depth */
SSL_CTX_set_verify_depth(m_ctx, m_cfg.verify_depth);
if (!m_cfg.cipher.empty())
{
if (SSL_CTX_set_cipher_list(m_ctx, m_cfg.cipher.c_str()) == 0)
{
MXS_ERROR("Could not set cipher list '%s': %s", m_cfg.cipher.c_str(), get_ssl_errors());
return false;
}
}
return true;
}