From 83b03d89b5e2233f3db06079bd5a0cfa9be7614c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?=
Date: Wed, 8 Apr 2020 08:32:01 +0300
Subject: [PATCH] MXS-2861: Add ssl_cipher to servers and listeners

This allows the set of TLSv1.2 ciphers to be selected which is required to fulfill certain regulatory requirements.
---
 .../Getting-Started/Configuration-Guide.md | 6 ++++++
 include/maxscale/config.hh | 1 +
 include/maxscale/ssl.hh | 13 +++++++------
 server/core/config.cc | 10 ++++++++++
 server/core/ssl.cc | 10 ++++++++++
 5 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/Documentation/Getting-Started/Configuration-Guide.md b/Documentation/Getting-Started/Configuration-Guide.md
index bb57c5095..7d4948f7c 100644
--- a/Documentation/Getting-Started/Configuration-Guide.md
+++ b/Documentation/Getting-Started/Configuration-Guide.md
@@ -2055,6 +2055,12 @@ TLSv1.3 depending on the OpenSSL library version.
 The `TLSv13` value was added in MaxScale 2.3.15 ([MXS-2762](https://jira.mariadb.org/browse/MXS-2762)).
+### `ssl_cipher`
+
+Set the list of TLS ciphers. By default, no explicit ciphers are defined and the
+system defaults are used. Note that this parameter does not modify TLSv1.3
+ciphers.
+
 ### `ssl_cert_verify_depth`
 The maximum length of the certificate authority chain that will be accepted. The
diff --git a/include/maxscale/config.hh b/include/maxscale/config.hh
index b4a085208..06ab75a08 100644
--- a/include/maxscale/config.hh
+++ b/include/maxscale/config.hh
@@ -196,6 +196,7 @@ extern const char CN_SKIP_PERMISSION_CHECKS[];
 extern const char CN_SOCKET[];
 extern const char CN_SSL_CA_CERT[];
 extern const char CN_SSL_CERT_VERIFY_DEPTH[];
+extern const char CN_SSL_CIPHER[];
 extern const char CN_SSL_CERT[];
 extern const char CN_SSL_KEY[];
 extern const char CN_SSL_VERIFY_PEER_CERTIFICATE[];
diff --git a/include/maxscale/ssl.hh b/include/maxscale/ssl.hh
index 01cfaf7f1..a01363163 100644
--- a/include/maxscale/ssl.hh
+++ b/include/maxscale/ssl.hh
@@ -77,12 +77,13 @@ struct SSLConfig
 // Convert to human readable string representation
 std::string to_string() const;
- std::string key; /**< SSL private key */
- std::string cert; /**< SSL certificate */
- std::string ca; /**< SSL CA certificate */
- ssl_method_type_t version = SERVICE_SSL_TLS_MAX; /**< Which TLS version to use */
- int verify_depth = 9; /**< SSL certificate verification depth */
- bool verify_peer = true; /**< Enable peer certificate verification */
+ std::string key; /**< SSL private key */
+ std::string cert; /**< SSL certificate */
+ std::string ca; /**< SSL CA certificate */
+ ssl_method_type_t version = SERVICE_SSL_TLS_MAX;/**< Which TLS version to use */
+ int verify_depth = 9; /**< SSL certificate verification depth */
+ bool verify_peer = true; /**< Enable peer certificate verification */
+ std::string cipher; /**< Selected TLS cipher */
 };
 /**
diff --git a/server/core/config.cc b/server/core/config.cc
index 3f694a23e..02cd0ae00 100644
--- a/server/core/config.cc
+++ b/server/core/config.cc
@@ -181,6 +181,7 @@ const char CN_SSL[] = "ssl";
 const char CN_SSL_CA_CERT[] = "ssl_ca_cert";
 const char CN_SSL_CERT[] = "ssl_cert";
 const char CN_SSL_CERT_VERIFY_DEPTH[] = "ssl_cert_verify_depth";
+const char CN_SSL_CIPHER[] = "ssl_cipher";
 const char CN_SSL_KEY[] = "ssl_key";
 const char CN_SSL_VERIFY_PEER_CERTIFICATE[] = "ssl_verify_peer_certificate";
 const char CN_SSL_VERSION[] = "ssl_version";
@@ -490,6 +491,10 @@ const MXS_MODULE_PARAM config_listener_params[] =
 MXS_MODULE_PARAM_BOOL,
 "false"
 },
+ {
+ CN_SSL_CIPHER,
+ MXS_MODULE_PARAM_STRING
+ },
 {NULL}
 };
@@ -704,6 +709,10 @@ const MXS_MODULE_PARAM config_server_params[] =
 MXS_MODULE_PARAM_BOOL,
 "false"
 },
+ {
+ CN_SSL_CIPHER,
+ MXS_MODULE_PARAM_STRING,
+ },
 {
 CN_DISK_SPACE_THRESHOLD,
 MXS_MODULE_PARAM_STRING
@@ -4173,6 +4182,7 @@ bool config_is_ssl_parameter(const char* key)
 CN_SSL_VERSION,
 CN_SSL_CERT_VERIFY_DEPTH,
 CN_SSL_VERIFY_PEER_CERTIFICATE,
+ CN_SSL_CIPHER,
 NULL
 };
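Review bot: The comment on the new `cipher` member, `/**< Selected TLS cipher */`, understates what the field holds: ssl.cc hands it unchanged to `SSL_CTX_set_cipher_list()`, and the Configuration-Guide hunk describes it as a list of ciphers that leaves TLSv1.3 untouched, so a single-cipher reading will mislead the next maintainer. Suggest `std::string cipher; /**< OpenSSL cipher list for TLSv1.2 and older; empty keeps the library default */`. The realignment in the same hunk also dropped the space before the comment on the `version` line (`SERVICE_SSL_TLS_MAX;/**<`), which is out of step with the other members. The SSLConfig struct begins before this hunk.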
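Review bot: The two new parameter entries in config.cc are written differently: the listener entry at `@@ -490,6 +491,10 @@` ends with `MXS_MODULE_PARAM_STRING` while the server entry at `@@ -704,6 +709,10 @@` ends with `MXS_MODULE_PARAM_STRING,`; both should follow the form of the surrounding entries. Neither entry carries a default, which appears to mean the value is empty unless set — consistent with the `cipher.empty()` guard in ssl.cc, but worth confirming against how `get_string()` treats an absent parameter. No validation is attached to the parameter here, so a malformed cipher string is only reported when `SSLContext::init()` runs rather than at configuration load; if earlier feedback is wanted, this is where a check would have to go.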
diff --git a/server/core/ssl.cc b/server/core/ssl.cc
index c2fd3802a..ddc9d65f0 100644
--- a/server/core/ssl.cc
+++ b/server/core/ssl.cc
@@ -201,6 +201,7 @@ SSLConfig::SSLConfig(const MXS_CONFIG_PARAMETER& params)
 , version((ssl_method_type_t)params.get_enum(CN_SSL_VERSION, ssl_version_values))
 , verify_depth(params.get_integer(CN_SSL_CERT_VERIFY_DEPTH))
 , verify_peer(params.get_bool(CN_SSL_VERIFY_PEER_CERTIFICATE))
+ , cipher(params.get_string(CN_SSL_CIPHER))
 {
 }
@@ -384,6 +385,15 @@ bool SSLContext::init()
 /* Set the verification depth */
 SSL_CTX_set_verify_depth(m_ctx, m_cfg.verify_depth);
+ if (!m_cfg.cipher.empty())
+ {
+ if (SSL_CTX_set_cipher_list(m_ctx, m_cfg.cipher.c_str()) == 0)
+ {
+ MXS_ERROR("Could not set cipher list '%s': %s", m_cfg.cipher.c_str(), get_ssl_errors());
+ return false;
+ }
+ }
+
 return true;
 }
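Review bot: The new block in `SSLContext::init()` restricts ciphers for TLSv1.2 and older only, because `SSL_CTX_set_cipher_list()` does not affect TLSv1.3 ciphersuites, yet nothing in the code says so; the commit message and the Configuration-Guide do, and a reader of this function alone will assume `ssl_cipher` governs every handshake. Suggest a comment above the guard: `// Applies to TLSv1.2 and older only; TLSv1.3 suites stay at the library default (SSL_CTX_set_ciphersuites() would be needed to restrict those).` Note also that the call reports failure only when no cipher in the list can be selected, so a list mixing valid names with typos passes silently; logging the accepted list once at startup would make the effective configuration visible to operators. `SSLContext::init()` starts before this hunk.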