MXS-2861: Add ssl_cipher to servers and listeners

This allows the set of TLSv1.2 ciphers to be selected, which is required to
fulfill certain regulatory requirements.
Markus Mäkelä
2020-04-08 08:32:01 +03:00
parent 1ff112ca38
commit 83b03d89b5
5 changed files with 34 additions and 6 deletions


@ -181,6 +181,7 @@ const char CN_SSL[] = "ssl";
const char CN_SSL_CA_CERT[] = "ssl_ca_cert";
const char CN_SSL_CERT[] = "ssl_cert";
const char CN_SSL_CERT_VERIFY_DEPTH[] = "ssl_cert_verify_depth";
const char CN_SSL_CIPHER[] = "ssl_cipher";
const char CN_SSL_KEY[] = "ssl_key";
const char CN_SSL_VERIFY_PEER_CERTIFICATE[] = "ssl_verify_peer_certificate";
const char CN_SSL_VERSION[] = "ssl_version";
@ -490,6 +491,10 @@ const MXS_MODULE_PARAM config_listener_params[] =
MXS_MODULE_PARAM_BOOL,
"false"
},
{
CN_SSL_CIPHER,
MXS_MODULE_PARAM_STRING
},
{NULL}
};
@ -704,6 +709,10 @@ const MXS_MODULE_PARAM config_server_params[] =
MXS_MODULE_PARAM_BOOL,
"false"
},
{
CN_SSL_CIPHER,
MXS_MODULE_PARAM_STRING,
},
{
CN_DISK_SPACE_THRESHOLD,
MXS_MODULE_PARAM_STRING
@ -4173,6 +4182,7 @@ bool config_is_ssl_parameter(const char* key)
CN_SSL_VERSION,
CN_SSL_CERT_VERIFY_DEPTH,
CN_SSL_VERIFY_PEER_CERTIFICATE,
CN_SSL_CIPHER,
NULL
};
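Review bot: The new server entry at `MXS_MODULE_PARAM_STRING,` carries a trailing comma that the matching listener entry (`MXS_MODULE_PARAM_STRING` without a comma) does not, so the two otherwise identical `CN_SSL_CIPHER` initializers read differently; drop the comma in the server table to keep them aligned with the neighbouring entries. Both new entries also leave the parameter's default empty, which the `SSLContext::init()` change interprets as "keep OpenSSL's built-in list" — a short comment at each table entry, such as `/* Empty: use the library default cipher list */`, would make that contract visible where operators' parameters are declared. The three remaining changed files are not shown here, so I cannot tell whether the parameter is documented for users; if it is not, the reference documentation should be updated in the same change.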


@ -201,6 +201,7 @@ SSLConfig::SSLConfig(const MXS_CONFIG_PARAMETER& params)
, version((ssl_method_type_t)params.get_enum(CN_SSL_VERSION, ssl_version_values))
, verify_depth(params.get_integer(CN_SSL_CERT_VERIFY_DEPTH))
, verify_peer(params.get_bool(CN_SSL_VERIFY_PEER_CERTIFICATE))
, cipher(params.get_string(CN_SSL_CIPHER))
{
}
@ -384,6 +385,15 @@ bool SSLContext::init()
/* Set the verification depth */
SSL_CTX_set_verify_depth(m_ctx, m_cfg.verify_depth);
if (!m_cfg.cipher.empty())
{
if (SSL_CTX_set_cipher_list(m_ctx, m_cfg.cipher.c_str()) == 0)
{
MXS_ERROR("Could not set cipher list '%s': %s", m_cfg.cipher.c_str(), get_ssl_errors());
return false;
}
}
return true;
}
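Review bot: The error path at `if (SSL_CTX_set_cipher_list(m_ctx, m_cfg.cipher.c_str()) == 0)` only fires when no cipher in the list can be selected; OpenSSL returns 1 as soon as at least one name matches, so a misspelled or unsupported entry in an operator's list is dropped silently rather than reported, which matters when the option exists to satisfy a compliance requirement. Consider at least logging the effective list after a successful call (the resulting ciphers can be read back from the context) so the configured and applied sets can be compared, and add a comment above the check such as `// Note: OpenSSL only fails when *no* cipher matches; unknown names are ignored silently.` Since the commit message scopes this to TLSv1.2, a comment that this call does not govern TLSv1.3 ciphersuites would also help, provided the linked OpenSSL version supports TLSv1.3 at all, which this hunk does not show. SSLContext::init() starts outside the hunk, so I could not check whether earlier initialisation steps interact with the cipher setting.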