
[dev.icinga.com #10988] Support TLSv1.1 and TLSv1.2 for the cluster transport encryption #3857

Closed
icinga-migration opened this issue Jan 19, 2016 · 13 comments

Comments


@icinga-migration icinga-migration commented Jan 19, 2016

This issue has been migrated from Redmine: https://dev.icinga.com/issues/10988

Created by tobiasvdk on 2016-01-19 20:01:35 +00:00

Assignee: tobiasvdk
Status: Resolved (closed on 2016-02-23 10:00:11 +00:00)
Target Version: 2.4.2
Last Update: 2016-02-23 10:54:04 +00:00 (in Redmine)

Backport?: Already backported
Include in Changelog: 1

Using (only) TLSv1.0 is a security issue so also support TLSv1.1 and TLSv1.2 for the cluster transport encryption.

Changesets

2016-01-19 20:06:34 +00:00 by (unknown) 40b9515

Support TLSv1.1 and TLSv1.2 for the cluster transport encryption

From https://wiki.openssl.org/index.php/SSL/TLS_Client:
SSLv23_method specifies the protocols used and behavior of the handshake.
The method essentially means SSLv2 or above, and includes the TLS protocols.
The protocols are further tuned through SSL/TLS options. By using
SSLv23_method (and removing the SSL protocols with SSL_OP_NO_SSLv2 and
SSL_OP_NO_SSLv3), then you will use TLS v1.0 and above, including TLS v1.2.
You will also use a TLS handshake in the TLS Record.

If you use TLSv1_method, then you will only use TLS v1.0.

refs #10988

2016-01-20 15:48:00 +00:00 by (unknown) 1c67bf3

Support TLSv1.1 and TLSv1.2 for the cluster transport encryption

From https://wiki.openssl.org/index.php/SSL/TLS_Client:
SSLv23_method specifies the protocols used and behavior of the handshake.
The method essentially means SSLv2 or above, and includes the TLS protocols.
The protocols are further tuned through SSL/TLS options. By using
SSLv23_method (and removing the SSL protocols with SSL_OP_NO_SSLv2 and
SSL_OP_NO_SSLv3), then you will use TLS v1.0 and above, including TLS v1.2.
You will also use a TLS handshake in the TLS Record.

If you use TLSv1_method, then you will only use TLS v1.0.

fixes #10988

2016-01-25 13:53:26 +00:00 by mfriedrich a4562fb

Only set SSL_OP_NO_COMPRESSION if supported

OpenSSL 0.9.8 does not support this flag.

fixes #10988

2016-01-26 07:35:29 +00:00 by (unknown) 23edd6c

Add missing comment

refs #10988

2016-02-23 09:50:23 +00:00 by (unknown) ae50334

Support TLSv1.1 and TLSv1.2 for the cluster transport encryption

From https://wiki.openssl.org/index.php/SSL/TLS_Client:
SSLv23_method specifies the protocols used and behavior of the handshake.
The method essentially means SSLv2 or above, and includes the TLS protocols.
The protocols are further tuned through SSL/TLS options. By using
SSLv23_method (and removing the SSL protocols with SSL_OP_NO_SSLv2 and
SSL_OP_NO_SSLv3), then you will use TLS v1.0 and above, including TLS v1.2.
You will also use a TLS handshake in the TLS Record.

If you use TLSv1_method, then you will only use TLS v1.0.

fixes #10988

2016-02-23 09:50:29 +00:00 by mfriedrich d1cc56b

Only set SSL_OP_NO_COMPRESSION if supported

OpenSSL 0.9.8 does not support this flag.

fixes #10988

2016-02-23 09:50:42 +00:00 by (unknown) 6e11836

Add missing comment

refs #10988

Relations:


@icinga-migration icinga-migration commented Jan 20, 2016

Updated by gbeutner on 2016-01-20 12:44:33 +00:00

Looks good to me. Feel free to merge it into the master.


@icinga-migration icinga-migration commented Jan 20, 2016

Updated by mfriedrich on 2016-01-20 15:46:05 +00:00

  • Target Version set to 2.5.0

@icinga-migration icinga-migration commented Jan 20, 2016

Updated by Anonymous on 2016-01-20 15:50:03 +00:00

  • Status changed from Assigned to Resolved
  • Done % changed from 0 to 100

Applied in changeset 1c67bf3.


@icinga-migration icinga-migration commented Jan 25, 2016

Updated by mfriedrich on 2016-01-25 13:34:54 +00:00

  • Status changed from Resolved to Assigned

Doesn't build with 0.9.8

In file included from /root/rpmbuild/BUILD/icinga2/lib/base/tlsutility.hpp:26:0,
                 from /root/rpmbuild/BUILD/icinga2/lib/base/tlsstream.hpp:27,
                 from /root/rpmbuild/BUILD/icinga2/lib/base/tlsstream.cpp:20,
                 from /root/rpmbuild/BUILD/icinga2/lib/base/base_unity.cpp:56:
/root/rpmbuild/BUILD/icinga2/lib/base/tlsutility.cpp: In function 'boost::shared_ptr icinga::MakeSSLContext(const icinga::String&, const icinga::String&, const icinga::String&)':
/root/rpmbuild/BUILD/icinga2/lib/base/tlsutility.cpp:88:76: error: 'SSL_OP_NO_COMPRESSION' was not declared in this scope
  SSL_CTX_set_options(sslContext.get(), SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION);

znc/znc#765


@icinga-migration icinga-migration commented Jan 25, 2016

Updated by mfriedrich on 2016-01-25 14:00:04 +00:00

  • Status changed from Assigned to Resolved

Applied in changeset a4562fb.


@icinga-migration icinga-migration commented Jan 31, 2016

Updated by kobmaki on 2016-01-31 12:28:25 +00:00

Use of the method

SSLv23_method()

is deprecated as described on

https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_new.html

The method

 TLS_method()

should be used when compatibility is a concern.

Compare to the "origin"

TLSv1_method => TLSv_method

the difference is simply the character "1".


@icinga-migration icinga-migration commented Feb 2, 2016

Updated by tobiasvdk on 2016-02-02 12:26:12 +00:00

  • Assigned to changed from tobiasvdk to mfriedrich

kobmaki wrote:

Use of the method

[...]

is deprecated as described on

https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_new.html

[...]

That's correct for openssl version >1.0.2. In version <=1.0.2 this function does not exist. But this can be handled inside the code, I think.

dnsmichi: should we re-open this ticket or create a new one?
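The recipe from the changeset above (a negotiating method plus SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3), the later "only set SSL_OP_NO_COMPRESSION if supported" fix, and the SSLv23_method() vs TLS_method() point raised in the last two comments, put together as an added example. This is not Icinga 2's code: tlsutility.cpp is C++ against the OpenSSL API, while this uses Python's ssl module, which exposes the same OpenSSL method/option model (PROTOCOL_TLS_SERVER/CLIENT wrap TLS_server_method()/TLS_client_method(), OP_NO_* are the SSL_OP_NO_* bits) and so runs stand-alone. It goes one step beyond the ticket by also showing the version floor that OpenSSL 1.1.0+ bindings offer instead of masking each old version. The function names make_cluster_context, enabled_protocols and compression_disabled, the PROTOCOL_TABLE and the version codes are choices made here, not anything from the project.

```python
import ssl

# OpenSSL 0.9.8 has no SSL_OP_NO_COMPRESSION, which is what broke the first
# build in this ticket. Python's ssl module likewise only defines the constant
# when the linked OpenSSL does, so getattr() with a 0 fallback is the runtime
# equivalent of the "#ifdef SSL_OP_NO_COMPRESSION" guard from the fix.
NO_COMPRESSION_FLAG = getattr(ssl, "OP_NO_COMPRESSION", 0)

# (name, OP_NO_* mask, wire version code) in protocol order. A mask of 0 means
# the linked library does not implement that version at all (OpenSSL >= 1.1.0
# defines SSL_OP_NO_SSLv2 as 0 because SSLv2 support was removed entirely).
# The version codes are the TLS record-layer values (SSL2 uses 0x0002).
PROTOCOL_TABLE = (
    ("SSLv2", getattr(ssl, "OP_NO_SSLv2", 0), 0x0002),
    ("SSLv3", getattr(ssl, "OP_NO_SSLv3", 0), 0x0300),
    ("TLSv1", getattr(ssl, "OP_NO_TLSv1", 0), 0x0301),
    ("TLSv1.1", getattr(ssl, "OP_NO_TLSv1_1", 0), 0x0302),
    ("TLSv1.2", getattr(ssl, "OP_NO_TLSv1_2", 0), 0x0303),
    ("TLSv1.3", getattr(ssl, "OP_NO_TLSv1_3", 0), 0x0304),
)


def make_cluster_context(server_side, floor=None):
    """Build a context the way the fixed tlsutility does: a negotiating method
    plus OP_NO_* options, so both peers settle on the highest version they
    share instead of being pinned to TLS 1.0 by TLSv1_method()."""
    # PROTOCOL_TLS_SERVER / PROTOCOL_TLS_CLIENT wrap TLS_server_method() /
    # TLS_client_method(), the non-deprecated successors of SSLv23_method().
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    # The two options from the changeset, plus compression where the flag exists.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | NO_COMPRESSION_FLAG
    # Beyond the ticket: OpenSSL 1.1.0+ lets you set a floor directly
    # (SSL_CTX_set_min_proto_version) rather than masking each old version.
    if floor is not None:
        ctx.minimum_version = floor
    return ctx


def enabled_protocols(ctx):
    """List the versions a negotiating context will still offer. A version
    survives when the library implements it (mask != 0), its OP_NO_* bit is
    clear, and it lies within minimum_version..maximum_version. This assumes
    a negotiating method; a fixed-version context reports no floor at all."""
    low = ctx.minimum_version    # TLSVersion.MINIMUM_SUPPORTED (-2) when unset
    high = ctx.maximum_version   # TLSVersion.MAXIMUM_SUPPORTED (-1) when unset
    enabled = []
    for name, mask, code in PROTOCOL_TABLE:
        if mask == 0 or ctx.options & mask:
            continue
        if code < low:
            continue
        if high != ssl.TLSVersion.MAXIMUM_SUPPORTED and code > high:
            continue
        enabled.append(name)
    return enabled


def compression_disabled(ctx):
    """True only when the library knows OP_NO_COMPRESSION and it is set. On a
    0.9.8-era library the flag does not exist, so the answer is False and the
    context cannot promise anything about TLS-level compression."""
    return NO_COMPRESSION_FLAG != 0 and bool(ctx.options & NO_COMPRESSION_FLAG)


if __name__ == "__main__":
    variants = (
        ("ticket recipe, server", make_cluster_context(server_side=True)),
        ("TLS 1.2 floor, client", make_cluster_context(server_side=False, floor=0x0303)),
    )
    for label, ctx in variants:
        print(f"{label:24s} offers {enabled_protocols(ctx)}; "
              f"compression disabled: {compression_disabled(ctx)}")
```

On a Python 3.10+ build against OpenSSL 1.1.1 or 3.x the plain recipe already reports only TLS 1.2 and 1.3, because those bindings set a TLS 1.2 floor by default; on older bindings the same context also lists TLS 1.0 and 1.1, which is exactly the "TLS v1.0 and above" behaviour the changeset describes. Either way SSLv2 and SSLv3 never appear.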


@icinga-migration icinga-migration commented Feb 2, 2016

Updated by mfriedrich on 2016-02-02 12:44:46 +00:00

  • Status changed from Resolved to Assigned
  • Assigned to changed from mfriedrich to tobiasvdk

Leave the assignee as is, and just re-open the ticket for your fix.


@icinga-migration icinga-migration commented Feb 23, 2016

Updated by Anonymous on 2016-02-23 10:00:11 +00:00

  • Status changed from Assigned to Resolved

Applied in changeset ae50334.


@icinga-migration icinga-migration commented Feb 23, 2016

Updated by gbeutner on 2016-02-23 10:00:24 +00:00

  • Backport? changed from Not yet backported to Already backported

@icinga-migration icinga-migration commented Feb 23, 2016

Updated by gbeutner on 2016-02-23 10:23:05 +00:00

  • Target Version changed from 2.5.0 to 2.4.2

@icinga-migration icinga-migration commented Feb 23, 2016

Updated by mfriedrich on 2016-02-23 10:54:04 +00:00

Please open a new issue for fixing the deprecated function usage.


@icinga-migration icinga-migration commented Feb 29, 2016

Updated by tobiasvdk on 2016-02-29 07:23:27 +00:00

  • Relates set to 11256