[dev.icinga.com #11292] ApiListener: Make minimum TLS version configurable #3999

Closed
icinga-migration opened this issue Mar 3, 2016 · 14 comments

This issue has been migrated from Redmine: https://dev.icinga.com/issues/11292

Created by tobiasvdk on 2016-03-03 13:37:53 +00:00

Assignee: gbeutner
Status: Resolved (closed on 2016-08-08 13:28:20 +00:00)
Target Version: 2.5.0
Last Update: 2016-08-08 13:48:55 +00:00 (in Redmine)

Backport?: Not yet backported
Include in Changelog: 1

In OpenSSL 1.1.0 there is the function "SSL_CTX_set_min_proto_version" [1] to specify the minimum supported protocol version. For lower OpenSSL versions this needs to be implemented, afaik.

[1] https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_min_proto_version.html

Changesets

2016-08-03 05:46:50 +00:00 by kobmaki b2ac05a

Make the minimum TLS protocol version configurable

The ApiListener accepts all TLS versions that the underlying
OpenSSL library supports. This patch gives the ability to restrict
the connection to a minimum TLS version.

fixes #11292

Signed-off-by: Gunnar Beutner <gunnar.beutner@netways.de>

2016-08-04 04:34:47 +00:00 by gbeutner bd3660f

Build fix for Windows

refs #11292

2016-08-08 13:27:16 +00:00 by gbeutner 231fd8d

Build fix for CentOS 5

refs #11292

Updated by tobiasvdk on 2016-03-03 13:37:54 +00:00

  • Copied From set to 11063

Updated by tobiasvdk on 2016-03-03 13:38:28 +00:00

  • Copied From deleted 11063

Updated by tobiasvdk on 2016-03-03 13:38:33 +00:00

  • Relates set to 11063

Updated by kobmaki on 2016-04-16 18:21:36 +00:00

Will be implemented and a PR will be sent after feature #11063.

Updated by kobmaki on 2016-08-01 04:02:02 +00:00

  • File added 0001-feature-ApiListener-Make-minimum-TLS-version-configurable-11292.patch

Attached is the patch for configuring the TLS minimum protocol.
In #11063#note-18 you can see how you could verify the minimum TLS protocol.

Updated by kobmaki on 2016-08-03 05:50:04 +00:00

  • Status changed from Assigned to Resolved
  • Done % changed from 0 to 100

Applied in changeset b2ac05a.

Updated by mfriedrich on 2016-08-03 07:36:41 +00:00

  • Target Version set to 2.5.0

Updated by mfriedrich on 2016-08-05 13:54:10 +00:00

  • Status changed from Resolved to Assigned
  • Done % changed from 100 to 90

That patch breaks the el5 builds.

/home/build/rpmbuild/BUILD/icinga2/lib/base/tlsutility.cpp: In function 'void icinga::SetTlsProtocolminToSSLContext(const boost::shared_ptr&, const icinga::String&)':
/home/build/rpmbuild/BUILD/icinga2/lib/base/tlsutility.cpp:196:24: error: 'SSL_TXT_TLSV1_1' was not declared in this scope
  if (tlsProtocolmin == SSL_TXT_TLSV1_1)
                        ^
/home/build/rpmbuild/BUILD/icinga2/lib/base/tlsutility.cpp:198:29: error: 'SSL_TXT_TLSV1_2' was not declared in this scope
  else if (tlsProtocolmin == SSL_TXT_TLSV1_2)
                             ^
/home/build/rpmbuild/BUILD/icinga2/lib/base/tlsutility.cpp:199:30: error: 'SSL_OP_NO_TLSv1_1' was not declared in this scope
   flags |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
                              ^
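The two mechanisms mentioned in this thread, SSL_CTX_set_min_proto_version on OpenSSL 1.1.0 and SSL_OP_NO_* options on older releases, plus the el5 build failure above (OpenSSL 0.9.8 has no SSL_TXT_TLSV1_1 / SSL_OP_NO_TLSv1_1 macros), all reduce to one mapping from the configured version name to what the library needs. The following is an added example written for this page, not icinga2's own tlsutility.cpp. It uses the real OpenSSL macro names (SSL_TXT_TLSV1*, SSL_OP_NO_*, TLS1_*_VERSION) when <openssl/ssl.h> is installed; the stand-in values defined when the header is absent are constructed placeholders, and the function names TlsMinVersionToNoFlags, TlsMinVersionToProtoVersion and RejectsMinVersion are my own. The point it adds over the thread: a version the build cannot enforce is rejected rather than silently lowered to a weaker floor.

```cpp
// Added example, not icinga2 code: map a configured minimum TLS version name
// to the OpenSSL setting that enforces it, failing closed when the installed
// OpenSSL cannot honour the request.
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>

#if defined(__has_include)
#  if __has_include(<openssl/ssl.h>)
#    include <openssl/ssl.h>   // real macros when OpenSSL headers are present
#  endif
#endif

// Constructed stand-ins, used only when <openssl/ssl.h> was not found, so the
// example still compiles. Names are the real OpenSSL macro names; the option
// bit values are placeholders, the TLS1_*_VERSION values are the protocol's
// own wire version numbers.
#ifndef OPENSSL_VERSION_NUMBER
#  define SSL_OP_NO_SSLv2   0x01000000ULL
#  define SSL_OP_NO_SSLv3   0x02000000ULL
#  define SSL_OP_NO_TLSv1   0x04000000ULL
#  define SSL_OP_NO_TLSv1_2 0x08000000ULL
#  define SSL_OP_NO_TLSv1_1 0x10000000ULL
#  define SSL_TXT_TLSV1     "TLSv1"
#  define SSL_TXT_TLSV1_1   "TLSv1.1"
#  define SSL_TXT_TLSV1_2   "TLSv1.2"
#  define TLS1_VERSION      0x0301
#  define TLS1_1_VERSION    0x0302
#  define TLS1_2_VERSION    0x0303
#endif

// Pre-1.1.0 path: the SSL_OP_NO_* mask for SSL_CTX_set_options() that turns
// off every protocol below the requested floor. SSLv2/SSLv3 are always off.
// Unknown names, and floors this OpenSSL build has no macros for (the
// CentOS 5 / OpenSSL 0.9.8 case), throw instead of degrading silently.
std::uint64_t TlsMinVersionToNoFlags(const std::string& tlsProtocolmin)
{
    std::uint64_t flags = static_cast<std::uint64_t>(SSL_OP_NO_SSLv2)
                        | static_cast<std::uint64_t>(SSL_OP_NO_SSLv3);

    if (tlsProtocolmin == SSL_TXT_TLSV1)
        return flags;
#ifdef SSL_OP_NO_TLSv1_1   // present from OpenSSL 1.0.1 on
    if (tlsProtocolmin == SSL_TXT_TLSV1_1)
        return flags | static_cast<std::uint64_t>(SSL_OP_NO_TLSv1);
    if (tlsProtocolmin == SSL_TXT_TLSV1_2)
        return flags | static_cast<std::uint64_t>(SSL_OP_NO_TLSv1)
                     | static_cast<std::uint64_t>(SSL_OP_NO_TLSv1_1);
#endif
#ifdef SSL_OP_NO_TLSv1_3   // OpenSSL 1.1.1 and later
    if (tlsProtocolmin == "TLSv1.3")
        return flags | static_cast<std::uint64_t>(SSL_OP_NO_TLSv1)
                     | static_cast<std::uint64_t>(SSL_OP_NO_TLSv1_1)
                     | static_cast<std::uint64_t>(SSL_OP_NO_TLSv1_2);
#endif
    throw std::invalid_argument("unsupported minimum TLS version '" + tlsProtocolmin + "'");
}

// OpenSSL 1.1.0+ path: the same name becomes the TLS1_*_VERSION value that
// SSL_CTX_set_min_proto_version() takes; newer protocols stay enabled.
int TlsMinVersionToProtoVersion(const std::string& tlsProtocolmin)
{
    if (tlsProtocolmin == SSL_TXT_TLSV1)   return TLS1_VERSION;
#ifdef TLS1_1_VERSION
    if (tlsProtocolmin == SSL_TXT_TLSV1_1) return TLS1_1_VERSION;
    if (tlsProtocolmin == SSL_TXT_TLSV1_2) return TLS1_2_VERSION;
#endif
#ifdef TLS1_3_VERSION
    if (tlsProtocolmin == "TLSv1.3")       return TLS1_3_VERSION;
#endif
    throw std::invalid_argument("unsupported minimum TLS version '" + tlsProtocolmin + "'");
}

// True when the configured name would be rejected at startup by this build.
bool RejectsMinVersion(const std::string& tlsProtocolmin)
{
    try {
        TlsMinVersionToNoFlags(tlsProtocolmin);
        return false;
    } catch (const std::invalid_argument&) {
        return true;
    }
}

int main()
{
    // Sample configuration value, constructed for the demonstration.
    const std::string configured = "TLSv1.2";
    std::printf("%s -> SSL_OP_NO mask 0x%llx, min proto 0x%04x\n", configured.c_str(),
                static_cast<unsigned long long>(TlsMinVersionToNoFlags(configured)),
                TlsMinVersionToProtoVersion(configured));
    return 0;
}
```

Against a real context the two results are applied as `SSL_CTX_set_options(ctx, TlsMinVersionToNoFlags(cfg))` on pre-1.1.0 OpenSSL and `SSL_CTX_set_min_proto_version(ctx, TlsMinVersionToProtoVersion(cfg))` on 1.1.0 and later; the exception in either mapping should abort listener startup, so a request for TLSv1.2 on a library that lacks it never turns into an unannounced TLSv1 floor.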

Updated by kobmaki on 2016-08-06 11:15:20 +00:00

On the build server, I can see the break.

https://build.icinga.org/job/icinga2-centos-package/lastBuild/

The build server shows that a boost153 library is used. These libs are available from http://packages.icinga.org/ . But the distribution only has boost up to version 1.48 available. The compiler used looks newer than the gcc (latest gcc44) and distcc is used.

Some link/compile options failed, as they are not recognized. E.g.

cc1: warning: command line option "-fvisibility-inlines-hidden" is valid for C++/ObjC++ but not for C
Building C object third-party/yajl/src/CMakeFiles/yajl.dir/yajl_version.c.o
cc1: warning: command line option "-fvisibility-inlines-hidden" is valid for C++/ObjC++ but not for C
Linking C shared library ../../../Bin/Release/libyajl.so
/usr/bin/ld: unrecognized option '--no-export-dynamic'
/usr/bin/ld: use the --help option for usage information
collect2: ld returned 1 exit status
make[2]: *** [Bin/Release/libyajl.so.2.1.0] Error 1
make[1]: *** [third-party/yajl/src/CMakeFiles/yajl.dir/all] Error 2
make: *** [all] Error 2
UNKNOWN 2 
[monmaki@kob-cent5 build]$ 

For compiling I use the gcc/**

[monmaki@kob-cent5 build]$ env | egrep "CC|CXX"
CXX=/usr/bin/g++44
CC=/usr/bin/gcc44
[monmaki@kob-cent5 build]$

How could I fix the broken ld option?

--no-export-dynamic

How could I disable the compile option or upgrade the gcc by adding a new repo to centos5?

Updated by gbeutner on 2016-08-08 13:21:40 +00:00

  1. You can use the boost packages from packages.icinga.org
  2. We're using a more recent version of GCC to build Icinga on CentOS 5: https://people.centos.org/tru/devtools-2/readme
  3. We're not using distcc.

Updated by gbeutner on 2016-08-08 13:28:20 +00:00

  • Status changed from Assigned to Resolved
  • Assigned to changed from kobmaki to gbeutner
  • Done % changed from 90 to 100

Updated by gbeutner on 2016-08-08 13:48:55 +00:00

Fixed in 231fd8d.

Updated by gbeutner on 2016-08-18 08:22:07 +00:00

  • Relates set to 12475