Add configuration options for TLS cipher suites and protocol version #6

Merged
merged 1 commit into from Aug 15, 2017


@henryr henryr commented Aug 15, 2017

  • ssl_min_version (one of "TLSv1", "TLSv1_1" or "TLSv1_2") controls the
    minimum TLS version allowed to connect to the webserver when SSL is
    enabled.

  • ssl_ciphers is a whitelist of cipher suites, in OpenSSL format. If not
    set the system default cipher suites are enabled.
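Parsing the ssl_min_version option into protocol-exclusion flags, as an added example that is not squeasel's code: it mirrors the case-insensitive matching and the dotted spellings agreed in this review, rejects unrecognised values instead of falling back to the most permissive setting, and uses stand-in bits in place of OpenSSL's SSL_OP_NO_* constants so it builds without OpenSSL (always excluding SSLv3 is an assumption of the example, not something the patch states).

```c
#include <ctype.h>
#include <stdio.h>

/* Stand-in bits for OpenSSL's SSL_OP_NO_* flags (real values: <openssl/ssl.h>). */
#define NO_SSLv3   (1UL << 0)
#define NO_TLSv1   (1UL << 1)
#define NO_TLSv1_1 (1UL << 2)
#define NO_TLSv1_2 (1UL << 3)

/* Case-insensitive equality, standing in for squeasel's sq_strcasecmp(). */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Map ssl_min_version (TLSv1, TLSv1.1 or TLSv1.2, any case) to the exclusion
 * flags handed to SSL_CTX_set_options(). -1 = unrecognised value, so a typo can
 * not silently leave every version enabled. Dropping SSLv3 is an assumption here. */
static int parse_ssl_min_version(const char *ssl_version, unsigned long *opts)
{
    unsigned long flags = NO_SSLv3;
    if (eq_nocase(ssl_version, "tlsv1")) {
        /* nothing more to exclude */
    } else if (eq_nocase(ssl_version, "tlsv1.1")) {
        flags |= NO_TLSv1;
    } else if (eq_nocase(ssl_version, "tlsv1.2")) {
        flags |= NO_TLSv1 | NO_TLSv1_1;
    } else {
        return -1;
    }
    *opts = flags;
    return 0;
}

/* 1 if a client offering proto_flag's version is accepted, 0 if refused, -1 if ver is invalid. */
static int min_version_allows(const char *ver, unsigned long proto_flag)
{
    unsigned long opts;
    if (parse_ssl_min_version(ver, &opts) != 0) return -1;
    return (opts & proto_flag) == 0;
}

int main(void)
{
    unsigned long opts;
    printf("TLSv1.2 -> %s\n", parse_ssl_min_version("TLSv1.2", &opts) == 0 ? "accepted" : "rejected");
    printf("TLSv1_2 -> %s\n", parse_ssl_min_version("TLSv1_2", &opts) == 0 ? "accepted" : "rejected");
    return 0;
}
```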

@henryr henryr requested a review from toddlipcon August 15, 2017 04:19

@toddlipcon toddlipcon left a comment


Mind also editing UserManual.md with these new options?

squeasel.c Outdated
if (sq_strcasecmp(ssl_version, "tlsv1") == 0) {
// No-op - don't exclude any TLS protocols.
#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_HAS_TLS_1_1
} else if (sq_strcasecmp(ssl_version, "tlsv1_1") == 0) {
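Review bot: the visible branches of this chain only handle recognised values, and the first one is deliberately a no-op that excludes nothing, so please confirm that the final else of the chain logs the bad value and fails startup on an unrecognised ssl_min_version rather than letting it fall through to the no-op path, which would leave every TLS version enabled after a simple typo. Since sq_strcasecmp() makes the match case-insensitive, it is also worth saying in UserManual.md that "TLSv1_1" and "tlsv1_1" are accepted equivalently.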

In Kudu we have a similar config, but we use '.' instead of '_' in the string, i.e. this would be "tlsv1.1" instead of "tlsv1_1". Do you mind doing the same for consistency?

squeasel.c Outdated
@@ -4251,6 +4271,13 @@ static int set_ssl_option(struct sq_context *ctx) {
(void) SSL_CTX_use_certificate_chain_file(ctx->ssl_ctx, pem);
}

if (ctx->config[SSL_CIPHERS] != NULL) {
if (SSL_CTX_set_cipher_list(ctx->ssl_ctx, ctx->config[SSL_CIPHERS]) == 0) {
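Review bot: SSL_CTX_set_cipher_list() returns 0 only when none of the entries in the string could be selected, so a misspelt or unsupported name in ssl_ciphers next to a valid one is dropped without any error on this path; consider logging the cipher list actually in effect at startup so an operator can verify the whitelist was applied as written. The nested test could also be a single condition, e.g. `if (ctx->config[SSL_CIPHERS] != NULL && SSL_CTX_set_cipher_list(ctx->ssl_ctx, ctx->config[SSL_CIPHERS]) == 0) {`.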

nit: combine two lines into a single if?


henryr commented Aug 15, 2017

Done for both of these. I'll update the commit msg as well, just realised that needs doing.

* ssl_min_version (one of "TLSv1", "TLSv1.1" or "TLSv1.2") controls the
  minimum TLS version allowed to connect to the webserver when SSL is
  enabled.

* ssl_ciphers is a whitelist of cipher suites, in OpenSSL format. If not
  set the system default cipher suites are enabled.
@henryr henryr merged commit 4f469f2 into cloudera:master Aug 15, 2017