CXXCBC-339: disable older TLS protocols (#418)

couchbaselabs · Jun 29, 2023 · 37a7cbe · 37a7cbe
1 parent b98351a
commit 37a7cbe
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 6 deletions.
diff --git a/core/cluster.hxx b/core/cluster.hxx
@@ -337,8 +337,8 @@ class cluster : public std::enable_shared_from_this<cluster>
     void do_open(Handler&& handler)
     {
         // Warn users if they attempt to use Capella without TLS being enabled.
+        bool has_capella_host = false;
         {
-            bool has_capella_host = false;
             bool has_non_capella_host = false;
             static std::string suffix = "cloud.couchbase.com";
             for (const auto& node : origin_.get_hostnames()) {
@@ -366,7 +366,17 @@ class cluster : public std::enable_shared_from_this<cluster>
         }
 
         if (origin_.options().enable_tls) {
-            tls_.set_options(asio::ssl::context::default_workarounds | asio::ssl::context::no_sslv2 | asio::ssl::context::no_sslv3);
+            long tls_options = asio::ssl::context::default_workarounds | // various bug workarounds that should be rather harmless
+                               asio::ssl::context::no_sslv2 |            // published: 1995, deprecated: 2011
+                               asio::ssl::context::no_sslv3;             // published: 1996, deprecated: 2015
+            if (origin_.options().tls_disable_deprecated_protocols) {
+                tls_options |= asio::ssl::context::no_tlsv1 |  // published: 1999, deprecated: 2021
+                               asio::ssl::context::no_tlsv1_1; // published: 2006, deprecated: 2021
+            }
+            if (origin_.options().tls_disable_v1_2 || has_capella_host) {
+                tls_options |= asio::ssl::context::no_tlsv1_2; // published: 2008, still in use
+            }
+            tls_.set_options(tls_options);
             switch (origin_.options().tls_verify) {
                 case tls_verify_mode::none:
                     tls_.set_verify_mode(asio::ssl::verify_none);

diff --git a/core/cluster_options.hxx b/core/cluster_options.hxx
@@ -50,6 +50,8 @@ struct cluster_options {
     std::chrono::milliseconds management_timeout = timeout_defaults::management_timeout;
 
     bool enable_tls{ false };
+    bool tls_disable_deprecated_protocols{ true };
+    bool tls_disable_v1_2{ false };
     std::string trust_certificate{};
     bool enable_mutation_tokens{ true };
     bool enable_tcp_keep_alive{ true };

diff --git a/core/impl/cluster.cxx b/core/impl/cluster.cxx
@@ -91,6 +91,8 @@ options_to_origin(const std::string& connection_string, const couchbase::cluster
                 break;
         }
         user_options.disable_mozilla_ca_certificates = opts.security.disable_mozilla_ca_certificates;
+        user_options.tls_disable_deprecated_protocols = opts.security.disable_deprecated_protocols;
+        user_options.tls_disable_v1_2 = opts.security.disable_tls_v1_2;
     }
 
     if (opts.dns.nameserver) {

diff --git a/core/utils/connection_string.cxx b/core/utils/connection_string.cxx
@@ -415,6 +415,10 @@ extract_options(connection_string& connstr)
             parse_option(connstr.options.tls_verify, name, value, connstr.warnings);
         } else if (name == "disable_mozilla_ca_certificates") {
             parse_option(connstr.options.disable_mozilla_ca_certificates, name, value, connstr.warnings);
+        } else if (name == "tls_disable_deprecated_protocols") {
+            parse_option(connstr.options.tls_disable_deprecated_protocols, name, value, connstr.warnings);
+        } else if (name == "tls_disable_v1_2") {
+            parse_option(connstr.options.tls_disable_v1_2, name, value, connstr.warnings);
         } else if (name == "user_agent_extra") {
             /**
              * string, that will be appended to identification fields of the server protocols (key in HELO packet for MCBP, "user-agent"

diff --git a/couchbase/security_options.hxx b/couchbase/security_options.hxx
@@ -50,15 +50,14 @@ class security_options
         tls_verify_mode tls_verify;
         std::optional<std::string> trust_certificate;
         bool disable_mozilla_ca_certificates;
+        bool disable_deprecated_protocols;
+        bool disable_tls_v1_2;
     };
 
     [[nodiscard]] auto build() const -> built
     {
         return {
-            enabled_,
-            tls_verify_,
-            trust_certificate_,
-            disable_mozilla_ca_certificates_,
+            enabled_, tls_verify_, trust_certificate_, disable_mozilla_ca_certificates_, disable_deprecated_protocols, disable_tls_v1_2,
         };
     }
 
@@ -67,5 +66,7 @@ class security_options
     tls_verify_mode tls_verify_{ tls_verify_mode::peer };
     std::optional<std::string> trust_certificate_{};
     bool disable_mozilla_ca_certificates_{ false };
+    bool disable_deprecated_protocols{ true };
+    bool disable_tls_v1_2{ false };
 };
 } // namespace couchbase