
Support ssl_honor_cipher_order #18

Merged
merged 1 commit into from

2 participants

@andk

The SSL attack known as BEAST (https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls) can be countered with recent IO::Socket::SSL releases. Documentation about it is in the IO::Socket::SSL manpage.

The missing piece for Perlbal is the passthrough mechanism for ssl_honor_cipher_order which I added in my fork. Tested with the help of https://www.ssllabs.com/ssltest/analyze.html

@abh
Collaborator

Wouldn't it be better to turn it on by default?

@andk

Since the maintainer of IO::Socket::SSL chose to not make it the default I wanted to follow his reasoning. He has this separate option, OpenSSL has this separate option, Apache has it too, so it might cause more confusion when Perlbal tries to be different.

In https://rt.cpan.org/Ticket/Display.html?id=76929 Steffen comments on this question. Search for 'Therefore I don't like the workaround included by default.'

@abh abh merged commit f31eff1 into from
Commits on Oct 27, 2012
  1. @andk

    add support for ssl_honor_cipher_order

    Andreas Koenig authored andk committed
Showing with 8 additions and 0 deletions.
  1. +8 −0 lib/Perlbal/Service.pm
8 lib/Perlbal/Service.pm
@@ -97,6 +97,7 @@ use fields (
'ssl_cipher_list', # OpenSSL cipher list string
'ssl_ca_path', # directory: path to certificates
'ssl_verify_mode', # int: verification mode, see IO::Socket::SSL documentation
+ 'ssl_honor_cipher_order', # bool: see IO::Socket::SSL documentation (requires version >= 1.71)
'enable_error_retries', # bool: whether we should retry requests after errors
'error_retry_schedule', # string of comma-separated seconds (full or partial) to delay between retries
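Review bot: the new field comment on `'ssl_honor_cipher_order'` only points at the IO::Socket::SSL documentation and, unlike the neighbouring field comments, does not say what the flag does; suggest stating it inline, e.g. `# bool: prefer the server's ssl_cipher_list order over the client's (IO::Socket::SSL >= 1.71)`, so a reader of the fields list does not have to leave the file to learn its effect.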
@@ -615,6 +616,12 @@ our $tunables = {
check_type => "int",
check_role => "*",
},
+ 'ssl_honor_cipher_order' => {
+ des => 'SSL: server determines cipher order to try',
+ default => 0,
+ check_type => "int",
+ check_role => "*",
+ },
'enable_error_retries' => {
des => 'Whether Perlbal should transparently retry requests to backends if a backend returns a 500 server error.',
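Review bot: the `des` text 'SSL: server determines cipher order to try' does not tell the operator that the setting only matters when `ssl_cipher_list` is ordered with the preferred ciphers first, nor that it needs IO::Socket::SSL 1.71 or later (that requirement is stated only in the field comment of the first hunk); suggest extending it, e.g. `des => 'SSL: let the server-side ssl_cipher_list order win over the client preference (needs IO::Socket::SSL 1.71+)'`. Keeping `default => 0` is consistent with the discussion above, which follows IO::Socket::SSL in leaving the BEAST workaround opt-in.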
@@ -1643,6 +1650,7 @@ sub enable {
SSL_cipher_list => $self->{ssl_cipher_list},
(defined $self->{ssl_ca_path} ? (SSL_ca_path => $self->{ssl_ca_path}) : ()),
(defined $self->{ssl_verify_mode} ? (SSL_verify_mode => $self->{ssl_verify_mode}) : ()),
+ (defined $self->{ssl_honor_cipher_order} ? (SSL_honor_cipher_order => $self->{ssl_honor_cipher_order}) : ()),
};
return $mc->err("IO::Socket:SSL (0.98+) not available. Can't do SSL.") unless eval "use IO::Socket::SSL 0.98 (); 1;";
return $mc->err("SSL key file ($self->{ssl_key_file}) doesn't exist") unless -f $self->{ssl_key_file};
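Review bot: the version guard two lines below the added `SSL_honor_cipher_order` key still requires only `IO::Socket::SSL 0.98`, while the new option needs 1.71 or later according to the field comment in the first hunk; with an older module the key is handed to a version that does not implement it and the operator gets no error that the server-side ordering is not in effect. Suggest a second check when the option is set, e.g. `return $mc->err("IO::Socket::SSL 1.71+ needed for ssl_honor_cipher_order") if $self->{ssl_honor_cipher_order} && !eval "use IO::Socket::SSL 1.71 (); 1;";`. While touching this block, the existing message `IO::Socket:SSL (0.98+) not available` is missing a colon in the module name.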