Skip to content

Commit

Permalink
Support of OpenSSL 1.1.1 and TLS v1.3
Browse files Browse the repository at this point in the history 
OpenSSL 1.1.1 was released on 11 September 2018. This is the latest LTS (Long
Term Support) release, supported until September 2023. The headline new feature
of OpenSSL 1.1.1 is TLSv1.3. This new version of the Transport Layer Security
(formerly known as SSL) protocol was published by the IETF as RFC8446. This is a
major rewrite of the standard and introduces significant changes, features and
improvements which have been reflected in the new OpenSSL version. Main changes
to be considered by Cherokee webserver:
- Fully compliant implementation of TLSv1.3 (RFC8446) on by default
- Support for all five new RFC8446 ciphersuites (TLS v1.3)
- Full support of minimum and maximum available TLS protocol version configuration

Recently OS distribution maintainers have started to improve OpenSSL security
by hardcoded configuration of the min. available TLS protocol version for clients
that want to connect to a server using TLS encryption. Cherokee command-line
option cherokee -i now reports this hardcoded setting to users.

Fixes: cherokee#1256

Signed-off-by: Thomas Reim <reimth@gmail.com>
  • Loading branch information
@thor-sssd
thor-sssd committed Apr 3, 2021
1 parent 4a527eb commit 9044f48
Show file tree
Hide file tree
Showing 8 changed files with 319 additions and 60 deletions.
16 changes: 10 additions & 6 deletions cherokee/cryptor.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -49,12 +49,15 @@ cherokee_cryptor_init_base (cherokee_cryptor_t *cryp,
/* Properties
*/
cryp->hardcoded_ssl_options = 0;
cryp->timeout_handshake = TIMEOUT_DEFAULT;
cryp->allow_SSLv2 = false;
cryp->allow_SSLv3 = false;
cryp->allow_TLSv1 = true;
cryp->allow_TLSv1_1 = true;
cryp->allow_TLSv1_2 = true;
cryp->timeout_handshake = TIMEOUT_DEFAULT;
cryp->min_tls_protocol = 0;
cryp->max_tls_protocol = 0;
cryp->allow_SSLv2 = false;
cryp->allow_SSLv3 = false;
cryp->allow_TLSv1 = true;
cryp->allow_TLSv1_1 = true;
cryp->allow_TLSv1_2 = true;
cryp->allow_TLSv1_3 = true;

return ret_ok;
}
Expand Down Expand Up @@ -93,6 +96,7 @@ cherokee_cryptor_configure (cherokee_cryptor_t *cryp,
cherokee_config_node_read_bool (conf, "protocol!TLSv1", &cryp->allow_TLSv1);
cherokee_config_node_read_bool (conf, "protocol!TLSv1_1", &cryp->allow_TLSv1_1);
cherokee_config_node_read_bool (conf, "protocol!TLSv1_2", &cryp->allow_TLSv1_2);
cherokee_config_node_read_bool (conf, "protocol!TLSv1_3", &cryp->allow_TLSv1_3);

/* Call the its virtual method
*/
Expand Down
4 changes: 4 additions & 0 deletions cherokee/cryptor.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@

CHEROKEE_BEGIN_DECLS

#define CHEROKEE_CIPHERSUITES_DEFAULT "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
#define CHEROKEE_CIPHERS_OLD "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"

Expand Down Expand Up @@ -69,11 +70,14 @@ typedef struct {
cherokee_module_t module;
long hardcoded_ssl_options;
cint_t timeout_handshake;
int min_tls_protocol;
int max_tls_protocol;
cherokee_boolean_t allow_SSLv2;
cherokee_boolean_t allow_SSLv3;
cherokee_boolean_t allow_TLSv1;
cherokee_boolean_t allow_TLSv1_1;
cherokee_boolean_t allow_TLSv1_2;
cherokee_boolean_t allow_TLSv1_3;

/* Methods */
cryptor_func_configure_t configure;
Expand Down
Loading

0 comments on commit 9044f48

Please sign in to comment.