[CORE-2426] tls: Added new functions to support OpenSSL #116
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
michael-redpanda
requested review from
a team,
BenPope and
graphcareful
and removed request for
a team
|
To see how it's used, here's a commit on redpanda: michael-redpanda/redpanda@adbc4e6 |
BenPope
reviewed
May 28, 2024
| } | ||
| // This call is required to lower SSL's security level to permit TLSv1.0 and TLSv1.1 | ||
| // See https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_security_level.html | ||
| SSL_CTX_set_security_level(ssl_ctx.get(), 0); |
There was a problem hiding this comment.
Should this be configurable, or is an empty ciphersuite sufficient to disable TLS v1.2 and below?
There was a problem hiding this comment.
No, leaving either ciphersuites or cipher_string empty just results in a default.
There is another project for us to work on to allow the user to control which TLS versions are enabled. Would probably cover that there. This PR was just to get to feature parity with GnuTLS
michael-redpanda
force-pushed
the
CORE-2426-Support-OSSL-Cipher-Strings
branch
from
5da1c16
to
af36250
Compare
michael-redpanda
force-pushed
the
CORE-2426-Support-OSSL-Cipher-Strings
branch
from
af36250
to
432b2cc
Compare
BenPope
reviewed
May 29, 2024
GnuTLS allows for setting priority and server precedence all through the GnuTLS priority system. OpenSSL on the other hand, has different APIs to handle this. - To set server precedence in GnuTLS, simply provide the string %SERVER_PRECEDENCE in the priority string. For OpenSSL, the flag SSL_OP_CIPHER_SERVER_PREFERENCE must be passed to SSL_CTX_set_options - GnuTLS's priority string can be used to set the priority for all versions of TLS. For OpenSSL, to set the ciphers available in TLSv1.2 and below, the user must call SSL_CTX_set_cipher_list. For TLSv1.3, the call is SSL_CTX_set_ciphersuites As the format of the cipher/priority strings are different between OpenSSL and GnuTLS, the user of Seastar would have to change their code in order to change the format to match the requirements of the underlying TLS provider. Therefor, this change adds three new functions to credentials_builder and server_credentials that plumb through these strings/settings to OpenSSL and are no-ops in GnuTLS. Conversely, the set_priority_string function is a no-op when using OpenSSL. Signed-off-by: Michael Boquard <michael@redpanda.com>ggV
michael-redpanda
force-pushed
the
CORE-2426-Support-OSSL-Cipher-Strings
branch
from
432b2cc
to
2bc4309
Compare
|
Force push
|
graphcareful
approved these changes
May 29, 2024
BenPope
approved these changes
May 29, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
GnuTLS allows for setting priority and server precedence all through the GnuTLS priority system. OpenSSL on the other hand, has different APIs to handle this.
To set server precedence in GnuTLS, simply provide the string %SERVER_PRECEDENCE in the priority string. For OpenSSL, the flag SSL_OP_CIPHER_SERVER_PREFERENCE must be passed to SSL_CTX_set_options
GnuTLS's priority string can be used to set the priority for all versions of TLS. For OpenSSL, to set the ciphers available in TLSv1.2 and below, the user must call SSL_CTX_set_cipher_list. For TLSv1.3, the call is SSL_CTX_set_ciphersuites
As the format of the cipher/priority strings are different between OpenSSL and GnuTLS, the user of Seastar would have to change their code in order to change the format to match the requirements of the underlying TLS provider. Therefor, this change adds three new functions to credentials_builder and server_credentials that plumb through these strings/settings to OpenSSL and are no-ops in GnuTLS. Conversely, the set_priority_string function is a no-op when using OpenSSL.