Add configuration options for OpenSSL TLS provider

Signed-off-by: Florentin Dubois <florentin.dubois@clever-cloud.com>

bin/Cargo.toml

@@ -14,8 +14,12 @@ authors = [
   "Florentin Dubois <florentin.dubois@clever-cloud.com>",
 ]
 categories = ["network-programming"]
-edition = "2021"
-include = ["README.md", "Cargo.toml", "src/**/*"]
+edition="2021"
+include = [
+  "README.md",
+  "Cargo.toml",
+  "src/**/*",
+]
 
 [[bin]]
 name = "sozu"

bin/config.toml

@@ -148,6 +148,7 @@ activate_listeners = true
 # Example for a HTTP (plaintext) listener
 [[listeners]]
 protocol = "http"
+
 # listening address
 address = "0.0.0.0:8080"
 
@@ -172,6 +173,7 @@ address = "0.0.0.0:8080"
 # Example for a HTTPS (OpenSSL based or rustls based) listener
 [[listeners]]
 protocol = "https"
+
 # listening address
 address = "0.0.0.0:8443"
 
@@ -187,30 +189,95 @@ address = "0.0.0.0:8443"
 # this option is incompatible with public_address
 # expect_proxy = false
 
-# supported TLS versions. Possible values are "SSLv2", "SSLv3", "TLSv1",
-# "TLSv1.1", "TLSv1.2", "TLSv1.3". Defaults to `["TLSv1.2", "TLSv1.3"]`
+# Supported TLS versions. Possible values are "SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3".
+# Defaults to `["TLSv1.2", "TLSv1.3"]`. Besides, `rustls` tls provider only support "TLSv1.2" and "TLSv1.3" values.
 tls_versions = ["TLSv1.2", "TLSv1.3"]
 
-# cipher combinations used by OpenSSL, you can retrieve cipher suites secure and
-# recomended here: https://ciphersuite.info/cs/?security=secure
-cipher_list = "DHE-RSA-AES128-CCM:ECDHE-ECDSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:ECDHE-PSK-CHACHA20-POLY1305:DHE-PSK-AES128-GCM-SHA256:DHE-PSK-CHACHA20-POLY1305:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:DHE-RSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-PSK-AES128-CCM8:DHE-PSK-AES256-CCM:TLS_AES_128_CCM_SHA256:ECDHE-ECDSA-AES128-CCM8:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_128_GCM_SHA256:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM8:DHE-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-CCM8:DHE-RSA-AES128-CCM8:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-CCM:ECDHE-RSA-AES128-GCM-SHA256:DHE-PSK-AES128-CCM:TLS_AES_256_GCM_SHA384"
-
-# cipher combinations used by rustls
-# ciphersuites names, specified in https://docs.rs/rustls/latest/rustls/static.ALL_CIPHER_SUITES.html
-# defaults to all supported ciphersuites
-rustls_cipher_list = [
-  # TLS 1.3 cipher suites
-  "TLS13_AES_256_GCM_SHA384",
-  "TLS13_AES_128_GCM_SHA256",
-  "TLS13_CHACHA20_POLY1305_SHA256",
-  # TLS 1.2 cipher suites
-  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-  "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
-  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-  "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+# TLS ciphers considered as secure can be retrieved on the ANSSI document located here:
+# https://www.ssi.gouv.fr/uploads/2020/03/anssi-guide-recommandations_de_securite_relatives_a_tls-v1.2.pdf
+#
+# When using `Rustls` TLS provider:
+# * Sets the lists of availables ciphers (TLSv1.2 and TLSv1.3). Supported ciphers names are specified at
+#   https://docs.rs/rustls/latest/rustls/static.ALL_CIPHER_SUITES.html
+#
+cipher_list = [
+    # TLS 1.3 cipher suites
+    "TLS13_AES_256_GCM_SHA384",
+    "TLS13_AES_128_GCM_SHA256",
+    "TLS13_CHACHA20_POLY1305_SHA256",
+    # TLS 1.2 cipher suites
+    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 ]
+#
+# When using `OpenSSL` TLS provider:
+# * Sets the list of available ciphers (TLSv1.2 and below) for ctx using the control string str. The format of the string
+#   is described in [openssl-ciphers(1)](https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html). The list of
+#   ciphers is inherited by all ssl objects created from ctx. This function does not impact TLSv1.3 ciphersuites.
+#
+#   See:
+#   - https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_cipher_list.html
+#
+# Defaults to all supported ciphersuites.
+#cipher_list = [
+#    "ECDHE-ECDSA-AES256-GCM-SHA384",
+#    "ECDHE-ECDSA-AES128-GCM-SHA256",
+#    "ECDHE-ECDSA-AES256-CCM",
+#    "ECDHE-ECDSA-AES128-CCM",
+#    "ECDHE-ECDSA-CHACHA20-POLY1305",
+#    "ECDHE-RSA-AES256-GCM-SHA384",
+#    "ECDHE-RSA-AES128-GCM-SHA256",
+#    "ECDHE-RSA-CHACHA20-POLY1305",
+#]
+
+# Sets the list of available ciphers (TLSv1.3 and above). The format of the string is described in
+# [openssl-ciphers(1)](https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html). The list of ciphers is
+# inherited by all ssl objects created from ctx.
+#
+# See:
+# - https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html
+#
+# `OpenSSL  v1.1.0+` TLS provider only.
+cipher_suites = [
+    "TLS_AES_256_GCM_SHA384",
+    "TLS_AES_128_GCM_SHA256",
+    "TLS_AES_128_CCM_SHA256",
+    "TLS_CHACHA20_POLY1305_SHA256",
+]
+
+# Set the supported signature algorithms for ctx or ssl. The array slist of length slistlen must consist of pairs of
+# NIDs corresponding to digest and public key algorithms or a TLSv1.3-style named SignatureScheme such as
+# `rsa_pss_rsae_sha256`.
+#
+# See:
+# - https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set1_sigalgs_list.html
+#
+# `OpenSSL v1.0.2+` TLS provider only.
+signature_algorithms = [
+    "ECDSA+SHA512",
+    "ECDSA+SHA384",
+    "ECDSA+SHA256",
+    "RSA+SHA512",
+    "RSA+SHA384",
+    "RSA+SHA256",
+    "RSA-PSS+SHA512",
+    "RSA-PSS+SHA256",
+    "RSA-PSS+SHA384",
+]
+
+# Sets the supported groups for ctx to glistlen groups in the array glist. The array consist of all NIDs of groups in
+# preference order. For a TLS client the groups are used directly in the supported groups extension. For a TLS server
+# the groups are used to determine the set of shared groups.
+#
+# See:
+# - https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set1_groups_list.html
+#
+# `OpenSSL v1.1.0+` TLS provider only.
+groups_list = ["P-521", "P-384", "P-256", "x25519"]
 
 # default certificate and key
 # in case you want to set up TLS without SNI, you can define the default
@@ -264,9 +331,9 @@ load_balancing = "round_robin"
 # - https_redirect = false #  activates automatic redirection to HTTPS for this cluster
 # - custom_tag: a tag to retrieve a frontend with the CLI or in the logs
 frontends = [
-  { address = "0.0.0.0:8080", hostname = "lolcatho.st", tags = { key = "value" }, path = "/api" },
-  # HTTPS frontends also have an optional `tls_versions` key like the HTTPS listeners
-  { address = "0.0.0.0:8443", hostname = "lolcatho.st", tags = { key = "value" }, certificate = "../lib/assets/certificate.pem", key = "../lib/assets/key.pem", certificate_chain = "../lib/assets/certificate_chain.pem" },
+    { address = "0.0.0.0:8080", hostname = "lolcatho.st", tags = { key = "value" }, path = "/api" },
+    # HTTPS frontends also have an optional `tls_versions` key like the HTTPS listeners
+    { address = "0.0.0.0:8443", hostname = "lolcatho.st", tags = { key = "value" }, certificate = "../lib/assets/certificate.pem", key = "../lib/assets/key.pem", certificate_chain = "../lib/assets/certificate_chain.pem" },
 ]
 
 # backends configuration
@@ -276,21 +343,21 @@ frontends = [
 # - weight: weight used by the load balancing algorithm
 # - sticky-id: sticky session identifier
 backends = [
-  { address = "127.0.0.1:1026", backend_id = "the-backend-to-my-app" }
+    { address = "127.0.0.1:1026", backend_id = "the-backend-to-my-app" }
 ]
 
 # this is an example of a routing configuration for the TCP proxy
 [clusters.TcpTest]
 protocol = "tcp"
 
 frontends = [
-  { address = "0.0.0.0:8081", tags = { owner = "John", uuid = "3f740af1-45fd-45ce-b61f-17bf1a51505f" } }
+    { address = "0.0.0.0:8081", tags = { owner = "John", uuid = "3f740af1-45fd-45ce-b61f-17bf1a51505f" } }
 ]
 
 # activates the proxy protocol to send IP information to the backend
 # send_proxy = false
 
 backends = [
-  { address = "127.0.0.1:4000", weight = 100 },
-  { address = "127.0.0.1:4001", weight = 50 }
+    { address = "127.0.0.1:4000", weight = 100 },
+    { address = "127.0.0.1:4001", weight = 50 }
 ]

bin/src/cli.rs

@@ -564,6 +564,14 @@ pub enum HttpListenerCmd {
         expect_proxy: bool,
         #[clap(long = "sticky-name", help = "sticky session cookie name")]
         sticky_name: Option<String>,
+        #[clap(long = "front-timeout", help = "Set front timeout")]
+        front_timeout: Option<u32>,
+        #[clap(long = "back-timeout", help = "Set back timeout")]
+        back_timeout: Option<u32>,
+        #[clap(long = "request-timeout", help = "Set request timeout")]
+        request_timeout: Option<u32>,
+        #[clap(long = "connect-timeout", help = "Set connect timeout")]
+        connect_timeout: Option<u32>,
     },
     #[clap(name = "remove")]
     Remove {
@@ -617,17 +625,41 @@ pub enum HttpsListenerCmd {
         answer_503: Option<String>,
         #[clap(long = "tls-versions", help = "list of TLS versions to use")]
         tls_versions: Vec<TlsVersion>,
-        #[clap(long = "tls-ciphers-list", help = "list of OpenSSL TLS ciphers to use")]
-        cipher_list: Option<String>,
-        #[clap(long = "rustls-cipher-list", help = "list of RustTLS ciphers to use")]
-        rustls_cipher_list: Vec<String>,
+        #[clap(
+            long = "tls-cipher-list",
+            help = "List of TLS cipher list to use (TLSv1.2 and below for OpenSSL, TLSv1.2 and TLS1.3 for Rustls)"
+        )]
+        cipher_list: Option<Vec<String>>,
+        #[clap(
+            long = "tls-cipher-suites",
+            help = "List of TLS cipher suites to use (TLSv1.3 and OpenSSL only)"
+        )]
+        cipher_suites: Option<Vec<String>>,
+        #[clap(
+            long = "tls-signature-algorithms",
+            help = "List of TLS signature algorithms to use (OpenSSL only)"
+        )]
+        signature_algorithms: Option<Vec<String>>,
+        #[clap(
+            long = "tls-groups-list",
+            help = "List of TLS groups list to use (OpenSSL only)"
+        )]
+        groups_list: Option<Vec<String>>,
         #[clap(
             long = "expect-proxy",
             help = "Configures the client socket to receive a PROXY protocol header"
         )]
         expect_proxy: bool,
         #[clap(long = "sticky-name", help = "sticky session cookie name")]
         sticky_name: Option<String>,
+        #[clap(long = "front-timeout", help = "Set front timeout")]
+        front_timeout: Option<u32>,
+        #[clap(long = "back-timeout", help = "Set back timeout")]
+        back_timeout: Option<u32>,
+        #[clap(long = "request-timeout", help = "Set request timeout")]
+        request_timeout: Option<u32>,
+        #[clap(long = "connect-timeout", help = "Set connect timeout")]
+        connect_timeout: Option<u32>,
     },
     #[clap(name = "remove")]
     Remove {