nghttpx: Add client-no-http2-cipher-black-list option

This commit adds client-no-http2-cipher-black-list option to disable
enforcement of HTTP/2 cipher black list on backend HTTP/2 connection.
Previously, existing no-http2-cipher-black-list option disables it for
both frontend and backend connections.  Now no-http2-cipher-black-list
option only disables it for frontend connection.
This commit is contained in:
Tatsuhiro Tsujikawa 2017-01-08 22:33:19 +09:00
parent 36dfc0a56a
commit 3c03024881
6 changed files with 46 additions and 5 deletions

View File

@ -155,6 +155,7 @@ OPTIONS = [
"frontend-keep-alive-timeout", "frontend-keep-alive-timeout",
"psk-secrets", "psk-secrets",
"client-psk-secrets", "client-psk-secrets",
"client-no-http2-cipher-black-list",
] ]
LOGVARS = [ LOGVARS = [

View File

@ -2091,9 +2091,15 @@ SSL/TLS:
Default: )" Default: )"
<< util::duration_str(config->tls.dyn_rec.idle_timeout) << R"( << util::duration_str(config->tls.dyn_rec.idle_timeout) << R"(
--no-http2-cipher-black-list --no-http2-cipher-black-list
Allow black listed cipher suite on HTTP/2 connection. Allow black listed cipher suite on frontend HTTP/2
See https://tools.ietf.org/html/rfc7540#appendix-A for connection. See
the complete HTTP/2 cipher suites black list. https://tools.ietf.org/html/rfc7540#appendix-A for the
complete HTTP/2 cipher suites black list.
--client-no-http2-cipher-black-list
Allow black listed cipher suite on backend HTTP/2
connection. See
https://tools.ietf.org/html/rfc7540#appendix-A for the
complete HTTP/2 cipher suites black list.
--tls-sct-dir=<DIR> --tls-sct-dir=<DIR>
Specifies the directory where *.sct files exist. All Specifies the directory where *.sct files exist. All
*.sct files in <DIR> are read, and sent as *.sct files in <DIR> are read, and sent as
@ -3096,6 +3102,8 @@ int main(int argc, char **argv) {
&flag, 146}, &flag, 146},
{SHRPX_OPT_PSK_SECRETS.c_str(), required_argument, &flag, 147}, {SHRPX_OPT_PSK_SECRETS.c_str(), required_argument, &flag, 147},
{SHRPX_OPT_CLIENT_PSK_SECRETS.c_str(), required_argument, &flag, 148}, {SHRPX_OPT_CLIENT_PSK_SECRETS.c_str(), required_argument, &flag, 148},
{SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST.c_str(), no_argument,
&flag, 149},
{nullptr, 0, nullptr, 0}}; {nullptr, 0, nullptr, 0}};
int option_index = 0; int option_index = 0;
@ -3794,6 +3802,11 @@ int main(int argc, char **argv) {
// --client-psk-secrets // --client-psk-secrets
cmdcfgs.emplace_back(SHRPX_OPT_CLIENT_PSK_SECRETS, StringRef{optarg}); cmdcfgs.emplace_back(SHRPX_OPT_CLIENT_PSK_SECRETS, StringRef{optarg});
break; break;
case 149:
// --client-no-http2-cipher-black-list
cmdcfgs.emplace_back(SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST,
StringRef::from_lit("yes"));
break;
default: default:
break; break;
} }

View File

@ -2004,6 +2004,11 @@ int option_lookup_token(const char *name, size_t namelen) {
return SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_MAX_FAIL; return SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_MAX_FAIL;
} }
break; break;
case 't':
if (util::strieq_l("client-no-http2-cipher-black-lis", name, 32)) {
return SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST;
}
break;
} }
break; break;
case 34: case 34:
@ -3274,6 +3279,11 @@ int parse_config(Config *config, int optid, const StringRef &opt,
return parse_psk_secrets(config, optarg); return parse_psk_secrets(config, optarg);
case SHRPX_OPTID_CLIENT_PSK_SECRETS: case SHRPX_OPTID_CLIENT_PSK_SECRETS:
return parse_client_psk_secrets(config, optarg); return parse_client_psk_secrets(config, optarg);
case SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST:
config->tls.client.no_http2_cipher_black_list =
util::strieq_l("yes", optarg);
return 0;
case SHRPX_OPTID_CONF: case SHRPX_OPTID_CONF:
LOG(WARN) << "conf: ignored"; LOG(WARN) << "conf: ignored";

View File

@ -322,6 +322,8 @@ constexpr auto SHRPX_OPT_FRONTEND_KEEP_ALIVE_TIMEOUT =
constexpr auto SHRPX_OPT_PSK_SECRETS = StringRef::from_lit("psk-secrets"); constexpr auto SHRPX_OPT_PSK_SECRETS = StringRef::from_lit("psk-secrets");
constexpr auto SHRPX_OPT_CLIENT_PSK_SECRETS = constexpr auto SHRPX_OPT_CLIENT_PSK_SECRETS =
StringRef::from_lit("client-psk-secrets"); StringRef::from_lit("client-psk-secrets");
constexpr auto SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST =
StringRef::from_lit("client-no-http2-cipher-black-list");
constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8; constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
@ -556,6 +558,7 @@ struct TLSConfig {
} psk; } psk;
StringRef private_key_file; StringRef private_key_file;
StringRef cert_file; StringRef cert_file;
bool no_http2_cipher_black_list;
} client; } client;
// PSK secrets. The key is identity, and the associated value is // PSK secrets. The key is identity, and the associated value is
@ -924,6 +927,7 @@ enum {
SHRPX_OPTID_CIPHERS, SHRPX_OPTID_CIPHERS,
SHRPX_OPTID_CLIENT, SHRPX_OPTID_CLIENT,
SHRPX_OPTID_CLIENT_CERT_FILE, SHRPX_OPTID_CLIENT_CERT_FILE,
SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST,
SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE, SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE,
SHRPX_OPTID_CLIENT_PROXY, SHRPX_OPTID_CLIENT_PROXY,
SHRPX_OPTID_CLIENT_PSK_SECRETS, SHRPX_OPTID_CLIENT_PSK_SECRETS,

View File

@ -141,7 +141,10 @@ void Connection::disconnect() {
void Connection::prepare_client_handshake() { SSL_set_connect_state(tls.ssl); } void Connection::prepare_client_handshake() { SSL_set_connect_state(tls.ssl); }
void Connection::prepare_server_handshake() { SSL_set_accept_state(tls.ssl); } void Connection::prepare_server_handshake() {
SSL_set_accept_state(tls.ssl);
tls.server_handshake = true;
}
// BIO implementation is inspired by openldap implementation: // BIO implementation is inspired by openldap implementation:
// http://www.openldap.org/devel/cvsweb.cgi/~checkout~/libraries/libldap/tls_o.c // http://www.openldap.org/devel/cvsweb.cgi/~checkout~/libraries/libldap/tls_o.c
@ -530,7 +533,15 @@ int Connection::check_http2_requirement() {
} }
return -1; return -1;
} }
if (!get_config()->tls.no_http2_cipher_black_list &&
auto check_black_list = false;
if (tls.server_handshake) {
check_black_list = !get_config()->tls.no_http2_cipher_black_list;
} else {
check_black_list = !get_config()->tls.client.no_http2_cipher_black_list;
}
if (check_black_list &&
nghttp2::ssl::check_http2_cipher_black_list(tls.ssl)) { nghttp2::ssl::check_http2_cipher_black_list(tls.ssl)) {
if (LOG_ENABLED(INFO)) { if (LOG_ENABLED(INFO)) {
LOG(INFO) << "The negotiated cipher suite is in HTTP/2 cipher suite " LOG(INFO) << "The negotiated cipher suite is in HTTP/2 cipher suite "

View File

@ -64,6 +64,8 @@ struct TLSConnection {
int handshake_state; int handshake_state;
bool initial_handshake_done; bool initial_handshake_done;
bool reneg_started; bool reneg_started;
// true if ssl is prepared to do handshake as server.
bool server_handshake;
}; };
struct TCPHint { struct TCPHint {