Add --honor-cipher-order option to mitigate BEAST attacks
This commit is contained in:
parent
4c238c5b36
commit
7dfa559bc4
10
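--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -380,6 +380,7 @@ void fill_default_config()
 // Default accept() backlog
 mod_config()->backlog = 256;
 mod_config()->ciphers = 0;
+mod_config()->honor_cipher_order = false;
 mod_config()->spdy_proxy = false;
 mod_config()->spdy_bridge = false;
 mod_config()->client_proxy = false;
@@ -501,6 +502,9 @@ void print_help(std::ostream& out)
 << " SSL/TLS:\n"
 << " --ciphers=<SUITE> Set allowed cipher list. The format of the\n"
 << " string is described in OpenSSL ciphers(1).\n"
+<< " --honor-cipher-order\n"
+<< " Honor server cipher order, giving the\n"
+<< " ability to mitigate BEAST attacks.\n"
 << " -k, --insecure When used with -p or --client, don't verify\n"
 << " backend server's certificate.\n"
 << " --cacert=<PATH> When used with -p or --client, set path to\n"
@@ -663,6 +667,7 @@ int main(int argc, char **argv)
 {"frontend-spdy-no-tls", no_argument, &flag, 29},
 {"frontend-spdy-proto", required_argument, &flag, 30},
 {"backend-tls-sni-field", required_argument, &flag, 31},
+{"honor-cipher-order", no_argument, &flag, 32},
 {0, 0, 0, 0 }
 };
 int option_index = 0;
@@ -847,6 +852,11 @@ int main(int argc, char **argv)
 cmdcfgs.push_back(std::make_pair(SHRPX_OPT_BACKEND_TLS_SNI_FIELD,
 optarg));
 break;
+case 32:
+// --honor-cipher-order
+cmdcfgs.push_back(std::make_pair(SHRPX_OPT_HONOR_CIPHER_ORDER,
+"yes"));
+break;
 
 default:
 break;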
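Review bot: The help text added in the print_help hunk overstates what the option does: `SSL_OP_CIPHER_SERVER_PREFERENCE` (set in the later create_ssl_context hunk) only makes the server's order win over the client's, so whether BEAST is mitigated depends entirely on which suites `--ciphers` puts first; with the default `ciphers = 0` nothing about the negotiated suite changes for a TLS 1.0 client. I would word it as `<< " Honor server cipher order. Only has a\n"` `<< " mitigating effect on BEAST when --ciphers\n"` `<< " places suitable cipher suites first.\n"`. The same caveat belongs as a comment above the `SSL_CTX_set_options` call in create_ssl_context, whose body starts before and ends after that hunk. The config-file parser hunk treats any value other than "yes" (e.g. "true", "1") as off, which matches the neighbouring bool options but is worth noting in the option's documentation.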
@ -86,6 +86,7 @@ const char SHRPX_OPT_SYSLOG[] = "syslog";
|
||||||
const char SHRPX_OPT_SYSLOG_FACILITY[] = "syslog-facility";
|
const char SHRPX_OPT_SYSLOG_FACILITY[] = "syslog-facility";
|
||||||
const char SHRPX_OPT_BACKLOG[] = "backlog";
|
const char SHRPX_OPT_BACKLOG[] = "backlog";
|
||||||
const char SHRPX_OPT_CIPHERS[] = "ciphers";
|
const char SHRPX_OPT_CIPHERS[] = "ciphers";
|
||||||
|
const char SHRPX_OPT_HONOR_CIPHER_ORDER[] = "honor-cipher-order";
|
||||||
const char SHRPX_OPT_CLIENT[] = "client";
|
const char SHRPX_OPT_CLIENT[] = "client";
|
||||||
const char SHRPX_OPT_INSECURE[] = "insecure";
|
const char SHRPX_OPT_INSECURE[] = "insecure";
|
||||||
const char SHRPX_OPT_CACERT[] = "cacert";
|
const char SHRPX_OPT_CACERT[] = "cacert";
|
||||||
|
@ -353,6 +354,8 @@ int parse_config(const char *opt, const char *optarg)
|
||||||
mod_config()->backlog = strtol(optarg, 0, 10);
|
mod_config()->backlog = strtol(optarg, 0, 10);
|
||||||
} else if(util::strieq(opt, SHRPX_OPT_CIPHERS)) {
|
} else if(util::strieq(opt, SHRPX_OPT_CIPHERS)) {
|
||||||
set_config_str(&mod_config()->ciphers, optarg);
|
set_config_str(&mod_config()->ciphers, optarg);
|
||||||
|
} else if(util::strieq(opt, SHRPX_OPT_HONOR_CIPHER_ORDER)) {
|
||||||
|
mod_config()->honor_cipher_order = util::strieq(optarg, "yes");
|
||||||
} else if(util::strieq(opt, SHRPX_OPT_CLIENT)) {
|
} else if(util::strieq(opt, SHRPX_OPT_CLIENT)) {
|
||||||
mod_config()->client = util::strieq(optarg, "yes");
|
mod_config()->client = util::strieq(optarg, "yes");
|
||||||
} else if(util::strieq(opt, SHRPX_OPT_INSECURE)) {
|
} else if(util::strieq(opt, SHRPX_OPT_INSECURE)) {
|
||||||
|
|
|
@ -78,6 +78,7 @@ extern const char SHRPX_OPT_SYSLOG[];
|
||||||
extern const char SHRPX_OPT_SYSLOG_FACILITY[];
|
extern const char SHRPX_OPT_SYSLOG_FACILITY[];
|
||||||
extern const char SHRPX_OPT_BACKLOG[];
|
extern const char SHRPX_OPT_BACKLOG[];
|
||||||
extern const char SHRPX_OPT_CIPHERS[];
|
extern const char SHRPX_OPT_CIPHERS[];
|
||||||
|
extern const char SHRPX_OPT_HONOR_CIPHER_ORDER[];
|
||||||
extern const char SHRPX_OPT_CLIENT[];
|
extern const char SHRPX_OPT_CLIENT[];
|
||||||
extern const char SHRPX_OPT_INSECURE[];
|
extern const char SHRPX_OPT_INSECURE[];
|
||||||
extern const char SHRPX_OPT_CACERT[];
|
extern const char SHRPX_OPT_CACERT[];
|
||||||
|
@ -146,6 +147,7 @@ struct Config {
|
||||||
bool use_syslog;
|
bool use_syslog;
|
||||||
int backlog;
|
int backlog;
|
||||||
char *ciphers;
|
char *ciphers;
|
||||||
|
bool honor_cipher_order;
|
||||||
bool client;
|
bool client;
|
||||||
// true if --client or --client-proxy are enabled.
|
// true if --client or --client-proxy are enabled.
|
||||||
bool client_mode;
|
bool client_mode;
|
||||||
|
|
|
@ -146,6 +146,9 @@ SSL_CTX* create_ssl_context(const char *private_key_file,
|
||||||
<< ERR_error_string(ERR_get_error(), NULL);
|
<< ERR_error_string(ERR_get_error(), NULL);
|
||||||
DIE();
|
DIE();
|
||||||
}
|
}
|
||||||
|
if(get_config()->honor_cipher_order) {
|
||||||
|
SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
|
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
|
||||||
|
|