Add --honor-cipher-order option to mitigate BEAST attacks

This commit is contained in:
moparisthebest 2013-04-18 14:25:48 -04:00
parent 4c238c5b36
commit 7dfa559bc4
4 changed files with 18 additions and 0 deletions


@ -380,6 +380,7 @@ void fill_default_config()
// Default accept() backlog // Default accept() backlog
mod_config()->backlog = 256; mod_config()->backlog = 256;
mod_config()->ciphers = 0; mod_config()->ciphers = 0;
mod_config()->honor_cipher_order = false;
mod_config()->spdy_proxy = false; mod_config()->spdy_proxy = false;
mod_config()->spdy_bridge = false; mod_config()->spdy_bridge = false;
mod_config()->client_proxy = false; mod_config()->client_proxy = false;
@ -501,6 +502,9 @@ void print_help(std::ostream& out)
<< " SSL/TLS:\n" << " SSL/TLS:\n"
<< " --ciphers=<SUITE> Set allowed cipher list. The format of the\n" << " --ciphers=<SUITE> Set allowed cipher list. The format of the\n"
<< " string is described in OpenSSL ciphers(1).\n" << " string is described in OpenSSL ciphers(1).\n"
<< " --honor-cipher-order\n"
<< " Honor server cipher order, giving the\n"
<< " ability to mitigate BEAST attacks.\n"
<< " -k, --insecure When used with -p or --client, don't verify\n" << " -k, --insecure When used with -p or --client, don't verify\n"
<< " backend server's certificate.\n" << " backend server's certificate.\n"
<< " --cacert=<PATH> When used with -p or --client, set path to\n" << " --cacert=<PATH> When used with -p or --client, set path to\n"
@ -663,6 +667,7 @@ int main(int argc, char **argv)
{"frontend-spdy-no-tls", no_argument, &flag, 29}, {"frontend-spdy-no-tls", no_argument, &flag, 29},
{"frontend-spdy-proto", required_argument, &flag, 30}, {"frontend-spdy-proto", required_argument, &flag, 30},
{"backend-tls-sni-field", required_argument, &flag, 31}, {"backend-tls-sni-field", required_argument, &flag, 31},
{"honor-cipher-order", no_argument, &flag, 32},
{0, 0, 0, 0 } {0, 0, 0, 0 }
}; };
int option_index = 0; int option_index = 0;
@ -847,6 +852,11 @@ int main(int argc, char **argv)
cmdcfgs.push_back(std::make_pair(SHRPX_OPT_BACKEND_TLS_SNI_FIELD, cmdcfgs.push_back(std::make_pair(SHRPX_OPT_BACKEND_TLS_SNI_FIELD,
optarg)); optarg));
break; break;
case 32:
// --honor-cipher-order
cmdcfgs.push_back(std::make_pair(SHRPX_OPT_HONOR_CIPHER_ORDER,
"yes"));
break;
default: default:
break; break;
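Review bot: The new help text in print_help promises more than the flag delivers: SSL_OP_CIPHER_SERVER_PREFERENCE only makes the server's own cipher ordering win over the client's, so whether BEAST (a client-side attack on CBC suites under TLS 1.0) is mitigated depends entirely on what the operator puts first in --ciphers, not on this switch. I would word it as `<< "                     Honor server cipher order, so the preference\n" << "                     given in --ciphers is used instead of the\n" << "                     client's.\n"` and leave the attack name out of the option description. The create_ssl_context hunk in the fourth file appears to place the SSL_CTX_set_options call inside the block that is entered only when a cipher list is configured (its enclosing `if` starts outside that hunk), so if that reading is right the help text should also say the option has no effect without --ciphers. The last hunk of this file (the `case 32:` branch in main) seems to be missing its trailing context line in this rendering, so the switch's closing brace cannot be checked here.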


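--- a/[file 2 of 4: path not shown on page]
+++ b/[file 2 of 4: path not shown on page]
@@ -86,6 +86,7 @@ const char SHRPX_OPT_SYSLOG[] = "syslog";
 const char SHRPX_OPT_SYSLOG_FACILITY[] = "syslog-facility";
 const char SHRPX_OPT_BACKLOG[] = "backlog";
 const char SHRPX_OPT_CIPHERS[] = "ciphers";
+const char SHRPX_OPT_HONOR_CIPHER_ORDER[] = "honor-cipher-order";
 const char SHRPX_OPT_CLIENT[] = "client";
 const char SHRPX_OPT_INSECURE[] = "insecure";
 const char SHRPX_OPT_CACERT[] = "cacert";
@@ -353,6 +354,8 @@ int parse_config(const char *opt, const char *optarg)
 mod_config()->backlog = strtol(optarg, 0, 10);
 } else if(util::strieq(opt, SHRPX_OPT_CIPHERS)) {
 set_config_str(&mod_config()->ciphers, optarg);
+} else if(util::strieq(opt, SHRPX_OPT_HONOR_CIPHER_ORDER)) {
+mod_config()->honor_cipher_order = util::strieq(optarg, "yes");
 } else if(util::strieq(opt, SHRPX_OPT_CLIENT)) {
 mod_config()->client = util::strieq(optarg, "yes");
 } else if(util::strieq(opt, SHRPX_OPT_INSECURE)) {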
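Review bot: In parse_config the new branch `mod_config()->honor_cipher_order = util::strieq(optarg, "yes");` turns every value other than a case-insensitive "yes" into false, so a config file line such as `honor-cipher-order=true` or `=on` silently leaves the hardening off with no diagnostic. This mirrors the existing `client` line just below, but for a TLS-policy knob a silently ignored value is exactly the misconfiguration that nobody notices until a scan flags the cipher order. At minimum the accepted value should be documented next to the option (`// only the literal "yes" enables this; anything else, including "true", disables it`), and it would be better to recognise "no" explicitly and log a warning for any other string. parse_config's body begins and ends outside this hunk, so I could not see whether an unknown-value warning already exists elsewhere in it.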


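--- a/[file 3 of 4: path not shown on page]
+++ b/[file 3 of 4: path not shown on page]
@@ -78,6 +78,7 @@ extern const char SHRPX_OPT_SYSLOG[];
 extern const char SHRPX_OPT_SYSLOG_FACILITY[];
 extern const char SHRPX_OPT_BACKLOG[];
 extern const char SHRPX_OPT_CIPHERS[];
+extern const char SHRPX_OPT_HONOR_CIPHER_ORDER[];
 extern const char SHRPX_OPT_CLIENT[];
 extern const char SHRPX_OPT_INSECURE[];
 extern const char SHRPX_OPT_CACERT[];
@@ -146,6 +147,7 @@ struct Config {
 bool use_syslog;
 int backlog;
 char *ciphers;
+bool honor_cipher_order;
 bool client;
 // true if --client or --client-proxy are enabled.
 bool client_mode;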
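Review bot: The new `bool honor_cipher_order;` member of Config is undocumented, while the neighbouring `client_mode` field explains what it means; since this field decides a TLS-policy option, a one-line comment saying what it controls would help the next reader. I would add `// true if --honor-cipher-order was given: sets SSL_OP_CIPHER_SERVER_PREFERENCE on the frontend SSL_CTX so the server's --ciphers ordering wins over the client's.` above the field. The field has no in-class initializer and relies on fill_default_config setting it to false (visible in the first file of this commit), which is consistent with the other members here but worth keeping in mind if Config is ever constructed without that call.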


@ -146,6 +146,9 @@ SSL_CTX* create_ssl_context(const char *private_key_file,
<< ERR_error_string(ERR_get_error(), NULL); << ERR_error_string(ERR_get_error(), NULL);
DIE(); DIE();
} }
if(get_config()->honor_cipher_order) {
SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
}
} }
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);