Add --honor-cipher-order option to mitigate BEAST attacks
This commit is contained in:
parent
4c238c5b36
commit
7dfa559bc4
10
src/shrpx.cc
10
src/shrpx.cc
@ -380,6 +380,7 @@ void fill_default_config()
// Default accept() backlog
mod_config()->backlog = 256;
mod_config()->ciphers = 0;
mod_config()->honor_cipher_order = false;
mod_config()->spdy_proxy = false;
mod_config()->spdy_bridge = false;
mod_config()->client_proxy = false;
@ -501,6 +502,9 @@ void print_help(std::ostream& out)
<< " SSL/TLS:\n"
<< " --ciphers=<SUITE> Set allowed cipher list. The format of the\n"
<< " string is described in OpenSSL ciphers(1).\n"
<< " --honor-cipher-order\n"
<< " Honor server cipher order, giving the\n"
<< " ability to mitigate BEAST attacks.\n"
<< " -k, --insecure When used with -p or --client, don't verify\n"
<< " backend server's certificate.\n"
<< " --cacert=<PATH> When used with -p or --client, set path to\n"
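Review bot: The help text for `--honor-cipher-order` promises BEAST mitigation, but SSL_OP_CIPHER_SERVER_PREFERENCE only makes the server's preference win; whether that preference actually steers TLS 1.0 clients away from CBC suites depends entirely on the `--ciphers` list the operator supplies, and with the default list the flag changes little. Suggest wording the two lines as `Honor server cipher order. Combined with a\n` and `suitable --ciphers list this can mitigate BEAST.\n` so operators do not treat the flag alone as sufficient. print_help's body continues outside the hunk.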
@ -663,6 +667,7 @@ int main(int argc, char **argv)
{"frontend-spdy-no-tls", no_argument, &flag, 29},
{"frontend-spdy-proto", required_argument, &flag, 30},
{"backend-tls-sni-field", required_argument, &flag, 31},
{"honor-cipher-order", no_argument, &flag, 32},
{0, 0, 0, 0 }
};
int option_index = 0;
@ -847,6 +852,11 @@ int main(int argc, char **argv)
cmdcfgs.push_back(std::make_pair(SHRPX_OPT_BACKEND_TLS_SNI_FIELD,
optarg));
break;
case 32:
// --honor-cipher-order
cmdcfgs.push_back(std::make_pair(SHRPX_OPT_HONOR_CIPHER_ORDER,
"yes"));
break;
default:
break;
@ -86,6 +86,7 @@ const char SHRPX_OPT_SYSLOG[] = "syslog";
const char SHRPX_OPT_SYSLOG_FACILITY[] = "syslog-facility";
const char SHRPX_OPT_BACKLOG[] = "backlog";
const char SHRPX_OPT_CIPHERS[] = "ciphers";
const char SHRPX_OPT_HONOR_CIPHER_ORDER[] = "honor-cipher-order";
const char SHRPX_OPT_CLIENT[] = "client";
const char SHRPX_OPT_INSECURE[] = "insecure";
const char SHRPX_OPT_CACERT[] = "cacert";
@ -353,6 +354,8 @@ int parse_config(const char *opt, const char *optarg)
mod_config()->backlog = strtol(optarg, 0, 10);
} else if(util::strieq(opt, SHRPX_OPT_CIPHERS)) {
set_config_str(&mod_config()->ciphers, optarg);
} else if(util::strieq(opt, SHRPX_OPT_HONOR_CIPHER_ORDER)) {
mod_config()->honor_cipher_order = util::strieq(optarg, "yes");
} else if(util::strieq(opt, SHRPX_OPT_CLIENT)) {
mod_config()->client = util::strieq(optarg, "yes");
} else if(util::strieq(opt, SHRPX_OPT_INSECURE)) {
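Review bot: `mod_config()->honor_cipher_order = util::strieq(optarg, "yes");` turns every value other than `yes` (a config-file `true` or `1`, for instance) into off, so a typo silently disables the very hardening the option exists for and nothing in the log says so. This mirrors how SHRPX_OPT_CLIENT is parsed on the next branch, so it may be a deliberate convention, but for a security-relevant toggle a warning when optarg is neither `yes` nor `no` would make the misconfiguration visible. parse_config continues outside the hunk.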
@ -78,6 +78,7 @@ extern const char SHRPX_OPT_SYSLOG[];
extern const char SHRPX_OPT_SYSLOG_FACILITY[];
extern const char SHRPX_OPT_BACKLOG[];
extern const char SHRPX_OPT_CIPHERS[];
extern const char SHRPX_OPT_HONOR_CIPHER_ORDER[];
extern const char SHRPX_OPT_CLIENT[];
extern const char SHRPX_OPT_INSECURE[];
extern const char SHRPX_OPT_CACERT[];
@ -146,6 +147,7 @@ struct Config {
bool use_syslog;
int backlog;
char *ciphers;
bool honor_cipher_order;
bool client;
// true if --client or --client-proxy are enabled.
bool client_mode;
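Review bot: `bool honor_cipher_order;` is added without a comment although the neighbouring `client_mode` field documents which flag sets it; a one-liner such as `// true if --honor-cipher-order is given; server cipher order wins (SSL_OP_CIPHER_SERVER_PREFERENCE)` keeps the struct self-describing for whoever next touches the TLS setup. The Config definition starts and ends outside the hunk.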
@ -146,6 +146,9 @@ SSL_CTX* create_ssl_context(const char *private_key_file,
<< ERR_error_string(ERR_get_error(), NULL);
DIE();
}
if(get_config()->honor_cipher_order) {
SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
}
}
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
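Review bot: The new `if(get_config()->honor_cipher_order)` block is placed before the `}` that follows it, and that brace closes an enclosing block whose opening is outside the hunk; if that outer block is the cipher-list handling (the ERR_error_string/DIE context just above suggests it guards the `--ciphers` path), then `--honor-cipher-order` is a silent no-op whenever no cipher list is configured, which is exactly the deployment where a careless default order matters most. Moving the three lines `if(get_config()->honor_cipher_order) {`, `SSL_CTX_set_options(ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);`, `}` to just after that closing brace and before `SSL_CTX_set_mode` makes the option apply unconditionally. A short why-comment, `// Let the server's cipher preference win over the client's`, would also help readers see why the option bit is set. create_ssl_context begins outside the hunk, so this reading of the brace nesting should be confirmed against the full function.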