nghttpx: Add --tls13-ciphers and --tls-client-ciphers options
This commit is contained in:
parent
cb8a9d58fd
commit
cfe7fa9a75
@ -172,6 +172,8 @@ OPTIONS = [
"ignore-per-pattern-mruby-error",
"ignore-per-pattern-mruby-error",
"tls-no-postpone-early-data",
"tls-no-postpone-early-data",
"tls-max-early-data",
"tls-max-early-data",
"tls13-ciphers",
"tls13-client-ciphers",
]
]
LOGVARS = [
LOGVARS = [
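--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -1459,8 +1459,12 @@ void fill_default_config(Config *config) {
 
 tlsconf.session_timeout = std::chrono::hours(12);
 tlsconf.ciphers = StringRef::from_lit(nghttp2::tls::DEFAULT_CIPHER_LIST);
+tlsconf.tls13_ciphers =
+StringRef::from_lit(nghttp2::tls::DEFAULT_TLS13_CIPHER_LIST);
 tlsconf.client.ciphers =
 StringRef::from_lit(nghttp2::tls::DEFAULT_CIPHER_LIST);
+tlsconf.client.tls13_ciphers =
+StringRef::from_lit(nghttp2::tls::DEFAULT_TLS13_CIPHER_LIST);
 tlsconf.min_proto_version =
 tls::proto_version_from_string(DEFAULT_TLS_MIN_PROTO_VERSION);
 tlsconf.max_proto_version =
@@ -2081,13 +2085,31 @@ SSL/TLS:
 --ciphers=<SUITE>
 Set allowed cipher list for frontend connection. The
 format of the string is described in OpenSSL ciphers(1).
+This option sets cipher suites for TLSv1.2 or earlier.
+Use --tls13-ciphers for TLSv1.3.
 Default: )"
 << config->tls.ciphers << R"(
+--tls13-ciphers=<SUITE>
+Set allowed cipher list for frontend connection. The
+format of the string is described in OpenSSL ciphers(1).
+This option sets cipher suites for TLSv1.3. Use
+--ciphers for TLSv1.2 or earlier.
+Default: )"
+<< config->tls.tls13_ciphers << R"(
 --client-ciphers=<SUITE>
 Set allowed cipher list for backend connection. The
 format of the string is described in OpenSSL ciphers(1).
+This option sets cipher suites for TLSv1.2 or earlier.
+Use --tls13-client-ciphers for TLSv1.3.
 Default: )"
 << config->tls.client.ciphers << R"(
+--tls13-client-ciphers=<SUITE>
+Set allowed cipher list for backend connection. The
+format of the string is described in OpenSSL ciphers(1).
+This option sets cipher suites for TLSv1.3. Use
+--tls13-client-ciphers for TLSv1.2 or earlier.
+Default: )"
+<< config->tls.client.tls13_ciphers << R"(
 --ecdh-curves=<LIST>
 Set supported curve list for frontend connections.
 <LIST> is a colon separated list of curve NID or names
@@ -3451,6 +3473,8 @@ int main(int argc, char **argv) {
 161},
 {SHRPX_OPT_TLS_NO_POSTPONE_EARLY_DATA.c_str(), no_argument, &flag, 162},
 {SHRPX_OPT_TLS_MAX_EARLY_DATA.c_str(), required_argument, &flag, 163},
+{SHRPX_OPT_TLS13_CIPHERS.c_str(), required_argument, &flag, 164},
+{SHRPX_OPT_TLS13_CLIENT_CIPHERS.c_str(), required_argument, &flag, 165},
 {nullptr, 0, nullptr, 0}};
 
 int option_index = 0;
@@ -4231,6 +4255,14 @@ int main(int argc, char **argv) {
 // --tls-max-early-data
 cmdcfgs.emplace_back(SHRPX_OPT_TLS_MAX_EARLY_DATA, StringRef{optarg});
 break;
+case 164:
+// --tls13-ciphers
+cmdcfgs.emplace_back(SHRPX_OPT_TLS13_CIPHERS, StringRef{optarg});
+break;
+case 165:
+// --tls13-client-ciphers
+cmdcfgs.emplace_back(SHRPX_OPT_TLS13_CLIENT_CIPHERS, StringRef{optarg});
+break;
 default:
 break;
 }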
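Review bot: The help text for --tls13-client-ciphers in the second hunk (@@ -2081) cross-references the wrong option: it says `--tls13-client-ciphers for TLSv1.2 or earlier.`, but the pre-TLSv1.3 backend option is --client-ciphers. Change that line to `--client-ciphers for TLSv1.2 or earlier.` so it mirrors the --client-ciphers entry, which correctly points at --tls13-client-ciphers for TLSv1.3. As written, an operator reading the help would be told to set the TLSv1.3 option in order to restrict TLSv1.2 suites on backend connections, which it does not do. The function enclosing the help text starts and ends outside the hunk.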
@ -1759,6 +1759,11 @@ int option_lookup_token(const char *name, size_t namelen) {
return SHRPX_OPTID_FORWARDED_FOR;
return SHRPX_OPTID_FORWARDED_FOR;
}
}
break;
break;
case 's':
if (util::strieq_l("tls13-cipher", name, 12)) {
return SHRPX_OPTID_TLS13_CIPHERS;
}
break;
case 't':
case 't':
if (util::strieq_l("verify-clien", name, 12)) {
if (util::strieq_l("verify-clien", name, 12)) {
return SHRPX_OPTID_VERIFY_CLIENT;
return SHRPX_OPTID_VERIFY_CLIENT;
@ -1956,6 +1961,11 @@ int option_lookup_token(const char *name, size_t namelen) {
return SHRPX_OPTID_OCSP_UPDATE_INTERVAL;
return SHRPX_OPTID_OCSP_UPDATE_INTERVAL;
}
}
break;
break;
case 's':
if (util::strieq_l("tls13-client-cipher", name, 19)) {
return SHRPX_OPTID_TLS13_CLIENT_CIPHERS;
}
break;
case 't':
case 't':
if (util::strieq_l("backend-read-timeou", name, 19)) {
if (util::strieq_l("backend-read-timeou", name, 19)) {
return SHRPX_OPTID_BACKEND_READ_TIMEOUT;
return SHRPX_OPTID_BACKEND_READ_TIMEOUT;
@ -2832,6 +2842,10 @@ int parse_config(Config *config, int optid, const StringRef &opt,
case SHRPX_OPTID_CIPHERS:
case SHRPX_OPTID_CIPHERS:
config->tls.ciphers = make_string_ref(config->balloc, optarg);
config->tls.ciphers = make_string_ref(config->balloc, optarg);
return 0;
case SHRPX_OPTID_TLS13_CIPHERS:
config->tls.tls13_ciphers = make_string_ref(config->balloc, optarg);
return 0;
return 0;
case SHRPX_OPTID_CLIENT:
case SHRPX_OPTID_CLIENT:
LOG(ERROR) << opt
LOG(ERROR) << opt
@ -3547,6 +3561,10 @@ int parse_config(Config *config, int optid, const StringRef &opt,
case SHRPX_OPTID_CLIENT_CIPHERS:
case SHRPX_OPTID_CLIENT_CIPHERS:
config->tls.client.ciphers = make_string_ref(config->balloc, optarg);
config->tls.client.ciphers = make_string_ref(config->balloc, optarg);
return 0;
case SHRPX_OPTID_TLS13_CLIENT_CIPHERS:
config->tls.client.tls13_ciphers = make_string_ref(config->balloc, optarg);
return 0;
return 0;
case SHRPX_OPTID_ACCESSLOG_WRITE_EARLY:
case SHRPX_OPTID_ACCESSLOG_WRITE_EARLY:
config->logging.access.write_early = util::strieq_l("yes", optarg);
config->logging.access.write_early = util::strieq_l("yes", optarg);
@ -351,6 +351,9 @@ constexpr auto SHRPX_OPT_TLS_NO_POSTPONE_EARLY_DATA =
StringRef::from_lit("tls-no-postpone-early-data");
StringRef::from_lit("tls-no-postpone-early-data");
constexpr auto SHRPX_OPT_TLS_MAX_EARLY_DATA =
constexpr auto SHRPX_OPT_TLS_MAX_EARLY_DATA =
StringRef::from_lit("tls-max-early-data");
StringRef::from_lit("tls-max-early-data");
constexpr auto SHRPX_OPT_TLS13_CIPHERS = StringRef::from_lit("tls13-ciphers");
constexpr auto SHRPX_OPT_TLS13_CLIENT_CIPHERS =
StringRef::from_lit("tls13-client-ciphers");
constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
@ -626,6 +629,7 @@ struct TLSConfig {
StringRef private_key_file;
StringRef private_key_file;
StringRef cert_file;
StringRef cert_file;
StringRef ciphers;
StringRef ciphers;
StringRef tls13_ciphers;
bool no_http2_cipher_black_list;
bool no_http2_cipher_black_list;
} client;
} client;
@ -652,6 +656,7 @@ struct TLSConfig {
StringRef cert_file;
StringRef cert_file;
StringRef dh_param_file;
StringRef dh_param_file;
StringRef ciphers;
StringRef ciphers;
StringRef tls13_ciphers;
StringRef ecdh_curves;
StringRef ecdh_curves;
StringRef cacert;
StringRef cacert;
// The maximum amount of 0-RTT data that server accepts.
// The maximum amount of 0-RTT data that server accepts.
@ -1144,6 +1149,8 @@ enum {
SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_MAX_RETRY,
SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_MAX_RETRY,
SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_PRIVATE_KEY_FILE,
SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_PRIVATE_KEY_FILE,
SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_TLS,
SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_TLS,
SHRPX_OPTID_TLS13_CIPHERS,
SHRPX_OPTID_TLS13_CLIENT_CIPHERS,
SHRPX_OPTID_USER,
SHRPX_OPTID_USER,
SHRPX_OPTID_VERIFY_CLIENT,
SHRPX_OPTID_VERIFY_CLIENT,
SHRPX_OPTID_VERIFY_CLIENT_CACERT,
SHRPX_OPTID_VERIFY_CLIENT_CACERT,
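Review bot: The new `StringRef tls13_ciphers;` members in the two TLSConfig hunks (@@ -626 and @@ -652) carry no comment, although their meaning depends on the TLS library the binary was built against: the only consumer is the SSL_CTX_set_ciphersuites call in shrpx_tls.cc, which is compiled only under OPENSSL_1_1_1_API. I would add above each field `// TLSv1.3 cipher suites passed to SSL_CTX_set_ciphersuites; only applied when OPENSSL_1_1_1_API is set`, so a reader of the header does not assume the value is enforced on every build. The SHRPX_OPTID_TLS13_* additions in the last hunk keep the existing alphabetical order of the enum and need nothing further. The TLSConfig struct starts and ends outside these hunks.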
@ -810,6 +810,14 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
DIE();
DIE();
}
}
#if OPENSSL_1_1_1_API
if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.tls13_ciphers.c_str()) == 0) {
LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.tls13_ciphers
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
#endif // OPENSSL_1_1_1_API
#ifndef OPENSSL_NO_EC
#ifndef OPENSSL_NO_EC
# if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
# if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
if (SSL_CTX_set1_curves_list(ssl_ctx, tlsconf.ecdh_curves.c_str()) != 1) {
if (SSL_CTX_set1_curves_list(ssl_ctx, tlsconf.ecdh_curves.c_str()) != 1) {
@ -1091,6 +1099,15 @@ SSL_CTX *create_ssl_client_context(
DIE();
DIE();
}
}
#if OPENSSL_1_1_1_API
if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.client.tls13_ciphers.c_str()) ==
0) {
LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.client.tls13_ciphers
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
#endif // OPENSSL_1_1_1_API
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
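Review bot: In the first hunk (@@ -810) a user-supplied --tls13-ciphers value is silently dropped when OPENSSL_1_1_1_API is not set, because the SSL_CTX_set_ciphersuites call is its only consumer and the whole block is compiled out, while parse_config still accepts the option; an operator who restricted the TLSv1.3 suites would get no signal that the restriction is not in force. Since DEFAULT_TLS13_CIPHER_LIST is the empty string on such builds, a non-empty value means it was set explicitly, so an `#else` branch of the form `if (!tlsconf.tls13_ciphers.empty()) { LOG(WARN) << "--tls13-ciphers is ignored: this TLS library has no TLSv1.3 ciphersuite API"; }` would make the gap visible in the log (the same applies to `tlsconf.client.tls13_ciphers` and --tls13-client-ciphers in the second hunk, @@ -1091). The `== 0` test on SSL_CTX_set_ciphersuites also differs from the `!= 1` used for SSL_CTX_set1_curves_list a few lines below; both are correct for a 0/1 return, but one form throughout reads better. Both create_ssl_context and create_ssl_client_context start and end outside their hunks.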
10
src/tls.h
10
src/tls.h
@ -31,6 +31,8 @@
#include <openssl/ssl.h>
#include <openssl/ssl.h>
#include "ssl_compat.h"
namespace nghttp2 {
namespace nghttp2 {
namespace tls {
namespace tls {
@ -54,6 +56,14 @@ constexpr char DEFAULT_CIPHER_LIST[] =
"SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-"
"SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-"
"AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
"AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
constexpr char DEFAULT_TLS13_CIPHER_LIST[] =
#if OPENSSL_1_1_1_API
TLS_DEFAULT_CIPHERSUITES
#else // !OPENSSL_1_1_1_API
""
#endif // !OPENSSL_1_1_1_API
;
constexpr auto NGHTTP2_TLS_MIN_VERSION = TLS1_VERSION;
constexpr auto NGHTTP2_TLS_MIN_VERSION = TLS1_VERSION;
#ifdef TLS1_3_VERSION
#ifdef TLS1_3_VERSION
constexpr auto NGHTTP2_TLS_MAX_VERSION = TLS1_3_VERSION;
constexpr auto NGHTTP2_TLS_MAX_VERSION = TLS1_3_VERSION;
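Review bot: DEFAULT_TLS13_CIPHER_LIST in the second hunk (@@ -54) is defined without a comment, and its empty fallback is a subtle contract: on a build without OPENSSL_1_1_1_API nghttpx has no TLSv1.3 ciphersuite default at all rather than a conservative one, and the corresponding SSL_CTX_set_ciphersuites call in shrpx_tls.cc is compiled out. I would document that above the definition, e.g. `// Default TLSv1.3 cipher suites (OpenSSL's TLS_DEFAULT_CIPHERSUITES); empty when the TLS library has no TLSv1.3 ciphersuite API, in which case --tls13-ciphers and --tls13-client-ciphers are not applied`. It also seems worth a one-line comment next to the new `#include "ssl_compat.h"` in the first hunk saying that it is what provides OPENSSL_1_1_1_API for this header, if that is indeed where the macro comes from.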