nghttpx: Add --tls13-ciphers and --tls-client-ciphers options

This commit is contained in:
Tatsuhiro Tsujikawa 2018-09-09 16:32:34 +09:00
parent cb8a9d58fd
commit cfe7fa9a75
6 changed files with 86 additions and 0 deletions

View File

@ -172,6 +172,8 @@ OPTIONS = [
"ignore-per-pattern-mruby-error",
"tls-no-postpone-early-data",
"tls-max-early-data",
"tls13-ciphers",
"tls13-client-ciphers",
]
LOGVARS = [

View File

@ -1459,8 +1459,12 @@ void fill_default_config(Config *config) {
tlsconf.session_timeout = std::chrono::hours(12);
tlsconf.ciphers = StringRef::from_lit(nghttp2::tls::DEFAULT_CIPHER_LIST);
tlsconf.tls13_ciphers =
StringRef::from_lit(nghttp2::tls::DEFAULT_TLS13_CIPHER_LIST);
tlsconf.client.ciphers =
StringRef::from_lit(nghttp2::tls::DEFAULT_CIPHER_LIST);
tlsconf.client.tls13_ciphers =
StringRef::from_lit(nghttp2::tls::DEFAULT_TLS13_CIPHER_LIST);
tlsconf.min_proto_version =
tls::proto_version_from_string(DEFAULT_TLS_MIN_PROTO_VERSION);
tlsconf.max_proto_version =
@ -2081,13 +2085,31 @@ SSL/TLS:
--ciphers=<SUITE>
Set allowed cipher list for frontend connection. The
format of the string is described in OpenSSL ciphers(1).
This option sets cipher suites for TLSv1.2 or earlier.
Use --tls13-ciphers for TLSv1.3.
Default: )"
<< config->tls.ciphers << R"(
--tls13-ciphers=<SUITE>
Set allowed cipher list for frontend connection. The
format of the string is described in OpenSSL ciphers(1).
This option sets cipher suites for TLSv1.3. Use
--ciphers for TLSv1.2 or earlier.
Default: )"
<< config->tls.tls13_ciphers << R"(
--client-ciphers=<SUITE>
Set allowed cipher list for backend connection. The
format of the string is described in OpenSSL ciphers(1).
This option sets cipher suites for TLSv1.2 or earlier.
Use --tls13-client-ciphers for TLSv1.3.
Default: )"
<< config->tls.client.ciphers << R"(
--tls13-client-ciphers=<SUITE>
Set allowed cipher list for backend connection. The
format of the string is described in OpenSSL ciphers(1).
This option sets cipher suites for TLSv1.3. Use
--tls13-client-ciphers for TLSv1.2 or earlier.
Default: )"
<< config->tls.client.tls13_ciphers << R"(
--ecdh-curves=<LIST>
Set supported curve list for frontend connections.
<LIST> is a colon separated list of curve NID or names
@ -3451,6 +3473,8 @@ int main(int argc, char **argv) {
161},
{SHRPX_OPT_TLS_NO_POSTPONE_EARLY_DATA.c_str(), no_argument, &flag, 162},
{SHRPX_OPT_TLS_MAX_EARLY_DATA.c_str(), required_argument, &flag, 163},
{SHRPX_OPT_TLS13_CIPHERS.c_str(), required_argument, &flag, 164},
{SHRPX_OPT_TLS13_CLIENT_CIPHERS.c_str(), required_argument, &flag, 165},
{nullptr, 0, nullptr, 0}};
int option_index = 0;
@ -4231,6 +4255,14 @@ int main(int argc, char **argv) {
// --tls-max-early-data
cmdcfgs.emplace_back(SHRPX_OPT_TLS_MAX_EARLY_DATA, StringRef{optarg});
break;
case 164:
// --tls13-ciphers
cmdcfgs.emplace_back(SHRPX_OPT_TLS13_CIPHERS, StringRef{optarg});
break;
case 165:
// --tls13-client-ciphers
cmdcfgs.emplace_back(SHRPX_OPT_TLS13_CLIENT_CIPHERS, StringRef{optarg});
break;
default:
break;
}

View File

@ -1759,6 +1759,11 @@ int option_lookup_token(const char *name, size_t namelen) {
return SHRPX_OPTID_FORWARDED_FOR;
}
break;
case 's':
if (util::strieq_l("tls13-cipher", name, 12)) {
return SHRPX_OPTID_TLS13_CIPHERS;
}
break;
case 't':
if (util::strieq_l("verify-clien", name, 12)) {
return SHRPX_OPTID_VERIFY_CLIENT;
@ -1956,6 +1961,11 @@ int option_lookup_token(const char *name, size_t namelen) {
return SHRPX_OPTID_OCSP_UPDATE_INTERVAL;
}
break;
case 's':
if (util::strieq_l("tls13-client-cipher", name, 19)) {
return SHRPX_OPTID_TLS13_CLIENT_CIPHERS;
}
break;
case 't':
if (util::strieq_l("backend-read-timeou", name, 19)) {
return SHRPX_OPTID_BACKEND_READ_TIMEOUT;
@ -2832,6 +2842,10 @@ int parse_config(Config *config, int optid, const StringRef &opt,
case SHRPX_OPTID_CIPHERS:
config->tls.ciphers = make_string_ref(config->balloc, optarg);
return 0;
case SHRPX_OPTID_TLS13_CIPHERS:
config->tls.tls13_ciphers = make_string_ref(config->balloc, optarg);
return 0;
case SHRPX_OPTID_CLIENT:
LOG(ERROR) << opt
@ -3547,6 +3561,10 @@ int parse_config(Config *config, int optid, const StringRef &opt,
case SHRPX_OPTID_CLIENT_CIPHERS:
config->tls.client.ciphers = make_string_ref(config->balloc, optarg);
return 0;
case SHRPX_OPTID_TLS13_CLIENT_CIPHERS:
config->tls.client.tls13_ciphers = make_string_ref(config->balloc, optarg);
return 0;
case SHRPX_OPTID_ACCESSLOG_WRITE_EARLY:
config->logging.access.write_early = util::strieq_l("yes", optarg);

View File

@ -351,6 +351,9 @@ constexpr auto SHRPX_OPT_TLS_NO_POSTPONE_EARLY_DATA =
StringRef::from_lit("tls-no-postpone-early-data");
constexpr auto SHRPX_OPT_TLS_MAX_EARLY_DATA =
StringRef::from_lit("tls-max-early-data");
constexpr auto SHRPX_OPT_TLS13_CIPHERS = StringRef::from_lit("tls13-ciphers");
constexpr auto SHRPX_OPT_TLS13_CLIENT_CIPHERS =
StringRef::from_lit("tls13-client-ciphers");
constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
@ -626,6 +629,7 @@ struct TLSConfig {
StringRef private_key_file;
StringRef cert_file;
StringRef ciphers;
StringRef tls13_ciphers;
bool no_http2_cipher_black_list;
} client;
@ -652,6 +656,7 @@ struct TLSConfig {
StringRef cert_file;
StringRef dh_param_file;
StringRef ciphers;
StringRef tls13_ciphers;
StringRef ecdh_curves;
StringRef cacert;
// The maximum amount of 0-RTT data that server accepts.
@ -1144,6 +1149,8 @@ enum {
SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_MAX_RETRY,
SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_PRIVATE_KEY_FILE,
SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_TLS,
SHRPX_OPTID_TLS13_CIPHERS,
SHRPX_OPTID_TLS13_CLIENT_CIPHERS,
SHRPX_OPTID_USER,
SHRPX_OPTID_VERIFY_CLIENT,
SHRPX_OPTID_VERIFY_CLIENT_CACERT,

View File

@ -810,6 +810,14 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
DIE();
}
#if OPENSSL_1_1_1_API
if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.tls13_ciphers.c_str()) == 0) {
LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.tls13_ciphers
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
#endif // OPENSSL_1_1_1_API
#ifndef OPENSSL_NO_EC
# if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
if (SSL_CTX_set1_curves_list(ssl_ctx, tlsconf.ecdh_curves.c_str()) != 1) {
@ -1091,6 +1099,15 @@ SSL_CTX *create_ssl_client_context(
DIE();
}
#if OPENSSL_1_1_1_API
if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.client.tls13_ciphers.c_str()) ==
0) {
LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.client.tls13_ciphers
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
#endif // OPENSSL_1_1_1_API
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {

View File

@ -31,6 +31,8 @@
#include <openssl/ssl.h>
#include "ssl_compat.h"
namespace nghttp2 {
namespace tls {
@ -54,6 +56,14 @@ constexpr char DEFAULT_CIPHER_LIST[] =
"SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-"
"AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
constexpr char DEFAULT_TLS13_CIPHER_LIST[] =
#if OPENSSL_1_1_1_API
TLS_DEFAULT_CIPHERSUITES
#else // !OPENSSL_1_1_1_API
""
#endif // !OPENSSL_1_1_1_API
;
constexpr auto NGHTTP2_TLS_MIN_VERSION = TLS1_VERSION;
#ifdef TLS1_3_VERSION
constexpr auto NGHTTP2_TLS_MAX_VERSION = TLS1_3_VERSION;