nghttpx: Add --tls13-ciphers and --tls-client-ciphers options
This commit is contained in:
parent
cb8a9d58fd
commit
cfe7fa9a75
|
@ -172,6 +172,8 @@ OPTIONS = [
|
|||
"ignore-per-pattern-mruby-error",
|
||||
"tls-no-postpone-early-data",
|
||||
"tls-max-early-data",
|
||||
"tls13-ciphers",
|
||||
"tls13-client-ciphers",
|
||||
]
|
||||
|
||||
LOGVARS = [
|
||||
|
|
32
src/shrpx.cc
32
src/shrpx.cc
|
@ -1459,8 +1459,12 @@ void fill_default_config(Config *config) {
|
|||
|
||||
tlsconf.session_timeout = std::chrono::hours(12);
|
||||
tlsconf.ciphers = StringRef::from_lit(nghttp2::tls::DEFAULT_CIPHER_LIST);
|
||||
tlsconf.tls13_ciphers =
|
||||
StringRef::from_lit(nghttp2::tls::DEFAULT_TLS13_CIPHER_LIST);
|
||||
tlsconf.client.ciphers =
|
||||
StringRef::from_lit(nghttp2::tls::DEFAULT_CIPHER_LIST);
|
||||
tlsconf.client.tls13_ciphers =
|
||||
StringRef::from_lit(nghttp2::tls::DEFAULT_TLS13_CIPHER_LIST);
|
||||
tlsconf.min_proto_version =
|
||||
tls::proto_version_from_string(DEFAULT_TLS_MIN_PROTO_VERSION);
|
||||
tlsconf.max_proto_version =
|
||||
|
@ -2081,13 +2085,31 @@ SSL/TLS:
|
|||
--ciphers=<SUITE>
|
||||
Set allowed cipher list for frontend connection. The
|
||||
format of the string is described in OpenSSL ciphers(1).
|
||||
This option sets cipher suites for TLSv1.2 or earlier.
|
||||
Use --tls13-ciphers for TLSv1.3.
|
||||
Default: )"
|
||||
<< config->tls.ciphers << R"(
|
||||
--tls13-ciphers=<SUITE>
|
||||
Set allowed cipher list for frontend connection. The
|
||||
format of the string is described in OpenSSL ciphers(1).
|
||||
This option sets cipher suites for TLSv1.3. Use
|
||||
--ciphers for TLSv1.2 or earlier.
|
||||
Default: )"
|
||||
<< config->tls.tls13_ciphers << R"(
|
||||
--client-ciphers=<SUITE>
|
||||
Set allowed cipher list for backend connection. The
|
||||
format of the string is described in OpenSSL ciphers(1).
|
||||
This option sets cipher suites for TLSv1.2 or earlier.
|
||||
Use --tls13-client-ciphers for TLSv1.3.
|
||||
Default: )"
|
||||
<< config->tls.client.ciphers << R"(
|
||||
--tls13-client-ciphers=<SUITE>
|
||||
Set allowed cipher list for backend connection. The
|
||||
format of the string is described in OpenSSL ciphers(1).
|
||||
This option sets cipher suites for TLSv1.3. Use
|
||||
--tls13-client-ciphers for TLSv1.2 or earlier.
|
||||
Default: )"
|
||||
<< config->tls.client.tls13_ciphers << R"(
|
||||
--ecdh-curves=<LIST>
|
||||
Set supported curve list for frontend connections.
|
||||
<LIST> is a colon separated list of curve NID or names
|
||||
|
@ -3451,6 +3473,8 @@ int main(int argc, char **argv) {
|
|||
161},
|
||||
{SHRPX_OPT_TLS_NO_POSTPONE_EARLY_DATA.c_str(), no_argument, &flag, 162},
|
||||
{SHRPX_OPT_TLS_MAX_EARLY_DATA.c_str(), required_argument, &flag, 163},
|
||||
{SHRPX_OPT_TLS13_CIPHERS.c_str(), required_argument, &flag, 164},
|
||||
{SHRPX_OPT_TLS13_CLIENT_CIPHERS.c_str(), required_argument, &flag, 165},
|
||||
{nullptr, 0, nullptr, 0}};
|
||||
|
||||
int option_index = 0;
|
||||
|
@ -4231,6 +4255,14 @@ int main(int argc, char **argv) {
|
|||
// --tls-max-early-data
|
||||
cmdcfgs.emplace_back(SHRPX_OPT_TLS_MAX_EARLY_DATA, StringRef{optarg});
|
||||
break;
|
||||
case 164:
|
||||
// --tls13-ciphers
|
||||
cmdcfgs.emplace_back(SHRPX_OPT_TLS13_CIPHERS, StringRef{optarg});
|
||||
break;
|
||||
case 165:
|
||||
// --tls13-client-ciphers
|
||||
cmdcfgs.emplace_back(SHRPX_OPT_TLS13_CLIENT_CIPHERS, StringRef{optarg});
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
|
|
@ -1759,6 +1759,11 @@ int option_lookup_token(const char *name, size_t namelen) {
|
|||
return SHRPX_OPTID_FORWARDED_FOR;
|
||||
}
|
||||
break;
|
||||
case 's':
|
||||
if (util::strieq_l("tls13-cipher", name, 12)) {
|
||||
return SHRPX_OPTID_TLS13_CIPHERS;
|
||||
}
|
||||
break;
|
||||
case 't':
|
||||
if (util::strieq_l("verify-clien", name, 12)) {
|
||||
return SHRPX_OPTID_VERIFY_CLIENT;
|
||||
|
@ -1956,6 +1961,11 @@ int option_lookup_token(const char *name, size_t namelen) {
|
|||
return SHRPX_OPTID_OCSP_UPDATE_INTERVAL;
|
||||
}
|
||||
break;
|
||||
case 's':
|
||||
if (util::strieq_l("tls13-client-cipher", name, 19)) {
|
||||
return SHRPX_OPTID_TLS13_CLIENT_CIPHERS;
|
||||
}
|
||||
break;
|
||||
case 't':
|
||||
if (util::strieq_l("backend-read-timeou", name, 19)) {
|
||||
return SHRPX_OPTID_BACKEND_READ_TIMEOUT;
|
||||
|
@ -2832,6 +2842,10 @@ int parse_config(Config *config, int optid, const StringRef &opt,
|
|||
case SHRPX_OPTID_CIPHERS:
|
||||
config->tls.ciphers = make_string_ref(config->balloc, optarg);
|
||||
|
||||
return 0;
|
||||
case SHRPX_OPTID_TLS13_CIPHERS:
|
||||
config->tls.tls13_ciphers = make_string_ref(config->balloc, optarg);
|
||||
|
||||
return 0;
|
||||
case SHRPX_OPTID_CLIENT:
|
||||
LOG(ERROR) << opt
|
||||
|
@ -3547,6 +3561,10 @@ int parse_config(Config *config, int optid, const StringRef &opt,
|
|||
case SHRPX_OPTID_CLIENT_CIPHERS:
|
||||
config->tls.client.ciphers = make_string_ref(config->balloc, optarg);
|
||||
|
||||
return 0;
|
||||
case SHRPX_OPTID_TLS13_CLIENT_CIPHERS:
|
||||
config->tls.client.tls13_ciphers = make_string_ref(config->balloc, optarg);
|
||||
|
||||
return 0;
|
||||
case SHRPX_OPTID_ACCESSLOG_WRITE_EARLY:
|
||||
config->logging.access.write_early = util::strieq_l("yes", optarg);
|
||||
|
|
|
@ -351,6 +351,9 @@ constexpr auto SHRPX_OPT_TLS_NO_POSTPONE_EARLY_DATA =
|
|||
StringRef::from_lit("tls-no-postpone-early-data");
|
||||
constexpr auto SHRPX_OPT_TLS_MAX_EARLY_DATA =
|
||||
StringRef::from_lit("tls-max-early-data");
|
||||
constexpr auto SHRPX_OPT_TLS13_CIPHERS = StringRef::from_lit("tls13-ciphers");
|
||||
constexpr auto SHRPX_OPT_TLS13_CLIENT_CIPHERS =
|
||||
StringRef::from_lit("tls13-client-ciphers");
|
||||
|
||||
constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
|
||||
|
||||
|
@ -626,6 +629,7 @@ struct TLSConfig {
|
|||
StringRef private_key_file;
|
||||
StringRef cert_file;
|
||||
StringRef ciphers;
|
||||
StringRef tls13_ciphers;
|
||||
bool no_http2_cipher_black_list;
|
||||
} client;
|
||||
|
||||
|
@ -652,6 +656,7 @@ struct TLSConfig {
|
|||
StringRef cert_file;
|
||||
StringRef dh_param_file;
|
||||
StringRef ciphers;
|
||||
StringRef tls13_ciphers;
|
||||
StringRef ecdh_curves;
|
||||
StringRef cacert;
|
||||
// The maximum amount of 0-RTT data that server accepts.
|
||||
|
@ -1144,6 +1149,8 @@ enum {
|
|||
SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_MAX_RETRY,
|
||||
SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_PRIVATE_KEY_FILE,
|
||||
SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_TLS,
|
||||
SHRPX_OPTID_TLS13_CIPHERS,
|
||||
SHRPX_OPTID_TLS13_CLIENT_CIPHERS,
|
||||
SHRPX_OPTID_USER,
|
||||
SHRPX_OPTID_VERIFY_CLIENT,
|
||||
SHRPX_OPTID_VERIFY_CLIENT_CACERT,
|
||||
|
|
|
@ -810,6 +810,14 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
|
|||
DIE();
|
||||
}
|
||||
|
||||
#if OPENSSL_1_1_1_API
|
||||
if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.tls13_ciphers.c_str()) == 0) {
|
||||
LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.tls13_ciphers
|
||||
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr);
|
||||
DIE();
|
||||
}
|
||||
#endif // OPENSSL_1_1_1_API
|
||||
|
||||
#ifndef OPENSSL_NO_EC
|
||||
# if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
|
||||
if (SSL_CTX_set1_curves_list(ssl_ctx, tlsconf.ecdh_curves.c_str()) != 1) {
|
||||
|
@ -1091,6 +1099,15 @@ SSL_CTX *create_ssl_client_context(
|
|||
DIE();
|
||||
}
|
||||
|
||||
#if OPENSSL_1_1_1_API
|
||||
if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.client.tls13_ciphers.c_str()) ==
|
||||
0) {
|
||||
LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.client.tls13_ciphers
|
||||
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr);
|
||||
DIE();
|
||||
}
|
||||
#endif // OPENSSL_1_1_1_API
|
||||
|
||||
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
|
||||
|
||||
if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
|
||||
|
|
10
src/tls.h
10
src/tls.h
|
@ -31,6 +31,8 @@
|
|||
|
||||
#include <openssl/ssl.h>
|
||||
|
||||
#include "ssl_compat.h"
|
||||
|
||||
namespace nghttp2 {
|
||||
|
||||
namespace tls {
|
||||
|
@ -54,6 +56,14 @@ constexpr char DEFAULT_CIPHER_LIST[] =
|
|||
"SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-"
|
||||
"AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
|
||||
|
||||
constexpr char DEFAULT_TLS13_CIPHER_LIST[] =
|
||||
#if OPENSSL_1_1_1_API
|
||||
TLS_DEFAULT_CIPHERSUITES
|
||||
#else // !OPENSSL_1_1_1_API
|
||||
""
|
||||
#endif // !OPENSSL_1_1_1_API
|
||||
;
|
||||
|
||||
constexpr auto NGHTTP2_TLS_MIN_VERSION = TLS1_VERSION;
|
||||
#ifdef TLS1_3_VERSION
|
||||
constexpr auto NGHTTP2_TLS_MAX_VERSION = TLS1_3_VERSION;
|
||||
|
|
Loading…
Reference in New Issue