added ssl-cipher-list option, added cipher-server-preference, changed protocol to TLSv1 by default
parent
a8cf75b245
commit
57e681b314
@ -96,9 +96,10 @@ ApplicationHttpsServer::ApplicationHttpsServer (ApplicationScheduler* applicatio
|
|||
: ApplicationFeature("HttpsServer"),
|
||||
_applicationScheduler(applicationScheduler),
|
||||
_applicationDispatcher(applicationDispatcher),
|
||||
_sslProtocol(3),
|
||||
_sslProtocol(HttpsServer::TLS_V1),
|
||||
_sslCacheMode(0),
|
||||
_sslOptions(SSL_OP_TLS_ROLLBACK_BUG),
|
||||
_sslOptions(SSL_OP_TLS_ROLLBACK_BUG | SSL_OP_CIPHER_SERVER_PREFERENCE),
|
||||
_sslCipherList(""),
|
||||
_sslContext(0) {
|
||||
}
|
||||
|
||||
|
@ -153,9 +154,10 @@ void ApplicationHttpsServer::setupOptions (map<string, ProgramOptionsDescription
|
|||
options[ApplicationServer::OPTIONS_SERVER + ":help-ssl"]
|
||||
("server.keyfile", &_httpsKeyfile, "keyfile for SSL connections")
|
||||
("server.cafile", &_cafile, "file containing the CA certificates of clients")
|
||||
("server.ssl-protocol", &_sslProtocol, "1 = SSLv2, 2 = SSLv3, 3 = SSLv23, 4 = TLSv1")
|
||||
("server.ssl-protocol", &_sslProtocol, "1 = SSLv2, 2 = SSLv23, 3 = SSLv3, 4 = TLSv1")
|
||||
("server.ssl-cache-mode", &_sslCacheMode, "0 = off, 1 = client, 2 = server")
|
||||
("server.ssl-options", &_sslOptions, "ssl options, see OpenSSL documentation")
|
||||
("server.ssl-cipher-list", &_sslCipherList, "ssl cipher list, see OpenSSL documentation")
|
||||
;
|
||||
}
|
||||
|
||||
|
@ -292,7 +294,6 @@ bool ApplicationHttpsServer::createSslContext () {
|
|||
return true;
|
||||
}
|
||||
|
||||
|
||||
// create context
|
||||
_sslContext = HttpsServer::sslContext(HttpsServer::protocol_e(_sslProtocol), _httpsKeyfile);
|
||||
|
||||
|
@ -309,6 +310,14 @@ bool ApplicationHttpsServer::createSslContext () {
|
|||
SSL_CTX_set_options(_sslContext, _sslOptions);
|
||||
LOGGER_INFO << "using SSL options: " << _sslOptions;
|
||||
|
||||
if (_sslCipherList.size() > 0) {
|
||||
LOGGER_INFO << "using SSL cipher-list '" << _sslCipherList << "'";
|
||||
if (SSL_CTX_set_cipher_list(_sslContext, _sslCipherList.c_str()) != 1) {
|
||||
LOGGER_FATAL << "cannot set SSL cipher list '" << _sslCipherList << "'";
|
||||
LOGGER_ERROR << lastSSLError();
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
// set ssl context
|
||||
Random::UniformCharacter r("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");
|
||||
|
|
|
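Review bot: In createSslContext, when SSL_CTX_set_cipher_list fails the new code returns false but leaves `_sslContext` pointing at the context created a few lines earlier, so unless the caller (not visible here) frees it on a false return the SSL_CTX leaks and a later retry would overwrite a live pointer; freeing and clearing it before the `return false;` — `SSL_CTX_free(_sslContext); _sslContext = 0;` — keeps the failure path self-contained. The emptiness check reads more idiomatically as `if (! _sslCipherList.empty()) {`. In the setupOptions hunk the help text for `server.ssl-protocol` still lists only the numeric values; since the constructor now defaults to `HttpsServer::TLS_V1`, `"1 = SSLv2, 2 = SSLv23, 3 = SSLv3, 4 = TLSv1 (default)"` would tell operators what they get when the option is unset. createSslContext's body continues outside the hunk.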
@ -240,6 +240,12 @@ namespace triagens {
|
|||
|
||||
uint64_t _sslOptions;
|
||||
|
||||
////////////////////////////////////////////////////////////////////////////////
|
||||
/// @brief ssl cipher list to use
|
||||
////////////////////////////////////////////////////////////////////////////////
|
||||
|
||||
string _sslCipherList;
|
||||
|
||||
////////////////////////////////////////////////////////////////////////////////
|
||||
/// @brief ssl context
|
||||
////////////////////////////////////////////////////////////////////////////////
|
||||
|
|
|
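Review bot: The comment on the new `_sslCipherList` member says only "ssl cipher list to use", but an empty value has a distinct meaning: createSslContext skips SSL_CTX_set_cipher_list entirely when the string is empty, so the context keeps whatever cipher list it already has. Suggested doc: `/// @brief ssl cipher list to use (OpenSSL syntax); empty = cipher list is not set on the context`. Stating that the value comes from `server.ssl-cipher-list` and is passed verbatim to OpenSSL also tells readers which syntax applies.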
@ -82,7 +82,7 @@ namespace {
|
|||
////////////////////////////////////////////////////////////////////////////////
|
||||
|
||||
////////////////////////////////////////////////////////////////////////////////
|
||||
/// @brief creates a SSL context
|
||||
/// @brief creates an SSL context
|
||||
////////////////////////////////////////////////////////////////////////////////
|
||||
|
||||
#if (OPENSSL_VERSION_NUMBER < 0x00999999L)
|
||||
|
@ -141,6 +141,23 @@ SSL_CTX* HttpsServer::sslContext (protocol_e protocol, string const& keyfile) {
|
|||
return sslctx;
|
||||
}
|
||||
|
||||
////////////////////////////////////////////////////////////////////////////////
|
||||
/// @brief get the name of an SSL protocol version
|
||||
////////////////////////////////////////////////////////////////////////////////
|
||||
|
||||
const string HttpsServer::protocolName (const protocol_e protocol) {
|
||||
switch (protocol) {
|
||||
case SSL_V2:
|
||||
return "SSLv2";
|
||||
case SSL_V23:
|
||||
return "SSLv23";
|
||||
case SSL_V3:
|
||||
return "SSLv3";
|
||||
case TLS_V1:
|
||||
return "TLSv1";
|
||||
}
|
||||
}
|
||||
|
||||
////////////////////////////////////////////////////////////////////////////////
|
||||
/// @}
|
||||
////////////////////////////////////////////////////////////////////////////////
|
||||
|
|
|
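Review bot: protocolName has no `default:` case and no return after the switch, so for any protocol_e value outside the four enumerators control reaches the end of a non-void function, which is undefined behaviour; this is reachable because createSslContext builds its argument with `HttpsServer::protocol_e(_sslProtocol)` from the integer `server.ssl-protocol` option, which is not range-checked in the hunks shown. Adding `default: return "unknown";` inside the switch (or rejecting out-of-range values where the option is read) closes it. The top-level `const` on the `const string` return type only prevents moving the result; a plain `string` return is the conventional form.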
@ -70,10 +70,10 @@ namespace triagens {
|
|||
////////////////////////////////////////////////////////////////////////////////
|
||||
|
||||
enum protocol_e {
|
||||
SSL_V2 = 1,
|
||||
SSL_V3 = 2,
|
||||
SSL_V23 = 3,
|
||||
TLS_V1 = 4
|
||||
SSL_V2 = 1,
|
||||
SSL_V23 = 2,
|
||||
SSL_V3 = 3,
|
||||
TLS_V1 = 4
|
||||
};
|
||||
|
||||
////////////////////////////////////////////////////////////////////////////////
|
||||
|
@ -97,6 +97,12 @@ namespace triagens {
|
|||
|
||||
static SSL_CTX* sslContext (protocol_e, string const& keyfile);
|
||||
|
||||
////////////////////////////////////////////////////////////////////////////////
|
||||
/// @brief get the name of an SSL protocol version
|
||||
////////////////////////////////////////////////////////////////////////////////
|
||||
|
||||
static const string protocolName (const protocol_e);
|
||||
|
||||
////////////////////////////////////////////////////////////////////////////////
|
||||
/// @}
|
||||
////////////////////////////////////////////////////////////////////////////////
|
||||
|
|
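Review bot: Swapping the values of SSL_V23 and SSL_V3 changes the meaning of existing configurations: `server.ssl-protocol` is a plain integer option, so a config that set `2` (formerly SSLv3) now selects SSLv23 and one that set `3` (formerly SSLv23) now gets SSLv3 only, with no warning. If the renumbering is intended, the option's help text and the changelog should state that the numbering changed in this version; otherwise keep the old values and change only the constructor default, which is what the commit message describes. The enum belongs to a class declaration that continues outside the hunk.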