This commit is contained in:
Jan 2019-11-04 11:31:09 +01:00 committed by GitHub
parent 611b4547f4
commit 7c5c1dd6cc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 26 additions and 14 deletions


@ -168,11 +168,12 @@ devel
* Added support for TLS 1.3 for the arangod server and the client tools. * Added support for TLS 1.3 for the arangod server and the client tools.
The default TLS protocol for the arangod server is now TLS 1.3 as well, in The arangod server can be started with option `--ssl.protocol 6` to make it require
contrast to TLS 1.2 in previous versions. TLS 1.3 for incoming client connections. The server can be started with option
`--ssl.protocol 5` to make it require TLS 1.2, as in previous versions of arangod.
The arangod server can be started with option `--ssl.protocol 5` to make it use The default TLS protocol for the arangod server is now generic TLS, which will allow
TLS 1.2 again. the negotation of the TLS version between the client and the server.
All client tools also support TLS 1.3, by using the `--ssl.protocol 6` option when All client tools also support TLS 1.3, by using the `--ssl.protocol 6` option when
invoking them. The client tools will use TLS 1.2 by default, in order to be invoking them. The client tools will use TLS 1.2 by default, in order to be
@ -185,6 +186,7 @@ devel
- 4 = TLSv1 - 4 = TLSv1
- 5 = TLSv1.2 - 5 = TLSv1.2
- 6 = TLSv1.3 - 6 = TLSv1.3
- 9 = generic TLS
* Added TransactionStatistics to ServerStatistics (transactions started / * Added TransactionStatistics to ServerStatistics (transactions started /
aborted / committed and number of intermediate commits). aborted / committed and number of intermediate commits).


@ -67,11 +67,7 @@ SslServerFeature::SslServerFeature(application_features::ApplicationServer& serv
_keyfile(), _keyfile(),
_sessionCache(false), _sessionCache(false),
_cipherList("HIGH:!EXPORT:!aNULL@STRENGTH"), _cipherList("HIGH:!EXPORT:!aNULL@STRENGTH"),
#if OPENSSL_VERSION_NUMBER >= 0x10101000L _sslProtocol(TLS_GENERIC),
_sslProtocol(TLS_V13),
#else
_sslProtocol(TLS_V12),
#endif
_sslOptions(asio_ns::ssl::context::default_workarounds | _sslOptions(asio_ns::ssl::context::default_workarounds |
asio_ns::ssl::context::single_dh_use), asio_ns::ssl::context::single_dh_use),
_ecdhCurve("prime256v1") { _ecdhCurve("prime256v1") {
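Review bot: With the default switched to `_sslProtocol(TLS_GENERIC),` the server now lets the peer negotiate the version, yet the `_sslOptions` initializer right below still carries only `default_workarounds | single_dh_use`, so nothing visible in this constructor excludes SSLv3 or TLS 1.0/1.1 from the negotiated range (the removed `#if` branch also previously pinned pre-1.1.1 OpenSSL builds to TLS 1.2, which no longer happens). Unless a floor is applied where `sslContext()` builds the context — its new `TLS_GENERIC` branch in this commit only selects `tls_server` — consider `_sslOptions(asio_ns::ssl::context::default_workarounds | asio_ns::ssl::context::single_dh_use | asio_ns::ssl::context::no_sslv2 | asio_ns::ssl::context::no_sslv3 | asio_ns::ssl::context::no_tlsv1)`, or an equivalent minimum-version setting on the native handle. A short comment on the initializer, `// generic TLS: version negotiated per connection; floor set via _sslOptions`, would document the intended contract. The constructor's initializer list starts before this hunk.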


@ -265,6 +265,10 @@ void SslClientConnection::init(uint64_t sslProtocol) {
break; break;
#endif #endif
case TLS_GENERIC:
meth = TLS_client_method();
break;
case SSL_UNKNOWN: case SSL_UNKNOWN:
default: default:
#if OPENSSL_VERSION_NUMBER >= 0x10100000L #if OPENSSL_VERSION_NUMBER >= 0x10100000L
@ -331,6 +335,7 @@ bool SslClientConnection::connectSocket() {
#if OPENSSL_VERSION_NUMBER >= 0x10101000L #if OPENSSL_VERSION_NUMBER >= 0x10101000L
case TLS_V13: case TLS_V13:
#endif #endif
case TLS_GENERIC:
default: default:
SSL_set_tlsext_host_name(_ssl, _endpoint->host().c_str()); SSL_set_tlsext_host_name(_ssl, _endpoint->host().c_str());
} }
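Review bot: The new `case TLS_GENERIC: meth = TLS_client_method();` in `init()` is not guarded by OpenSSL version, although the adjacent `default:` branch is wrapped in `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` and `TLS_client_method()` only exists from OpenSSL 1.1.0 on; since `availableSslProtocols()` in this same commit advertises `TLS_GENERIC` on pre-1.1.1 builds too, the case should mirror the guarded default. On a negotiated client context the minimum accepted version is presumably left to the library defaults as well, so setting a floor (e.g. `SSL_CTX_set_min_proto_version` where the context is created, outside this hunk) would keep the client from silently accepting an older protocol than the previous TLS 1.2 default did; this is inferred, as the context creation is not visible. The `TLS_GENERIC` fallthrough into the SNI case in `connectSocket()` looks correct. Both functions begin and end outside their hunks.
```cpp
    case TLS_GENERIC:
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
      meth = TLS_client_method();
#else
      meth = SSLv23_client_method();
#endif
      break;
    // … unchanged: SSL_UNKNOWN / default branch …
```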


@ -86,6 +86,10 @@ asio_ns::ssl::context arangodb::sslContext(SslProtocol protocol, std::string con
break; break;
#endif #endif
case TLS_GENERIC:
meth = asio_ns::ssl::context::method::tls_server;
break;
default: default:
THROW_ARANGO_EXCEPTION_MESSAGE(TRI_ERROR_NOT_IMPLEMENTED, THROW_ARANGO_EXCEPTION_MESSAGE(TRI_ERROR_NOT_IMPLEMENTED,
"unknown SSL protocol method"); "unknown SSL protocol method");
@ -150,6 +154,9 @@ std::string arangodb::protocolName(SslProtocol protocol) {
return "TLSv13"; return "TLSv13";
#endif #endif
case TLS_GENERIC:
return "TLS";
default: default:
return "unknown"; return "unknown";
} }
@ -163,12 +170,13 @@ std::unordered_set<uint64_t> arangodb::availableSslProtocols() {
return std::unordered_set<uint64_t>{SslProtocol::SSL_V2, // unsupported! return std::unordered_set<uint64_t>{SslProtocol::SSL_V2, // unsupported!
SslProtocol::SSL_V23, SslProtocol::SSL_V3, SslProtocol::SSL_V23, SslProtocol::SSL_V3,
SslProtocol::TLS_V1, SslProtocol::TLS_V12, SslProtocol::TLS_V1, SslProtocol::TLS_V12,
SslProtocol::TLS_V13}; SslProtocol::TLS_V13, SslProtocol::TLS_GENERIC};
#else #else
// no support for TLS 1.3 // no support for TLS 1.3
return std::unordered_set<uint64_t>{SslProtocol::SSL_V2, // unsupported! return std::unordered_set<uint64_t>{SslProtocol::SSL_V2, // unsupported!
SslProtocol::SSL_V23, SslProtocol::SSL_V3, SslProtocol::SSL_V23, SslProtocol::SSL_V3,
SslProtocol::TLS_V1, SslProtocol::TLS_V12}; SslProtocol::TLS_V1, SslProtocol::TLS_V12,
SslProtocol::TLS_GENERIC};
#endif #endif
} }
@ -176,11 +184,11 @@ std::string arangodb::availableSslProtocolsDescription() {
#if OPENSSL_VERSION_NUMBER >= 0x10101000L #if OPENSSL_VERSION_NUMBER >= 0x10101000L
return "ssl protocol (1 = SSLv2 (unsupported), 2 = SSLv2 or SSLv3 " return "ssl protocol (1 = SSLv2 (unsupported), 2 = SSLv2 or SSLv3 "
"(negotiated), 3 = SSLv3, 4 = " "(negotiated), 3 = SSLv3, 4 = "
"TLSv1, 5 = TLSv1.2, 6 = TLSv1.3)"; "TLSv1, 5 = TLSv1.2, 6 = TLSv1.3, 9 = generic TLS)";
#else #else
return "ssl protocol (1 = SSLv2 (unsupported), 2 = SSLv2 or SSLv3 " return "ssl protocol (1 = SSLv2 (unsupported), 2 = SSLv2 or SSLv3 "
"(negotiated), 3 = SSLv3, 4 = " "(negotiated), 3 = SSLv3, 4 = "
"TLSv1, 5 = TLSv1.2)"; "TLSv1, 5 = TLSv1.2, 9 = generic TLS)";
#endif #endif
} }
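Review bot: In `availableSslProtocolsDescription()` the text `9 = generic TLS` had to be appended to both the `#if` and the `#else` literal, and `availableSslProtocols()` likewise gained `SslProtocol::TLS_GENERIC` in two places; the two functions now encode the same table three times by hand, which is how the enum and its help text drift apart. Building the description from `availableSslProtocols()` and `protocolName()` (e.g. iterating the set and formatting `<value> = <name>`) would leave one source of truth, though the exact ordering and the "(unsupported)" annotation would need to be preserved, so this is a style suggestion rather than a defect. Independently, `protocolName()` returning `"TLS"` for the generic method tells an operator only what was configured, not what a connection negotiated; if the accept path logs the protocol name, consider logging the per-connection version alongside it. `sslContext()` begins before its hunk.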


@ -53,6 +53,7 @@ enum SslProtocol {
#if OPENSSL_VERSION_NUMBER >= 0x10101000L #if OPENSSL_VERSION_NUMBER >= 0x10101000L
TLS_V13 = 6, TLS_V13 = 6,
#endif #endif
TLS_GENERIC = 9,
SSL_LAST SSL_LAST
}; };
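Review bot: `TLS_GENERIC = 9,` is the only member of `SslProtocol` that skips values (7 and 8 are left unassigned), and the enum gives no hint whether that gap is reserved for future TLS versions or accidental; a comment on the new line would save the next reader from guessing, e.g. `// 9: version negotiated per connection; 7 and 8 intentionally unused (TODO confirm)`. Note also that, unlike `TLS_V13`, this value is declared unconditionally, so the enum accepts it on every OpenSSL build and the callers that dispatch on it need to handle it in every `#if` branch. `SSL_LAST` now follows 9 rather than 6, which matters if it is used as an array bound elsewhere.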