@neunhoef (#10335)

2019-11-04 11:31:09 +01:00 · 2019-11-04 11:31:09 +01:00 · 7c5c1dd6cc
parent 611b4547f4
commit 7c5c1dd6cc
5 changed files with 26 additions and 14 deletions
--- a/10
+++ b/10
@ -168,11 +168,12 @@ devel

 * Added support for TLS 1.3 for the arangod server and the client tools.
  
-  The default TLS protocol for the arangod server is now TLS 1.3 as well, in
-  contrast to TLS 1.2 in previous versions.
+  The arangod server can be started with option `--ssl.protocol 6` to make it require
+  TLS 1.3 for incoming client connections. The server can be started with option 
+  `--ssl.protocol 5` to make it require TLS 1.2, as in previous versions of arangod.

-  The arangod server can be started with option `--ssl.protocol 5` to make it use
-  TLS 1.2 again.
+  The default TLS protocol for the arangod server is now generic TLS, which will allow
+  the negotation of the TLS version between the client and the server.

  All client tools also support TLS 1.3, by using the `--ssl.protocol 6` option when
  invoking them. The client tools will use TLS 1.2 by default, in order to be
@ -185,6 +186,7 @@ devel
  - 4 = TLSv1
  - 5 = TLSv1.2
  - 6 = TLSv1.3
+  - 9 = generic TLS

 * Added TransactionStatistics to ServerStatistics (transactions started /
  aborted / committed and number of intermediate commits).
--- a/arangod/GeneralServer/SslServerFeature.cpp
+++ b/arangod/GeneralServer/SslServerFeature.cpp
@ -67,11 +67,7 @@ SslServerFeature::SslServerFeature(application_features::ApplicationServer& serv
      _keyfile(),
      _sessionCache(false),
      _cipherList("HIGH:!EXPORT:!aNULL@STRENGTH"),
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
-      _sslProtocol(TLS_V13),
-#else
-      _sslProtocol(TLS_V12),
-#endif
+      _sslProtocol(TLS_GENERIC),
      _sslOptions(asio_ns::ssl::context::default_workarounds |
                  asio_ns::ssl::context::single_dh_use),
      _ecdhCurve("prime256v1") {
--- a/lib/SimpleHttpClient/SslClientConnection.cpp
+++ b/lib/SimpleHttpClient/SslClientConnection.cpp
@ -265,6 +265,10 @@ void SslClientConnection::init(uint64_t sslProtocol) {
      break;
 #endif

+    case TLS_GENERIC:
+      meth = TLS_client_method();
+      break;
+
    case SSL_UNKNOWN:
    default:
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
@ -331,6 +335,7 @@ bool SslClientConnection::connectSocket() {
 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
    case TLS_V13:
 #endif
+    case TLS_GENERIC:
    default:
      SSL_set_tlsext_host_name(_ssl, _endpoint->host().c_str());
  }
--- a/lib/Ssl/ssl-helper.cpp
+++ b/lib/Ssl/ssl-helper.cpp
@ -86,6 +86,10 @@ asio_ns::ssl::context arangodb::sslContext(SslProtocol protocol, std::string con
      break;
 #endif

+    case TLS_GENERIC:
+      meth = asio_ns::ssl::context::method::tls_server;
+      break;
+
    default:
      THROW_ARANGO_EXCEPTION_MESSAGE(TRI_ERROR_NOT_IMPLEMENTED,
                                     "unknown SSL protocol method");
@ -150,6 +154,9 @@ std::string arangodb::protocolName(SslProtocol protocol) {
      return "TLSv13";
 #endif
    
+    case TLS_GENERIC:
+      return "TLS";
+
    default:
      return "unknown";
  }
@ -163,12 +170,13 @@ std::unordered_set<uint64_t> arangodb::availableSslProtocols() {
  return std::unordered_set<uint64_t>{SslProtocol::SSL_V2,  // unsupported!
                                      SslProtocol::SSL_V23, SslProtocol::SSL_V3,
                                      SslProtocol::TLS_V1, SslProtocol::TLS_V12,
-                                      SslProtocol::TLS_V13};
+                                      SslProtocol::TLS_V13, SslProtocol::TLS_GENERIC};
 #else
  // no support for TLS 1.3                                      
  return std::unordered_set<uint64_t>{SslProtocol::SSL_V2,  // unsupported!
                                      SslProtocol::SSL_V23, SslProtocol::SSL_V3,
-                                      SslProtocol::TLS_V1, SslProtocol::TLS_V12};
+                                      SslProtocol::TLS_V1, SslProtocol::TLS_V12,
+                                      SslProtocol::TLS_GENERIC};
 #endif
 }

@ -176,11 +184,11 @@ std::string arangodb::availableSslProtocolsDescription() {
 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
  return "ssl protocol (1 = SSLv2 (unsupported), 2 = SSLv2 or SSLv3 "
         "(negotiated), 3 = SSLv3, 4 = "
-         "TLSv1, 5 = TLSv1.2, 6 = TLSv1.3)";
+         "TLSv1, 5 = TLSv1.2, 6 = TLSv1.3, 9 = generic TLS)";
 #else
  return "ssl protocol (1 = SSLv2 (unsupported), 2 = SSLv2 or SSLv3 "
         "(negotiated), 3 = SSLv3, 4 = "
-         "TLSv1, 5 = TLSv1.2)";
+         "TLSv1, 5 = TLSv1.2, 9 = generic TLS)";
 #endif
 }

--- a/lib/Ssl/ssl-helper.h
+++ b/lib/Ssl/ssl-helper.h
@ -53,6 +53,7 @@ enum SslProtocol {
 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
  TLS_V13 = 6,
 #endif
+  TLS_GENERIC = 9,

  SSL_LAST
 };