Repository: qpid-dispatch Updated Branches: refs/heads/master 272398ddc -> a33dd4602
DISPATCH-844 - Added cipher field to sslProfile object. This will allow users to disable weak ciphers in an SSL connection Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/a33dd460 Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/a33dd460 Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/a33dd460 Branch: refs/heads/master Commit: a33dd4602b6a08a808eb72d1e4bf514c30478908 Parents: 272398d Author: Ganesh Murthy <gmur...@redhat.com> Authored: Fri Sep 29 14:13:40 2017 -0400 Committer: Ganesh Murthy <gmur...@redhat.com> Committed: Mon Oct 2 16:50:03 2017 -0400 ---------------------------------------------------------------------- include/qpid/dispatch/server.h | 5 +++++ python/qpid_dispatch/management/qdrouter.json | 5 +++++ src/connection_manager.c | 24 +++++++++++++++------- src/http-libwebsockets.c | 2 ++ src/server.c | 15 ++++++++++++++ tests/system_tests_http.py | 4 +--- tests/system_tests_sasl_plain.py | 1 + 7 files changed, 46 insertions(+), 10 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/a33dd460/include/qpid/dispatch/server.h ---------------------------------------------------------------------- diff --git a/include/qpid/dispatch/server.h b/include/qpid/dispatch/server.h index 472fda6..bd51fa6 100644 --- a/include/qpid/dispatch/server.h +++ b/include/qpid/dispatch/server.h 
@@ -301,6 +301,11 @@ typedef struct qd_server_config_t { bool ssl_require_peer_authentication; /** + * Specifies the enabled ciphers so the SSL Ciphers can be hardened. + */ + char *ciphers; + + /** * Allow the connection to be redirected by the peer (via CLOSE->Redirect). This is * meaningful for outgoing (connector) connections only. */ http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/a33dd460/python/qpid_dispatch/management/qdrouter.json ---------------------------------------------------------------------- diff --git a/python/qpid_dispatch/management/qdrouter.json b/python/qpid_dispatch/management/qdrouter.json index aeebe9a..c7dabc8 100644 --- a/python/qpid_dispatch/management/qdrouter.json +++ b/python/qpid_dispatch/management/qdrouter.json @@ -507,6 +507,11 @@ "extends": "configurationEntity", "operations": ["CREATE", "DELETE"], "attributes": { + "ciphers": { + "type": "string", + "description": "Specifies the enabled ciphers so the SSL Ciphers can be hardened. In other words, use this field to disable weak ciphers. The ciphers are specified in the format understood by the OpenSSL library. For example, ciphers can be set to ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; -- The full list of allowed ciphers can be viewed using the openssl ciphers command", + "create": true + }, "certDb": { "type": "path", "description": "The absolute path to the database that contains the public certificates of trusted certificate authorities (CA).", http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/a33dd460/src/connection_manager.c ---------------------------------------------------------------------- diff --git a/src/connection_manager.c b/src/connection_manager.c index f9e0e76..9a9d61d 100644 --- a/src/connection_manager.c +++ b/src/connection_manager.c 
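Review bot: The new field comment says what `ciphers` is for but not its contract, which the rest of the diff does establish: it is an OpenSSL-format cipher-list string, it is NULL when the sslProfile omits the attribute (qd_entity_opt_string with a 0 default in src/connection_manager.c), and it is owned by the struct and released in qd_server_config_free. Suggest `/** OpenSSL cipher-list string applied to the SSL domain; NULL means the library default. Owned by this struct, freed in qd_server_config_free(). */`. The struct definition continues outside the hunk.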
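Review bot: The example in the new `ciphers` description undercuts the attribute's stated purpose: `ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP` leaves RC4, LOW, EXP and SSLv2-era suites enabled (the `+` prefix only moves them down the preference order) and excludes only anonymous and EXPORT56 suites, so an operator copying it would not get a hardened configuration. The two test files in this commit already use a restrictive list, `ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS`, which would make a consistent and safer example here. It would also help the description to state that an invalid value is not rejected at CREATE time but reported when a listener or connector using the profile starts, which is how src/connection_manager.c and src/server.c in this commit behave.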
@@ -44,6 +44,7 @@ struct qd_config_ssl_profile_t { char *ssl_display_name_file; char *ssl_certificate_file; char *ssl_private_key_file; + char *ciphers; }; DEQ_DECLARE(qd_config_ssl_profile_t, qd_config_ssl_profile_list_t); @@ -138,13 +139,14 @@ void qd_server_config_free(qd_server_config_t *cf) if (cf->failover_list) qd_failover_list_free(cf->failover_list); if (cf->log_message) free(cf->log_message); - if (cf->ssl_certificate_file) free(cf->ssl_certificate_file); - if (cf->ssl_private_key_file) free(cf->ssl_private_key_file); - if (cf->ssl_password) free(cf->ssl_password); + if (cf->ssl_certificate_file) free(cf->ssl_certificate_file); + if (cf->ssl_private_key_file) free(cf->ssl_private_key_file); + if (cf->ciphers) free(cf->ciphers); + if (cf->ssl_password) free(cf->ssl_password); if (cf->ssl_trusted_certificate_db) free(cf->ssl_trusted_certificate_db); - if (cf->ssl_trusted_certificates) free(cf->ssl_trusted_certificates); - if (cf->ssl_uid_format) free(cf->ssl_uid_format); - if (cf->ssl_display_name_file) free(cf->ssl_display_name_file); + if (cf->ssl_trusted_certificates) free(cf->ssl_trusted_certificates); + if (cf->ssl_uid_format) free(cf->ssl_uid_format); + if (cf->ssl_display_name_file) free(cf->ssl_display_name_file); memset(cf, 0, sizeof(*cf)); } @@ -383,6 +385,7 @@ static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *conf if (ssl_profile) { config->ssl_certificate_file = SSTRDUP(ssl_profile->ssl_certificate_file); config->ssl_private_key_file = SSTRDUP(ssl_profile->ssl_private_key_file); + config->ciphers = SSTRDUP(ssl_profile->ciphers); config->ssl_password = SSTRDUP(ssl_profile->ssl_password); config->ssl_trusted_certificate_db = SSTRDUP(ssl_profile->ssl_trusted_certificate_db); config->ssl_trusted_certificates = SSTRDUP(ssl_profile->ssl_trusted_certificates); 
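Review bot: Six of the seven changed lines in qd_server_config_free are existing free() calls re-indented to line up with the new `if (cf->ciphers) free(cf->ciphers);`, which makes a one-line change read as a rewrite of the function and will muddy blame for those lines later. Keeping the new line in the existing alignment, or doing the realignment in a separate whitespace-only commit, would leave the hunk at its real size. The function's start is outside the hunk.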
@@ -421,6 +424,12 @@ static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t *conf } } } + if (auth_ssl_profile->ciphers) { + if (pn_ssl_domain_set_ciphers(config->auth_ssl_conf, auth_ssl_profile->ciphers)) { + return qd_error(QD_ERROR_RUNTIME, "Cannot set ciphers. The ciphers string might be invalid. Use openssl ciphers -v <ciphers> to validate"); + } + } + } } else { qd_error(QD_ERROR_RUNTIME, "Cannot find sasl plugin %s", config->sasl_plugin); CHECK(); @@ -461,6 +470,7 @@ static bool config_ssl_profile_free(qd_connection_manager_t *cm, qd_config_ssl_p free(ssl_profile->ssl_display_name_file); free(ssl_profile->ssl_certificate_file); free(ssl_profile->ssl_private_key_file); + free(ssl_profile->ciphers); free(ssl_profile); return true; @@ -523,7 +533,7 @@ qd_config_ssl_profile_t *qd_dispatch_configure_ssl_profile(qd_dispatch_t *qd, qd } free(password_file); } - + ssl_profile->ciphers = qd_entity_opt_string(entity, "ciphers", 0); CHECK(); ssl_profile->ssl_trusted_certificate_db = qd_entity_opt_string(entity, "certDb", 0); CHECK(); ssl_profile->ssl_trusted_certificates = qd_entity_opt_string(entity, "trustedCerts", 0); CHECK(); ssl_profile->ssl_uid_format = qd_entity_opt_string(entity, "uidFormat", 0); CHECK(); http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/a33dd460/src/http-libwebsockets.c ---------------------------------------------------------------------- diff --git a/src/http-libwebsockets.c b/src/http-libwebsockets.c index 502b937..990d694 100644 --- a/src/http-libwebsockets.c +++ b/src/http-libwebsockets.c 
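Review bot: On failure the new block returns from load_server_config without releasing config->auth_ssl_conf, which the preceding code has just set up; the listener path in src/server.c frees its domain before returning the same error, so this path should either do likewise or rely on the caller's cleanup, and the visible part of qd_server_config_free does not touch auth_ssl_conf. The error text `Cannot set ciphers. The ciphers string might be invalid. Use openssl ciphers -v <ciphers> to validate` is repeated verbatim in listener_setup_ssl in src/server.c; one shared constant would keep the two messages in step. load_server_config continues outside the hunk.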
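Review bot: The cipher string is stored at sslProfile CREATE time without any check, so an invalid list is accepted by management and only surfaces later when a listener or connector that uses the profile is set up (listener_setup_ssl and setup_ssl_sasl_and_open in src/server.c). Validating it here — for instance applying it to a temporary pn_ssl_domain and reporting failure through the same CHECK() path the other attributes use — would reject a bad profile at creation, where the operator actually sees the result. qd_dispatch_configure_ssl_profile continues outside the hunk.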
@@ -286,6 +286,8 @@ static void listener_start(qd_http_listener_t *hl, qd_http_server_t *hs) { info.ssl_private_key_filepath = config->ssl_private_key_file; info.ssl_private_key_password = config->ssl_password; info.ssl_ca_filepath = config->ssl_trusted_certificates; + info.ssl_cipher_list = config->ciphers; + info.options |= LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT | (config->ssl_required ? 0 : LWS_SERVER_OPTION_ALLOW_NON_SSL_ON_SSL_PORT) | http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/a33dd460/src/server.c ---------------------------------------------------------------------- diff --git a/src/server.c b/src/server.c index 4b96ffb..88144a5 100644 --- a/src/server.c +++ b/src/server.c @@ -380,6 +380,13 @@ static qd_error_t listener_setup_ssl(qd_connection_t *ctx, const qd_server_confi } } + if (config->ciphers) { + if (pn_ssl_domain_set_ciphers(domain, config->ciphers)) { + pn_ssl_domain_free(domain); + return qd_error(QD_ERROR_RUNTIME, "Cannot set ciphers. The ciphers string might be invalid. Use openssl ciphers -v <ciphers> to validate"); + } + } + const char *trusted = config->ssl_trusted_certificate_db; if (config->ssl_trusted_certificates) trusted = config->ssl_trusted_certificates; @@ -1030,6 +1037,14 @@ static void setup_ssl_sasl_and_open(qd_connection_t *ctx) } } + if (config->ciphers) { + if (pn_ssl_domain_set_ciphers(domain, config->ciphers)) { + qd_log(ct->server->log_source, QD_LOG_ERROR, + "SSL cipher configuration failed for %s:%s", + config->host, config->port); + } + } + //If ssl is enabled and verify_host_name is true, instruct proton to verify peer name if (config->verify_host_name) { if (pn_ssl_domain_set_peer_authentication(domain, PN_SSL_VERIFY_PEER_NAME, NULL)) { http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/a33dd460/tests/system_tests_http.py ---------------------------------------------------------------------- diff --git a/tests/system_tests_http.py b/tests/system_tests_http.py index 5450097..adfbd54 100644 
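Review bot: Unlike the two proton paths in this commit, the websocket listener gets no explicit error when `config->ciphers` is not a valid list: `info.ssl_cipher_list = config->ciphers;` is simply assigned, and whatever libwebsockets does with a rejected cipher string at context creation (outside the hunk) is not surfaced here. It is worth confirming that context creation fails loudly in that case rather than falling back to the library default, and logging the failure with the listener's host and port as setup_ssl_sasl_and_open does, so a misconfigured profile on the HTTP listener is not silently ignored. listener_start continues outside the hunk.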
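Review bot: In setup_ssl_sasl_and_open a failed pn_ssl_domain_set_ciphers is only logged and the connector goes on to open with whatever cipher list the domain already had (presumably the default), so a typo in an outbound profile's `ciphers` silently drops the hardening the setting exists for, whereas listener_setup_ssl in the hunk above treats the same failure as fatal. If the connector path cannot fail setup the way the listener does (the rest of the function is outside the hunk), the log should at least say so, e.g. `"SSL cipher configuration failed for %s:%s; connecting with the default cipher list"`, or the connection should be abandoned rather than opened. Whether other SSL setup failures in this function are also log-only is not visible here.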
--- a/tests/system_tests_http.py +++ b/tests/system_tests_http.py @@ -19,10 +19,7 @@ import unittest, os, json, threading, sys, ssl, urllib2 import ssl -import run -from subprocess import PIPE, Popen, STDOUT from system_test import TestCase, Qdrouterd, main_module, DIR, TIMEOUT, Process -from qpid_dispatch.management.client import Node class RouterTestHttp(TestCase): @@ -111,6 +108,7 @@ class RouterTestHttp(TestCase): 'certDb': self.ssl_file('ca-certificate.pem'), 'certFile': self.ssl_file('server-certificate.pem'), 'keyFile': self.ssl_file('server-private-key.pem'), + 'ciphers': 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS', 'password': 'server-password' }), listener(sslProfile='simple-ssl', requireSsl=False, authenticatePeer=False), http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/a33dd460/tests/system_tests_sasl_plain.py ---------------------------------------------------------------------- diff --git a/tests/system_tests_sasl_plain.py b/tests/system_tests_sasl_plain.py index 79632ea..05e591f 100644 --- a/tests/system_tests_sasl_plain.py +++ b/tests/system_tests_sasl_plain.py @@ -226,6 +226,7 @@ class RouterTestPlainSaslOverSsl(RouterTestPlainSaslCommon): 'certDb': cls.ssl_file('ca-certificate.pem'), 'certFile': cls.ssl_file('server-certificate.pem'), 'keyFile': cls.ssl_file('server-private-key.pem'), + 'ciphers': 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS', 'password': 'server-password'}), ('router', {'workerThreads': 1, 'id': 'QDR.X', --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@qpid.apache.org For additional commands, e-mail: commits-h...@qpid.apache.org
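Review bot: The added `'ciphers'` entry only proves the router accepts the attribute; neither this test nor the matching change in tests/system_tests_sasl_plain.py asserts that the restriction is enforced, so a regression that ignores `config->ciphers` would still pass. A client-side check would close the gap: connect with `ssl.wrap_socket` and assert the suite name from `sock.cipher()` is one in the configured list, or connect with a client limited to an excluded suite (MD5 or DSS) and assert the handshake fails. The import hunk above still leaves `ssl` imported twice on the context lines (once in the combined import and again on its own), which could have gone into the same cleanup.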