author | thiagoftsm <thiagoftsm@gmail.com> | 2020-03-31 22:53:32 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-03-31 22:53:32 +0000 |
commit | a12d4e56d7db6bcb0f84a26b930ab745ffdd427a (patch) | |
tree | 2fcd6b9b61e7709cfc73edfb836174ced6918beb /libnetdata | |
parent | 905a2dd54edacbddf31e633193920b0ba8f8aff4 (diff) |
Extend TLS Support (#8505)
* tls13: This commit brings TLS 1.3 to Netdata
* tls13: Update variables on slave side
* tls13: Fix compilation error for old libraries
* tls13: Fix compilation error for old libraries 2
* tls13 remove ciphers
* tls13: TLS versions
This commit brings the missing TLS versions accepted for Netdata
and it also brings a documentation update related to these versions
* tls13: Remove duplication
This commit removes wrong duplication of code
* tls13: Documentation
This commit brings fix for the documentation
* tls13: Remove magic number
This commit removes the magic number to allow the code to be readable
* tls13: TLS version
Small adjust with TLS version
* tls13: Security Init
This commit removes array from the function and overwrite the magic number
with a string
* tls13: Remove new variable name from stream
* tls13: OpenSSL versions and old key name
This commit removes the new key names and also update the names
used to define openssl version
Diffstat (limited to 'libnetdata')
-rw-r--r-- | libnetdata/socket/security.c | 78 | ||||
-rw-r--r-- | libnetdata/socket/security.h | 9 |
2 files changed, 61 insertions, 26 deletions
diff --git a/libnetdata/socket/security.c b/libnetdata/socket/security.c
index 6781dc6f5b..486a2f711b 100644
--- a/libnetdata/socket/security.c
+++ b/libnetdata/socket/security.c
@@ -7,6 +7,8 @@ SSL_CTX *netdata_client_ctx=NULL;
 SSL_CTX *netdata_srv_ctx=NULL;
 const char *security_key=NULL;
 const char *security_cert=NULL;
+const char *tls_version=NULL;
+const char *tls_ciphers=NULL;
 int netdata_validate_server = NETDATA_SSL_VALID_CERTIFICATE;
 /**
@@ -32,14 +34,12 @@ static void security_info_callback(const SSL *ssl, int where, int ret __maybe_un
 */
 void security_openssl_library() {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-# if (SSLEAY_VERSION_NUMBER >= 0x0907000L)
+#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110
+# if (SSLEAY_VERSION_NUMBER >= OPENSSL_VERSION_097)
 OPENSSL_config(NULL);
 # endif
-# if OPENSSL_API_COMPAT < 0x10100000L
 SSL_load_error_strings();
-# endif
 SSL_library_init();
 #else
@@ -49,32 +49,60 @@ void security_openssl_library()
 #endif
 }
+#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_110
+/**
+ * TLS version
+ *
+ * Returns the TLS version depending of the user input.
+ *
+ * @param lversion is the user input.
+ *
+ * @return it returns the version number.
+ */
+int tls_select_version(const char *lversion) {
+ if (!strcmp(lversion, "1") || !strcmp(lversion, "1.0"))
+ return TLS1_VERSION;
+ else if (!strcmp(lversion, "1.1"))
+ return TLS1_1_VERSION;
+ else if (!strcmp(lversion, "1.2"))
+ return TLS1_2_VERSION;
+#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_111
+ else if (!strcmp(lversion, "1.3"))
+ return TLS1_3_VERSION;
+#endif
+
+ return TLS_MAX_VERSION;
+}
+#endif
+
 /**
 * OpenSSL common options
 *
 * Clients and SERVER have common options, this function is responsible to set them in the context.
 *
- * @param ctx
+ * @param ctx the initialized SSL context.
+ * @param side 0 means server, and 1 client.
 */
-void security_openssl_common_options(SSL_CTX *ctx) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- static char *ciphers = {"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"};
+void security_openssl_common_options(SSL_CTX *ctx, int side) {
+#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_110
+ if (!side) {
+ int version = tls_select_version(tls_version) ;
 #endif
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- SSL_CTX_set_options (ctx,SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION);
+#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110
+ SSL_CTX_set_options (ctx,SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION);
 #else
- SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
- //We are avoiding the TLS v1.3 for while, because Google Chrome
- //is giving the message net::ERR_SSL_VERSION_INTERFERENCE with it.
- SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
-#endif
- SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
+ SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
+ SSL_CTX_set_max_proto_version(ctx, version);
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- if (!SSL_CTX_set_cipher_list(ctx, ciphers)) {
- error("SSL error. cannot set the cipher list");
+ if(tls_ciphers && strcmp(tls_ciphers, "none") != 0) {
+ if (!SSL_CTX_set_cipher_list(ctx, tls_ciphers)) {
+ error("SSL error. cannot set the cipher list");
+ }
+ }
 }
 #endif
+
+ SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 }
 /**
@@ -86,13 +114,13 @@ void security_openssl_common_options(SSL_CTX *ctx) {
 */
 SSL_CTX * security_initialize_openssl_client() {
 SSL_CTX *ctx;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110
 ctx = SSL_CTX_new(SSLv23_client_method());
 #else
 ctx = SSL_CTX_new(TLS_client_method());
 #endif
 if(ctx) {
- security_openssl_common_options(ctx);
+ security_openssl_common_options(ctx, 1);
 }
 return ctx;
@@ -111,7 +139,7 @@ static SSL_CTX * security_initialize_openssl_server() {
 static int netdata_id_context = 1;
 //TO DO: Confirm the necessity to check return for other OPENSSL function
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110
 ctx = SSL_CTX_new(SSLv23_server_method());
 if (!ctx) {
 error("Cannot create a new SSL context, netdata won't encrypt communication");
@@ -128,7 +156,7 @@ static SSL_CTX * security_initialize_openssl_server() {
 SSL_CTX_use_certificate_chain_file(ctx, security_cert);
 #endif
- security_openssl_common_options(ctx);
+ security_openssl_common_options(ctx, 0);
 SSL_CTX_use_PrivateKey_file(ctx,security_key,SSL_FILETYPE_PEM);
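Review bot: The server path now lowers the protocol floor unconditionally — `SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION)` replaces the former `TLS1_2_VERSION` minimum, while the configured `tls_version` only feeds `SSL_CTX_set_max_proto_version`, so a default build accepts TLS 1.0 and 1.1 handshakes it previously refused; keep the floor at 1.2 unless the selected maximum is explicitly lower, e.g. `SSL_CTX_set_min_proto_version(ctx, version < TLS1_2_VERSION ? version : TLS1_2_VERSION);`. `tls_select_version(tls_version)` hands the global that this commit initialises to NULL straight to `strcmp`, which is undefined behaviour if no configuration value was assigned before the context is built; `int version = tls_version ? tls_select_version(tls_version) : TLS_MAX_VERSION;` removes that dependency on the caller. On OpenSSL ≥ 1.1.0 the `if (!side)` block also means the client context (side 1 in the later hunk) no longer receives any proto-version bounds or cipher list, where the removed code applied both to every context, so that behaviour change belongs in the `@param side` line. `SSL_CTX_set_cipher_list` does not govern TLS 1.3 ciphersuites (those are set with `SSL_CTX_set_ciphersuites`), which the `tls_ciphers` handling should say now that 1.3 can be negotiated. `tls_select_version` gets no prototype in security.h, so it should be `static` to avoid an exported symbol without a declaration.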
@@ -142,7 +170,7 @@ static SSL_CTX * security_initialize_openssl_server() {
 SSL_CTX_set_session_id_context(ctx,(void*)&netdata_id_context,(unsigned int)sizeof(netdata_id_context));
 SSL_CTX_set_info_callback(ctx,security_info_callback);
-#if (OPENSSL_VERSION_NUMBER < 0x00905100L)
+#if (OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_095)
 SSL_CTX_set_verify_depth(ctx,1);
 #endif
 debug(D_WEB_CLIENT,"SSL GLOBAL CONTEXT STARTED\n");
@@ -207,7 +235,7 @@ void security_clean_openssl() {
 SSL_CTX_free(netdata_opentsdb_ctx);
 }
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110
 ERR_free_strings();
 #endif
 }
diff --git a/libnetdata/socket/security.h b/libnetdata/socket/security.h
index 741135c1f9..01703d7863 100644
--- a/libnetdata/socket/security.h
+++ b/libnetdata/socket/security.h
@@ -17,9 +17,14 @@
 # ifdef ENABLE_HTTPS
+#define OPENSSL_VERSION_095 0x00905100L
+#define OPENSSL_VERSION_097 0x0907000L
+#define OPENSSL_VERSION_110 0x10100000L
+#define OPENSSL_VERSION_111 0x10101000L
+
 # include <openssl/ssl.h>
 # include <openssl/err.h>
-# if (SSLEAY_VERSION_NUMBER >= 0x0907000L) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
+# if (SSLEAY_VERSION_NUMBER >= OPENSSL_VERSION_097) && (OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110)
 # include <openssl/conf.h>
 # endif
@@ -33,6 +38,8 @@ extern SSL_CTX *netdata_client_ctx;
 extern SSL_CTX *netdata_srv_ctx;
 extern const char *security_key;
 extern const char *security_cert;
+extern const char *tls_version;
+extern const char *tls_ciphers;
 extern int netdata_validate_server;
 extern int security_location_for_context(SSL_CTX *ctx,char *file,char *path);
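Review bot: The four new macros in security.h live in OpenSSL's own `OPENSSL_` namespace (the library already defines `OPENSSL_VERSION_NUMBER` and `OPENSSL_VERSION_TEXT`) and are defined before `<openssl/ssl.h>` is included, so a future header that happens to define `OPENSSL_VERSION_110` or a sibling would either trigger a redefinition diagnostic or, with a matching `#ifndef` guard, silently win and change every version test in security.c. A project prefix such as `NETDATA_OPENSSL_110` keeps the guards under this repository's control. `OPENSSL_VERSION_097` is written with seven hex digits (`0x0907000L`) while the other three use eight; the value is carried over unchanged from the old guard, so this is cosmetic, but `0x00907000L` makes the MNNFFPPS layout line up with its neighbours and is easier to audit.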