Added configuration options for TLS cipher suites and TLS versions.
This commit is contained in:
Jan Vidar Krey
@@ -428,7 +428,6 @@
|
||||
<since>0.3.3</since>
|
||||
</option>
|
||||
|
||||
|
||||
<option name="tls_certificate" type="file" default="">
|
||||
<short>Certificate file</short>
|
||||
<description><![CDATA[
|
||||
@@ -445,6 +444,40 @@
|
||||
<since>0.3.0</since>
|
||||
</option>
|
||||
|
||||
<option name="tls_ciphersuite" type="string" default="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS">
|
||||
<short>List of TLS ciphers to use</short>
|
||||
<description><![CDATA[
|
||||
This is a colon separated list of preferred ciphers in the OpenSSL format.
|
||||
]]></description>
|
||||
<since>0.5.0</since>
|
||||
<example><![CDATA[
|
||||
<p>
|
||||
High security with emphasis on forward secrecy:<br />
|
||||
tls_ciphersuite = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
|
||||
</p>
|
||||
<p>
|
||||
Allow ChaCha20/Poly1305 which are secure, yet generally faster:<br />
|
||||
tls_ciphersuite = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA"
|
||||
</p>
|
||||
]]></example>
|
||||
</option>
|
||||
|
||||
<option name="tls_version" type="string" default="1.2">
|
||||
<short>Specify minimum TLS version supported.</short>
|
||||
<description><![CDATA[
|
||||
<p>
|
||||
This allows you to specify the minimum TLS version the hub requires from connecting clients in order to
|
||||
connect to the hub.
|
||||
</p>
|
||||
<p>
|
||||
TLS version 1.2 is recommended and enabled by default.
|
||||
TLS version 1.1 is acceptable without any known flaws, and allows for older clients to connect.
|
||||
TLS version 1.0 should be avoided, even though it is the most compatible with older ADC clients.
|
||||
</p>
|
||||
]]></description>
|
||||
<since>0.5.0</since>
|
||||
</option>
|
||||
|
||||
<option name="file_acl" type="file" default="">
|
||||
<short>File containing access control lists</short>
|
||||
<description><![CDATA[
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
* Copyright (C) 2007-2014, Jan Vidar Krey
|
||||
*
|
||||
* THIS FILE IS AUTOGENERATED - DO NOT MODIFY
|
||||
* Created 2014-05-14 11:38, by config.py
|
||||
* Created 2014-07-29 12:22, by config.py
|
||||
*/
|
||||
|
||||
void config_defaults(struct hub_config* config)
|
||||
@@ -51,6 +51,8 @@ void config_defaults(struct hub_config* config)
|
||||
config->tls_require_redirect_addr = hub_strdup("");
|
||||
config->tls_certificate = hub_strdup("");
|
||||
config->tls_private_key = hub_strdup("");
|
||||
config->tls_ciphersuite = hub_strdup("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS");
|
||||
config->tls_version = hub_strdup("1.2");
|
||||
config->file_acl = hub_strdup("");
|
||||
config->file_plugins = hub_strdup("");
|
||||
config->msg_hub_full = hub_strdup("Hub is full");
|
||||
@@ -552,6 +554,26 @@ static int apply_config(struct hub_config* config, char* key, char* data, int li
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (!strcmp(key, "tls_ciphersuite"))
|
||||
{
|
||||
if (!apply_string(key, data, &config->tls_ciphersuite, (char*) ""))
|
||||
{
|
||||
LOG_ERROR("Configuration parse error on line %d", line_count);
|
||||
return -1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (!strcmp(key, "tls_version"))
|
||||
{
|
||||
if (!apply_string(key, data, &config->tls_version, (char*) ""))
|
||||
{
|
||||
LOG_ERROR("Configuration parse error on line %d", line_count);
|
||||
return -1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (!strcmp(key, "file_acl"))
|
||||
{
|
||||
if (!apply_string(key, data, &config->file_acl, (char*) ""))
|
||||
@@ -955,6 +977,10 @@ void free_config(struct hub_config* config)
|
||||
|
||||
hub_free(config->tls_private_key);
|
||||
|
||||
hub_free(config->tls_ciphersuite);
|
||||
|
||||
hub_free(config->tls_version);
|
||||
|
||||
hub_free(config->file_acl);
|
||||
|
||||
hub_free(config->file_plugins);
|
||||
@@ -1164,6 +1190,12 @@ void dump_config(struct hub_config* config, int ignore_defaults)
|
||||
if (!ignore_defaults || strcmp(config->tls_private_key, "") != 0)
|
||||
fprintf(stdout, "tls_private_key = \"%s\"\n", config->tls_private_key);
|
||||
|
||||
if (!ignore_defaults || strcmp(config->tls_ciphersuite, "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS") != 0)
|
||||
fprintf(stdout, "tls_ciphersuite = \"%s\"\n", config->tls_ciphersuite);
|
||||
|
||||
if (!ignore_defaults || strcmp(config->tls_version, "1.2") != 0)
|
||||
fprintf(stdout, "tls_version = \"%s\"\n", config->tls_version);
|
||||
|
||||
if (!ignore_defaults || strcmp(config->file_acl, "") != 0)
|
||||
fprintf(stdout, "file_acl = \"%s\"\n", config->file_acl);
|
||||
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
* Copyright (C) 2007-2014, Jan Vidar Krey
|
||||
*
|
||||
* THIS FILE IS AUTOGENERATED - DO NOT MODIFY
|
||||
* Created 2014-05-14 11:38, by config.py
|
||||
* Created 2014-07-29 12:22, by config.py
|
||||
*/
|
||||
|
||||
struct hub_config
|
||||
@@ -51,6 +51,8 @@ struct hub_config
|
||||
char* tls_require_redirect_addr; /*<<< A redirect address in case a client connects using "adc://" when "adcs://" is required. (default: "") */
|
||||
char* tls_certificate; /*<<< Certificate file (default: "") */
|
||||
char* tls_private_key; /*<<< Private key file (default: "") */
|
||||
char* tls_ciphersuite; /*<<< List of TLS ciphers to use (default: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS") */
|
||||
char* tls_version; /*<<< Specify minimum TLS version supported. (default: "1.2") */
|
||||
char* file_acl; /*<<< File containing access control lists (default: "") */
|
||||
char* file_plugins; /*<<< Plugin configuration file (default: "") */
|
||||
char* msg_hub_full; /*<<< "Hub is full" */
|
||||
|
||||
@@ -731,7 +731,11 @@ static int load_ssl_certificates(struct hub_info* hub, struct hub_config* config
|
||||
{
|
||||
if (config->tls_enable)
|
||||
{
|
||||
hub->ctx = net_ssl_context_create();
|
||||
hub->ctx = net_ssl_context_create(config->tls_version, config->tls_ciphersuite);
|
||||
|
||||
if (!hub->ctx)
|
||||
return 0;
|
||||
|
||||
if (ssl_load_certificate(hub->ctx, config->tls_certificate) &&
|
||||
ssl_load_private_key(hub->ctx, config->tls_private_key) &&
|
||||
ssl_check_private_key(hub->ctx))
|
||||
|
||||
Reference in New Issue
Block a user