tyler.durden/icinga2
1
0
Fork 0
mirror of https://github.com/Icinga/icinga2.git synced 2025-07-25 06:34:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

Support TLS 1.3

Browse Source
This commit is contained in:
Julian Brost 2021-04-14 15:35:54 +02:00
parent 8dc069dc24
commit 0e7a05ad7a
3 changed files with 44 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
lib/base/tlsutility.cpp
View File

@ -179,7 +179,7 @@ Shared<boost::asio::ssl::context>::Ptr MakeAsioSslContext(const String& pubkey,
InitializeOpenSSL(); InitializeOpenSSL();
auto context (Shared<ssl::context>::Make(ssl::context::tlsv12)); auto context (Shared<ssl::context>::Make(ssl::context::tls));
SetupSslContext(context, pubkey, privkey, cakey); SetupSslContext(context, pubkey, privkey, cakey);
@ -227,6 +227,28 @@ void SetCipherListToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& con
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ #endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
} }
/**
* Resolves a string describing a TLS protocol version to the value of a TLS*_VERSION macro of OpenSSL.
*
* Throws an exception if the version is unknown or not supported.
*
* @param version String of a TLS version, for example "TLSv1.2".
* @return The value of the corresponding TLS*_VERSION macro.
*/
int ResolveTlsProtocolVersion(const std::string& version) {
if (version == "TLSv1.2") {
return TLS1_2_VERSION;
} else if (version == "TLSv1.3") {
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
return TLS1_3_VERSION;
#else /* OPENSSL_VERSION_NUMBER >= 0x10101000L */
throw std::runtime_error("'" + version + "' is only supported with OpenSSL 1.1.1 or newer");
#endif /* OPENSSL_VERSION_NUMBER >= 0x10101000L */
} else {
throw std::runtime_error("Unknown TLS protocol version '" + version + "'");
}
}
/** /**
* Set the minimum TLS protocol version to the specified SSL context. * Set the minimum TLS protocol version to the specified SSL context.
* *
@ -235,16 +257,24 @@ void SetCipherListToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& con
*/ */
void SetTlsProtocolminToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& context, const String& tlsProtocolmin) void SetTlsProtocolminToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& context, const String& tlsProtocolmin)
{ {
// tlsProtocolmin has no effect since we enforce TLS 1.2 since 2.11. #if OPENSSL_VERSION_NUMBER >= 0x10100000L
/* int ret = SSL_CTX_set_min_proto_version(context->native_handle(), ResolveTlsProtocolVersion(tlsProtocolmin));
std::shared_ptr<SSL_CTX> sslContext = std::shared_ptr<SSL_CTX>(context->native_handle());
long flags = SSL_CTX_get_options(sslContext.get()); if (ret != 1) {
char errbuf[256];
flags |= ...; ERR_error_string_n(ERR_peek_error(), errbuf, sizeof errbuf);
Log(LogCritical, "SSL")
SSL_CTX_set_options(sslContext.get(), flags); << "Error setting minimum TLS protocol version: " << ERR_peek_error() << ", \"" << errbuf << "\"";
*/ BOOST_THROW_EXCEPTION(openssl_error()
<< boost::errinfo_api_function("SSL_CTX_set_min_proto_version")
<< errinfo_openssl_error(ERR_peek_error()));
}
#else /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
// This should never happen. On this OpenSSL version, ResolveTlsProtocolVersion() should either return TLS 1.2
// or throw an exception, as that's the only TLS version supported by both Icinga and ancient OpenSSL.
VERIFY(ResolveTlsProtocolVersion(tlsProtocolmin) == TLS1_2_VERSION);
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
} }
/** /**

1
lib/base/tlsutility.hpp
View File

@ -33,6 +33,7 @@ void AddCRLToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& context, c
void AddCRLToSSLContext(X509_STORE *x509_store, const String& crlPath); void AddCRLToSSLContext(X509_STORE *x509_store, const String& crlPath);
void SetCipherListToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& context, const String& cipherList); void SetCipherListToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& context, const String& cipherList);
void SetTlsProtocolminToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& context, const String& tlsProtocolmin); void SetTlsProtocolminToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& context, const String& tlsProtocolmin);
int ResolveTlsProtocolVersion(const std::string& version);
String GetCertificateCN(const std::shared_ptr<X509>& certificate); String GetCertificateCN(const std::shared_ptr<X509>& certificate);
std::shared_ptr<X509> GetX509Certificate(const String& pemfile); std::shared_ptr<X509> GetX509Certificate(const String& pemfile);

8
lib/remote/apilistener.cpp
View File

@ -1802,10 +1802,10 @@ void ApiListener::ValidateTlsProtocolmin(const Lazy<String>& lvalue, const Valid
{ {
ObjectImpl<ApiListener>::ValidateTlsProtocolmin(lvalue, utils); ObjectImpl<ApiListener>::ValidateTlsProtocolmin(lvalue, utils);
if (lvalue() != SSL_TXT_TLSV1_2) { try {
String message = "Invalid TLS version. Must be '" SSL_TXT_TLSV1_2 "'"; ResolveTlsProtocolVersion(lvalue());
} catch (const std::exception& ex) {
BOOST_THROW_EXCEPTION(ValidationError(this, { "tls_protocolmin" }, message)); BOOST_THROW_EXCEPTION(ValidationError(this, { "tls_protocolmin" }, ex.what()));
} }
} }