Merge branch 'ent-10120-extend-the-tentacle_server-to-allow-limiting-the-ssl-version-and-cipher-2' into 'develop'

Ent-10120-extend-the-tentacle_server-to-allow-limiting-the-ssl-version-and-cipher-2

See merge request artica/pandorafms!6699
This commit is contained in:
Daniel Rodriguez 2024-02-01 10:21:03 +00:00
commit e658a35229
2 changed files with 42 additions and 12 deletions


@ -72,4 +72,10 @@ log_file /dev/null
# ssl_password 0 # ssl_password 0
# [-T] Use libwrap library (Authen::Libwrap perl module) # [-T] Use libwrap library (Authen::Libwrap perl module)
# use_libwrap 0 # use_libwrap 0
# [-z] Restrict to a specific ssl version
# ssl_version TLSv1_3
# [-u] Restrict to a specific ssl cipher
# ssl_cipher AES256-SHA
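Review bot: The two example values added here do not work together: `AES256-SHA` is a TLS 1.2-and-earlier (CBC/SHA-1) suite name, while a server restricted to `TLSv1_3` negotiates only the TLS 1.3 suites (`TLS_AES_256_GCM_SHA384` and friends), which OpenSSL configures through a separate ciphersuites list, so an operator copying both examples as-is would get a `ssl_cipher` setting with no effect. Pairing the examples consistently, e.g. `# ssl_version TLSv1_2` with `# ssl_cipher ECDHE-RSA-AES256-GCM-SHA384`, and adding a line such as `# ssl_cipher applies to TLS 1.2 and earlier only` would avoid that confusion. The file this hunk belongs to is not named on the page; I assume it is the server's configuration template.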


@ -187,6 +187,12 @@ my $t_proxy_ip = undef;
# Port to proxy client requests to # Port to proxy client requests to
my $t_proxy_port = 41121; my $t_proxy_port = 41121;
# Allowed SSL Cipher
my $t_ssl_cipher= '';
# Allowed SSL Version
my $t_ssl_version= '';
# Proxy socket # Proxy socket
my $t_proxy_socket; my $t_proxy_socket;
@ -230,7 +236,7 @@ sub print_help {
print ("\t-p port\t\tPort to listen on (default $t_port).\n"); print ("\t-p port\t\tPort to listen on (default $t_port).\n");
print ("\t-q\t\tQuiet. Do now print error messages.\n"); print ("\t-q\t\tQuiet. Do now print error messages.\n");
print ("\t-r number\tNumber of retries for network opertions (default $t_retries).\n"); print ("\t-r number\tNumber of retries for network opertions (default $t_retries).\n");
print ("\t-S (install|uninstall|run) Manage the win32 service.\n"); print ("\t-S \t\t(install|uninstall|run) Manage the win32 service.\n");
print ("\t-t time\t\tTime-out for network operations in seconds (default ${t_timeout}s).\n"); print ("\t-t time\t\tTime-out for network operations in seconds (default ${t_timeout}s).\n");
print ("\t-v\t\tBe verbose (display errors).\n"); print ("\t-v\t\tBe verbose (display errors).\n");
print ("\t-V\t\tBe verbose on hard way (display errors and other info).\n"); print ("\t-V\t\tBe verbose on hard way (display errors and other info).\n");
@ -239,7 +245,9 @@ sub print_help {
print ("\t-b ip_address\tProxy requests to the given address.\n"); print ("\t-b ip_address\tProxy requests to the given address.\n");
print ("\t-g port\t\tProxy requests to the given port.\n"); print ("\t-g port\t\tProxy requests to the given port.\n");
print ("\t-T\t\tEnable tcpwrappers support.\n"); print ("\t-T\t\tEnable tcpwrappers support.\n");
print ("\t \t\t(To use this option, 'Authen::Libwrap' should be installed.)\n\n"); print ("\t \t\t(To use this option, 'Authen::Libwrap' should be installed.)\n");
print ("\t-z\t\tRestrict to a specific SSL Version.\n");
print ("\t-u\t\tRestrict to a specific SSL Cipher.\n\n");
} }
################################################################################ ################################################################################
@ -287,7 +295,7 @@ sub parse_options {
my @t_addresses_tmp; my @t_addresses_tmp;
# Get options # Get options
if (getopts ('a:b:c:de:f:F:g:hIi:k:l:m:op:qr:s:S:t:TvVwx:', \%opts) == 0 || defined ($opts{'h'})) { if (getopts ('a:b:c:de:f:F:g:hIi:k:l:m:op:qr:s:S:t:TvVwx:z:u:', \%opts) == 0 || defined ($opts{'h'})) {
print_help (); print_help ();
exit 1; exit 1;
} }
@ -547,6 +555,18 @@ sub parse_options {
} }
} }
# Specific SSL Version
$token_value = get_config_value($opts{'z'}, $CONF->{'ssl_version'});
if (defined ($token_value)) {
$t_ssl_version = $token_value;
}
# Specific SSL Cipher
$token_value = get_config_value($opts{'u'}, $CONF->{'ssl_cipher'});
if (defined ($token_value)) {
$t_ssl_cipher = $token_value;
}
# Win32 service management # Win32 service management
if (defined ($opts{'S'})) { if (defined ($opts{'S'})) {
my $service_action = $opts{'S'}; my $service_action = $opts{'S'};
@ -788,13 +808,19 @@ sub stop_server {
sub start_ssl { sub start_ssl {
my $err; my $err;
my %ssl_args = (
SSL_cert_file => $t_ssl_cert,
SSL_key_file => $t_ssl_key,
SSL_passwd_cb => sub {return $t_ssl_pwd},
SSL_server => 1,
SSL_cipher_list => $t_ssl_cipher // '',
SSL_version => $t_ssl_version // '',
);
if ($t_ssl_ca eq '') { if ($t_ssl_ca eq '') {
IO::Socket::SSL->start_SSL ( IO::Socket::SSL->start_SSL (
$t_client_socket, $t_client_socket,
SSL_cert_file => $t_ssl_cert, %ssl_args,
SSL_key_file => $t_ssl_key,
SSL_passwd_cb => sub {return $t_ssl_pwd},
SSL_server => 1,
# Verify peer # Verify peer
SSL_verify_mode => 0x01, SSL_verify_mode => 0x01,
); );
@ -802,11 +828,8 @@ sub start_ssl {
else { else {
IO::Socket::SSL->start_SSL ( IO::Socket::SSL->start_SSL (
$t_client_socket, $t_client_socket,
%ssl_args,
SSL_ca_file => $t_ssl_ca, SSL_ca_file => $t_ssl_ca,
SSL_cert_file => $t_ssl_cert,
SSL_key_file => $t_ssl_key,
SSL_passwd_cb => sub {return $t_ssl_pwd},
SSL_server => 1,
# Fail verification if no peer certificate exists # Fail verification if no peer certificate exists
SSL_verify_mode => 0x03, SSL_verify_mode => 0x03,
); );
@ -820,6 +843,7 @@ sub start_ssl {
print_log ("SSL started for " . $t_client_socket->sockhost ()); print_log ("SSL started for " . $t_client_socket->sockhost ());
} }
################################################################################ ################################################################################
## SUB accept_connections ## SUB accept_connections
## Manage incoming connections. ## Manage incoming connections.
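Review bot: In the new `%ssl_args` hash (the `@ -788,13 +808,19` hunk of start_ssl) `SSL_cipher_list` and `SSL_version` are always passed, as the empty string when neither `-z`/`-u` nor the config keys are set, so the no-option case now hands IO::Socket::SSL an explicit empty value instead of letting it apply its own defaults; if the library treats a defined-but-empty `SSL_version` as overriding its default selection (`SSLv23:!SSLv3:!SSLv2` in the versions I know), the baseline after this change can be weaker than before, and an invalid `-z` value croaks inside start_ssl rather than being rejected in parse_options. Setting the keys only when configured keeps the previous behaviour: `$ssl_args{SSL_cipher_list} = $t_ssl_cipher if $t_ssl_cipher ne '';` and `$ssl_args{SSL_version} = $t_ssl_version if $t_ssl_version ne '';`, which also drops the `// ''` on both lines, redundant since both variables are initialised to `''` in the `@ -187,6 +187,12` hunk. A comment on `SSL_cipher_list` should state that it restricts only TLS 1.2 and earlier suites, since TLS 1.3 suites are chosen through OpenSSL's separate ciphersuites list (`SSL_ciphersuites` in IO::Socket::SSL), so `-u` has no effect on a `-z TLSv1_3` connection. The two start_SSL calls in the following hunk are unchanged apart from the splice, and the tail of start_ssl between the hunks is not shown.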