From gmur...@apache.org
Subject qpid-dispatch git commit: DISPATCH-844 - Added cipher field to sslProfile object. This will allow users to disable weak ciphers in an SSL connection
Date Mon, 02 Oct 2017 20:53:22 GMT
Repository: qpid-dispatch
Updated Branches:
  refs/heads/master 272398ddc -> a33dd4602


DISPATCH-844 - Added cipher field to sslProfile object. This will allow users to disable weak
ciphers in an SSL connection


Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/a33dd460
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/a33dd460
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/a33dd460

Branch: refs/heads/master
Commit: a33dd4602b6a08a808eb72d1e4bf514c30478908
Parents: 272398d
Author: Ganesh Murthy <gmurthy@redhat.com>
Authored: Fri Sep 29 14:13:40 2017 -0400
Committer: Ganesh Murthy <gmurthy@redhat.com>
Committed: Mon Oct 2 16:50:03 2017 -0400

----------------------------------------------------------------------
 include/qpid/dispatch/server.h                |  5 +++++
 python/qpid_dispatch/management/qdrouter.json |  5 +++++
 src/connection_manager.c                      | 24 +++++++++++++++-------
 src/http-libwebsockets.c                      |  2 ++
 src/server.c                                  | 15 ++++++++++++++
 tests/system_tests_http.py                    |  4 +---
 tests/system_tests_sasl_plain.py              |  1 +
 7 files changed, 46 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/a33dd460/include/qpid/dispatch/server.h
----------------------------------------------------------------------
diff --git a/include/qpid/dispatch/server.h b/include/qpid/dispatch/server.h
index 472fda6..bd51fa6 100644
--- a/include/qpid/dispatch/server.h
+++ b/include/qpid/dispatch/server.h
@@ -301,6 +301,11 @@ typedef struct qd_server_config_t {
     bool ssl_require_peer_authentication;
 
     /**
+     * Specifies the enabled ciphers so the SSL Ciphers can be hardened.
+     */
+    char *ciphers;
+
+    /**
      * Allow the connection to be redirected by the peer (via CLOSE->Redirect).  This
is
      * meaningful for outgoing (connector) connections only.
      */
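Review bot: The comment on the new `ciphers` field says what the field is for but not its syntax, whether NULL is allowed, or who owns the string, so a reader of server.h cannot tell how to populate or release it. I would replace it with `Cipher list in OpenSSL cipher-string syntax; NULL leaves the SSL library's default list untouched. Heap-owned: set by load_server_config, freed by qd_server_config_free.` The NULL-means-default reading follows from the `if (config->ciphers)` guards the same commit adds in server.c; the ownership half follows from the connection_manager.c hunks. The qd_server_config_t declaration begins and ends outside this hunk.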

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/a33dd460/python/qpid_dispatch/management/qdrouter.json
----------------------------------------------------------------------
diff --git a/python/qpid_dispatch/management/qdrouter.json b/python/qpid_dispatch/management/qdrouter.json
index aeebe9a..c7dabc8 100644
--- a/python/qpid_dispatch/management/qdrouter.json
+++ b/python/qpid_dispatch/management/qdrouter.json
@@ -507,6 +507,11 @@
             "extends": "configurationEntity",
             "operations": ["CREATE", "DELETE"],
             "attributes": {
+                "ciphers": {
+                    "type": "string",
+                    "description": "Specifies the enabled ciphers so the SSL Ciphers can
be hardened. In other words, use this field to disable weak ciphers. The ciphers are specified
in the format understood by the OpenSSL library. For example, ciphers can be set to ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
-- The full list of allowed ciphers can be viewed using the openssl ciphers command",
+                    "create": true
+                },            
                 "certDb": {
                     "type": "path",
                     "description": "The absolute path to the database that contains the public
certificates of trusted certificate authorities (CA).",
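Review bot: The example in the new `ciphers` description contradicts the purpose stated two sentences earlier: `ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP` keeps LOW, EXP and SSLv2-grade suites and RC4 enabled (ALL already includes them and a `+` prefix only reorders), so an operator who copies it weakens the listener rather than hardening it. I would use the list the commit's own tests configure, `ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS`, as the example instead. The description could also say what a rejected string does — from the server.c hunk a listener using the profile fails with "Cannot set ciphers" while a connector only logs — and the line closing the attribute, `},            `, carries trailing whitespace.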

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/a33dd460/src/connection_manager.c
----------------------------------------------------------------------
diff --git a/src/connection_manager.c b/src/connection_manager.c
index f9e0e76..9a9d61d 100644
--- a/src/connection_manager.c
+++ b/src/connection_manager.c
@@ -44,6 +44,7 @@ struct qd_config_ssl_profile_t {
     char        *ssl_display_name_file;
     char        *ssl_certificate_file;
     char        *ssl_private_key_file;
+    char        *ciphers;
 };
 
 DEQ_DECLARE(qd_config_ssl_profile_t, qd_config_ssl_profile_list_t);
@@ -138,13 +139,14 @@ void qd_server_config_free(qd_server_config_t *cf)
     if (cf->failover_list)   qd_failover_list_free(cf->failover_list);
     if (cf->log_message)     free(cf->log_message);
 
-    if (cf->ssl_certificate_file) free(cf->ssl_certificate_file);
-    if (cf->ssl_private_key_file) free(cf->ssl_private_key_file);
-    if (cf->ssl_password) free(cf->ssl_password);
+    if (cf->ssl_certificate_file)       free(cf->ssl_certificate_file);
+    if (cf->ssl_private_key_file)       free(cf->ssl_private_key_file);
+    if (cf->ciphers)                    free(cf->ciphers);
+    if (cf->ssl_password)               free(cf->ssl_password);
     if (cf->ssl_trusted_certificate_db) free(cf->ssl_trusted_certificate_db);
-    if (cf->ssl_trusted_certificates) free(cf->ssl_trusted_certificates);
-    if (cf->ssl_uid_format) free(cf->ssl_uid_format);
-    if (cf->ssl_display_name_file) free(cf->ssl_display_name_file);
+    if (cf->ssl_trusted_certificates)   free(cf->ssl_trusted_certificates);
+    if (cf->ssl_uid_format)             free(cf->ssl_uid_format);
+    if (cf->ssl_display_name_file)      free(cf->ssl_display_name_file);
     memset(cf, 0, sizeof(*cf));
 }
 
@@ -383,6 +385,7 @@ static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t
*conf
         if (ssl_profile) {
             config->ssl_certificate_file = SSTRDUP(ssl_profile->ssl_certificate_file);
             config->ssl_private_key_file = SSTRDUP(ssl_profile->ssl_private_key_file);
+            config->ciphers = SSTRDUP(ssl_profile->ciphers);
             config->ssl_password = SSTRDUP(ssl_profile->ssl_password);
             config->ssl_trusted_certificate_db = SSTRDUP(ssl_profile->ssl_trusted_certificate_db);
             config->ssl_trusted_certificates = SSTRDUP(ssl_profile->ssl_trusted_certificates);
@@ -421,6 +424,12 @@ static qd_error_t load_server_config(qd_dispatch_t *qd, qd_server_config_t
*conf
                         }
                     }
                 }
+                if (auth_ssl_profile->ciphers) {
+                    if (pn_ssl_domain_set_ciphers(config->auth_ssl_conf, auth_ssl_profile->ciphers))
{
+                        return qd_error(QD_ERROR_RUNTIME, "Cannot set ciphers. The ciphers
string might be invalid. Use openssl ciphers -v <ciphers> to validate");
+                    }
+                }
+
             }
         } else {
             qd_error(QD_ERROR_RUNTIME, "Cannot find sasl plugin %s", config->sasl_plugin);
CHECK();
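Review bot: The failure branch on the new `pn_ssl_domain_set_ciphers` call returns `qd_error(QD_ERROR_RUNTIME, ...)` directly, while the neighbouring error in the same function, visible two lines below, reports through `qd_error(...); CHECK();`; the two styles unwind differently and mixing them in one function makes the error path harder to follow. What CHECK() does on error, and whether `config->auth_ssl_conf` (already allocated at this point) is released on the direct return, is not visible here because load_server_config begins and ends outside the hunk, so both are worth confirming. If the function's other exits all go through CHECK(), `qd_error(QD_ERROR_RUNTIME, "Cannot set ciphers. ..."); CHECK();` would match.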
@@ -461,6 +470,7 @@ static bool config_ssl_profile_free(qd_connection_manager_t *cm, qd_config_ssl_p
     free(ssl_profile->ssl_display_name_file);
     free(ssl_profile->ssl_certificate_file);
     free(ssl_profile->ssl_private_key_file);
+    free(ssl_profile->ciphers);
     free(ssl_profile);
     return true;
 
@@ -523,7 +533,7 @@ qd_config_ssl_profile_t *qd_dispatch_configure_ssl_profile(qd_dispatch_t
*qd, qd
         }
         free(password_file);
     }
-
+    ssl_profile->ciphers = qd_entity_opt_string(entity, "ciphers", 0); CHECK();
     ssl_profile->ssl_trusted_certificate_db = qd_entity_opt_string(entity, "certDb", 0);
CHECK();
     ssl_profile->ssl_trusted_certificates   = qd_entity_opt_string(entity, "trustedCerts",
0); CHECK();
     ssl_profile->ssl_uid_format             = qd_entity_opt_string(entity, "uidFormat",
0); CHECK();

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/a33dd460/src/http-libwebsockets.c
----------------------------------------------------------------------
diff --git a/src/http-libwebsockets.c b/src/http-libwebsockets.c
index 502b937..990d694 100644
--- a/src/http-libwebsockets.c
+++ b/src/http-libwebsockets.c
@@ -286,6 +286,8 @@ static void listener_start(qd_http_listener_t *hl, qd_http_server_t *hs)
{
         info.ssl_private_key_filepath = config->ssl_private_key_file;
         info.ssl_private_key_password = config->ssl_password;
         info.ssl_ca_filepath = config->ssl_trusted_certificates;
+        info.ssl_cipher_list = config->ciphers;
+
         info.options |=
             LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT |
             (config->ssl_required ? 0 : LWS_SERVER_OPTION_ALLOW_NON_SSL_ON_SSL_PORT) |
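Review bot: `info.ssl_cipher_list = config->ciphers;` hands the string to libwebsockets without the validation the proton paths get in server.c, so a rejected cipher string on an HTTP listener surfaces, if at all, only through whatever libwebsockets returns from context/vhost creation later in listener_start, which is outside this hunk; worth confirming that return is checked and logged with a diagnostic comparable to the `Cannot set ciphers` error elsewhere in the commit. It is also worth confirming that libwebsockets treats a NULL `ssl_cipher_list` as "use the default list", since `config->ciphers` is NULL whenever the sslProfile omits the field. A short comment would record that once verified: `// ciphers may be NULL when the sslProfile omits it; lws is expected to fall back to its default list — confirm`.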

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/a33dd460/src/server.c
----------------------------------------------------------------------
diff --git a/src/server.c b/src/server.c
index 4b96ffb..88144a5 100644
--- a/src/server.c
+++ b/src/server.c
@@ -380,6 +380,13 @@ static qd_error_t listener_setup_ssl(qd_connection_t *ctx, const qd_server_confi
         }
     }
 
+    if (config->ciphers) {
+        if (pn_ssl_domain_set_ciphers(domain, config->ciphers)) {
+            pn_ssl_domain_free(domain);
+            return qd_error(QD_ERROR_RUNTIME, "Cannot set ciphers. The ciphers string might
be invalid. Use openssl ciphers -v <ciphers> to validate");
+        }
+    }
+
     const char *trusted = config->ssl_trusted_certificate_db;
     if (config->ssl_trusted_certificates)
         trusted = config->ssl_trusted_certificates;
@@ -1030,6 +1037,14 @@ static void setup_ssl_sasl_and_open(qd_connection_t *ctx)
             }
         }
 
+        if (config->ciphers) {
+            if (pn_ssl_domain_set_ciphers(domain, config->ciphers)) {
+                qd_log(ct->server->log_source, QD_LOG_ERROR,
+                       "SSL cipher configuration failed for %s:%s",
+                       config->host, config->port);
+            }
+        }
+
         //If ssl is enabled and verify_host_name is true, instruct proton to verify peer
name
         if (config->verify_host_name) {
             if (pn_ssl_domain_set_peer_authentication(domain, PN_SSL_VERIFY_PEER_NAME, NULL))
{
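Review bot: The connector path in this hunk only logs when `pn_ssl_domain_set_ciphers` fails and then proceeds with the domain's unrestricted default list, whereas the listener path in the first hunk of this file frees the domain and returns an error. A connector whose operator explicitly restricted ciphers therefore opens with the full default list after a misconfiguration, which defeats the purpose of the field; not opening the connection on this failure would match the listener behaviour. How setup_ssl_sasl_and_open treats its other pn_ssl_domain_* failures is outside the hunk, so whichever fail-closed path it already has should be reused rather than inventing a new one. The log message could also carry the same hint the listener error gives, e.g. `"SSL cipher configuration failed for %s:%s (invalid cipher string? use openssl ciphers -v to validate)"`.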

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/a33dd460/tests/system_tests_http.py
----------------------------------------------------------------------
diff --git a/tests/system_tests_http.py b/tests/system_tests_http.py
index 5450097..adfbd54 100644
--- a/tests/system_tests_http.py
+++ b/tests/system_tests_http.py
@@ -19,10 +19,7 @@
 
 import unittest, os, json, threading, sys, ssl, urllib2
 import ssl
-import run
-from subprocess import PIPE, Popen, STDOUT
 from system_test import TestCase, Qdrouterd, main_module, DIR, TIMEOUT, Process
-from qpid_dispatch.management.client import Node
 
 class RouterTestHttp(TestCase):
 
@@ -111,6 +108,7 @@ class RouterTestHttp(TestCase):
                             'certDb': self.ssl_file('ca-certificate.pem'),
                             'certFile': self.ssl_file('server-certificate.pem'),
                             'keyFile': self.ssl_file('server-private-key.pem'),
+                            'ciphers': 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS',
                             'password': 'server-password'
             }),
             listener(sslProfile='simple-ssl', requireSsl=False, authenticatePeer=False),
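Review bot: The new `ciphers` entry only exercises the configuration path: the router starts with a restricted list, but no assertion checks that a client offering only an excluded suite is refused, nor that an invalid cipher string is rejected with the new error, so a regression that silently ignored the field would still pass. One negative test per profile — a client-side `ssl` context restricted to a suite the list excludes, expecting the handshake to fail — would pin the behaviour the commit title promises. The same literal is repeated verbatim in the system_tests_sasl_plain.py hunk; hoisting it into a shared constant in system_test, which both files already import from, would keep the two in step.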

http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/a33dd460/tests/system_tests_sasl_plain.py
----------------------------------------------------------------------
diff --git a/tests/system_tests_sasl_plain.py b/tests/system_tests_sasl_plain.py
index 79632ea..05e591f 100644
--- a/tests/system_tests_sasl_plain.py
+++ b/tests/system_tests_sasl_plain.py
@@ -226,6 +226,7 @@ class RouterTestPlainSaslOverSsl(RouterTestPlainSaslCommon):
                                      'certDb': cls.ssl_file('ca-certificate.pem'),
                                      'certFile': cls.ssl_file('server-certificate.pem'),
                                      'keyFile': cls.ssl_file('server-private-key.pem'),
+                                     'ciphers': 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS',
                                      'password': 'server-password'}),
                      ('router', {'workerThreads': 1,
                                  'id': 'QDR.X',



