
HPCC-15237 Make ESP SSL cipher list configurable

Signed-off-by: Anthony Fishbeck <anthony.fishbeck@lexisnexis.com>
Anthony Fishbeck 9 years ago
parent
commit
4d61366bd4

+ 8 - 1
initfiles/componentfiles/configxml/esp.xsd.in

@@ -323,7 +323,14 @@
 		         <xs:appinfo>
 		            <docid>ESP.t5</docid>
 		         </xs:appinfo>
-		      </xs:annotation>  
+		      </xs:annotation>
+                       <xs:attribute name="cipherList" type="xs:string" use="optional" default="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5">
+                            <xs:annotation>
+                                <xs:appinfo>
+                                    <tooltip>Sets the ordered list of available ciphers for use by openssl.  See openssl documentation on ciphers for information on use and formatting.</tooltip>
+                                </xs:appinfo>
+                            </xs:annotation>
+                        </xs:attribute>
                         <xs:attribute name="certificateFileName" type="xs:string" use="optional" default="certificate.cer">
                             <xs:annotation>
                                 <xs:appinfo>
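Review bot: The tooltip on the new cipherList attribute does not say what an empty value means, while the securesocket.cpp hunk in this same commit silently substitutes the same built-in string when the property is missing or empty, so the two copies of that default have to be kept in sync by hand. Suggest extending the tooltip with `Leave empty to use the built-in default list.` and placing an XML comment above the attribute, `<!-- default must match the fallback in system/security/securesocket/securesocket.cpp -->`. The new `<xs:attribute>` line is also indented one column less than the sibling certificateFileName attribute directly below it, which makes the two look like different nesting levels.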

+ 3 - 0
initfiles/componentfiles/configxml/esp.xsl

@@ -163,6 +163,9 @@
                     <passphrase>
                         <xsl:value-of select="HTTPS/@passphrase"/>
                     </passphrase>
+                    <cipherList>
+                        <xsl:value-of select="HTTPS/@cipherList"/>
+                    </cipherList>
                     <verify enable="{HTTPS/@enableVerification}" address_match="{HTTPS/@requireAddressMatch}" accept_selfsigned="{HTTPS/@acceptSelfSigned}">
                         <ca_certificates path="{HTTPS/@CA_Certificates_Path}"/>
                         <trusted_peers><xsl:value-of select="HTTPS/@trustedPeers"/></trusted_peers>

+ 5 - 0
system/security/securesocket/securesocket.cpp

@@ -932,6 +932,11 @@ public:
             throw MakeStringException(-1, "ctx can't be created");
         }
 
+        const char *cipherList = config->queryProp("cipherList");
+        if (!cipherList || !*cipherList)
+            cipherList = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5";
+        SSL_CTX_set_cipher_list(m_ctx, cipherList);
+
         const char* passphrase = config->queryProp("passphrase");
         if(passphrase && *passphrase)
         {
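Review bot: The return value of SSL_CTX_set_cipher_list on the last added line is ignored, so a mistyped or unsupported cipherList from the configuration leaves m_ctx on OpenSSL's compiled-in default cipher set with no error reported, which defeats the purpose of making the list configurable. Checking it in the style of the ctx check just above the hunk, `if (!SSL_CTX_set_cipher_list(m_ctx, cipherList))` followed by `throw MakeStringException(-1, "Failed to set SSL cipher list");`, fails startup loudly instead. The hard-coded fallback string duplicates the default in esp.xsd.in; a comment such as `// keep in sync with the cipherList default in initfiles/componentfiles/configxml/esp.xsd.in` would help whoever tightens the list later, and the fallback still admits 3DES and non-forward-secret RSA key exchange, which is worth noting when that review happens. The enclosing function starts and ends outside the hunk.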