Home Explore Help
Sign In
RONCC
/
Big-Data-HPC-Platform
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

HPCC-15237 Make ESP SSL cipher list configurable

Signed-off-by: Anthony Fishbeck <anthony.fishbeck@lexisnexis.com>
Anthony Fishbeck 9 years ago
parent
743767410b
commit
4d61366bd4
3 changed files with 16 additions and 1 deletions
Split View Show Diff Stats
  1. 8 1
      initfiles/componentfiles/configxml/esp.xsd.in
  2. 3 0
      initfiles/componentfiles/configxml/esp.xsl
  3. 5 0
      system/security/securesocket/securesocket.cpp

+ 8 - 1
initfiles/componentfiles/configxml/esp.xsd.in
View File 

@@ -323,7 +323,14 @@
 
 		         <xs:appinfo>
 
 		            <docid>ESP.t5</docid>
 
 		         </xs:appinfo>
 
-		      </xs:annotation>  
+		      </xs:annotation>
 
+                       <xs:attribute name="cipherList" type="xs:string" use="optional" default="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5">
 
+                            <xs:annotation>
 
+                                <xs:appinfo>
 
+                                    <tooltip>Sets the ordered list of available ciphers for use by openssl.  See openssl documentation on ciphers for information on use and formatting.</tooltip>
 
+                                </xs:appinfo>
 
+                            </xs:annotation>
 
+                        </xs:attribute>
 
                         <xs:attribute name="certificateFileName" type="xs:string" use="optional" default="certificate.cer">
 
                             <xs:annotation>
 
                                 <xs:appinfo>

+ 3 - 0
initfiles/componentfiles/configxml/esp.xsl
View File 

@@ -163,6 +163,9 @@
 
                     <passphrase>
 
                         <xsl:value-of select="HTTPS/@passphrase"/>
 
                     </passphrase>
 
+                    <cipherList>
 
+                        <xsl:value-of select="HTTPS/@cipherList"/>
 
+                    </cipherList>
 
                     <verify enable="{HTTPS/@enableVerification}" address_match="{HTTPS/@requireAddressMatch}" accept_selfsigned="{HTTPS/@acceptSelfSigned}">
 
                         <ca_certificates path="{HTTPS/@CA_Certificates_Path}"/>
 
                         <trusted_peers><xsl:value-of select="HTTPS/@trustedPeers"/></trusted_peers>

+ 5 - 0
system/security/securesocket/securesocket.cpp
View File 

@@ -932,6 +932,11 @@ public:
 
             throw MakeStringException(-1, "ctx can't be created");
 
         }
 
 
+        const char *cipherList = config->queryProp("cipherList");
 
+        if (!cipherList || !*cipherList)
 
+            cipherList = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5";
 
+        SSL_CTX_set_cipher_list(m_ctx, cipherList);
 
+
 
         const char* passphrase = config->queryProp("passphrase");
 
         if(passphrase && *passphrase)
 
         {