[icinga-checkins] icinga.org: icinga2/master: Make the cipher list configurable for TLS streams

git at icinga.org git at icinga.org
Mon Jul 18 13:48:06 CEST 2016


Module: icinga2
Branch: master
Commit: 1ca8b293cbed3ac14783ccc29881762e53b7868a
URL:    https://git.icinga.org/?p=icinga2.git;a=commit;h=1ca8b293cbed3ac14783ccc29881762e53b7868a

Author: Uwe Ebel <kobmaki at aol.com>
Date:   Fri Mar 25 21:25:19 2016 +0100

Make the cipher list configurable for TLS streams

fixes #11063

Signed-off-by: Gunnar Beutner <gunnar.beutner at netways.de>

---

 doc/6-object-types.md      |    1 +
 lib/base/tlsutility.cpp    |   23 +++++++++++++++++++++++
 lib/base/tlsutility.hpp    |    1 +
 lib/remote/apilistener.cpp |    9 +++++++++
 lib/remote/apilistener.ti  |    3 +++
 5 files changed, 37 insertions(+)

diff --git a/doc/6-object-types.md b/doc/6-object-types.md
index b192ca0..9e3e7e9 100644
--- a/doc/6-object-types.md
+++ b/doc/6-object-types.md
@@ -50,6 +50,7 @@ Configuration Attributes:
   bind\_port                |**Optional.** The port the api listener should be bound to. Defaults to `5665`.
   accept\_config            |**Optional.** Accept zone configuration. Defaults to `false`.
   accept\_commands          |**Optional.** Accept remote commands. Defaults to `false`.
+  cipher\_list		    |**Optional.** Cipher list that is allowed.
 
 ## <a id="objecttype-apiuser"></a> ApiUser
 
diff --git a/lib/base/tlsutility.cpp b/lib/base/tlsutility.cpp
index 37f53b9..65bb83d 100644
--- a/lib/base/tlsutility.cpp
+++ b/lib/base/tlsutility.cpp
@@ -159,6 +159,29 @@ boost::shared_ptr<SSL_CTX> MakeSSLContext(const String& pubkey, const String& pr
 }
 
 /**
+ * Set the cipher list to the specified SSL context.
+ * @param context The ssl context.
+ * @param cipherList The ciper list.
+ **/
+void SetCipherListToSSLContext(const boost::shared_ptr<SSL_CTX>& context, const String& cipherList)
+{
+	char errbuf[256];
+
+	if (SSL_CTX_set_cipher_list(context.get(), cipherList.CStr()) == 0) {
+		Log(LogCritical, "SSL")
+		    << "Error with cipher list '"
+		    << cipherList
+		    << "' results in no availabe ciphers: "
+		    << ERR_peek_error() << ", \""
+		    << ERR_error_string(ERR_peek_error(), errbuf) << "\"";
+
+		BOOST_THROW_EXCEPTION(openssl_error()
+		    << boost::errinfo_api_function("SSL_CTX_set_cipher_list")
+		    << errinfo_openssl_error(ERR_peek_error()));
+	}
+}
+
+/**
  * Loads a CRL and appends its certificates to the specified SSL context.
  *
  * @param context The SSL context.
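Review bot: The failure path in SetCipherListToSSLContext calls ERR_peek_error() three times and never pops the entry, so the OpenSSL error stays on the thread's error queue after the exception is thrown and can be misattributed to the next TLS operation on that thread; read it once with `unsigned long err = ERR_get_error();` before the Log call and use `err` in the log line, in `ERR_error_string(err, errbuf)` and in `errinfo_openssl_error(err)`. It is also worth a comment on the function that a non-zero return from SSL_CTX_set_cipher_list only means at least one suite matched — unrecognised tokens in the string are dropped silently — so a typo in cipher_list does not surface here. The doc comment has two typos ("ciper list", "availabe"). The 256-byte errbuf satisfies ERR_error_string's 120-byte minimum.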
diff --git a/lib/base/tlsutility.hpp b/lib/base/tlsutility.hpp
index 3bafb26..6a41d48 100644
--- a/lib/base/tlsutility.hpp
+++ b/lib/base/tlsutility.hpp
@@ -40,6 +40,7 @@ namespace icinga
 void I2_BASE_API InitializeOpenSSL(void);
 boost::shared_ptr<SSL_CTX> I2_BASE_API MakeSSLContext(const String& pubkey = String(), const String& privkey = String(), const String& cakey = String());
 void I2_BASE_API AddCRLToSSLContext(const boost::shared_ptr<SSL_CTX>& context, const String& crlPath);
+void I2_BASE_API SetCipherListToSSLContext(const boost::shared_ptr<SSL_CTX>& context, const String& cipherList);
 String I2_BASE_API GetCertificateCN(const boost::shared_ptr<X509>& certificate);
 boost::shared_ptr<X509> I2_BASE_API GetX509Certificate(const String& pemfile);
 int I2_BASE_API MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile = String(), const String& certfile = String(), const String& serialFile = String(), bool ca = false);
diff --git a/lib/remote/apilistener.cpp b/lib/remote/apilistener.cpp
index c51a1a8..4a31eb8 100644
--- a/lib/remote/apilistener.cpp
+++ b/lib/remote/apilistener.cpp
@@ -95,6 +95,15 @@ void ApiListener::OnConfigLoaded(void)
 			    + GetCrlPath() + "'.", GetDebugInfo()));
 		}
 	}
+
+	if (!GetCipherList().IsEmpty()) {
+		try {
+			SetCipherListToSSLContext(m_SSLContext, GetCipherList());
+		} catch (const std::exception&) {
+			BOOST_THROW_EXCEPTION(ScriptError("Cannot set cipher list to SSL context for cipher list: '"
+			    + GetCipherList() + "'.", GetDebugInfo()));
+		}
+	}
 }
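Review bot: The guard at the top of the new block means an explicit `cipher_list = ""` in the config skips SSL_CTX_set_cipher_list entirely and leaves the context on OpenSSL's compiled-in default list, silently discarding the restrictive default the attribute otherwise carries; since an empty value can never be what an operator intended, reject it instead: `if (GetCipherList().IsEmpty())` followed by `BOOST_THROW_EXCEPTION(ScriptError("Attribute 'cipher_list' must not be empty.", GetDebugInfo()));`, then call the setter unconditionally. The catch clause also drops the underlying error: bind it as `catch (const std::exception& ex)` and append `ex.what()` to the ScriptError message so the config-validation output explains why the list was rejected rather than only the critical log line. OnConfigLoaded begins outside this hunk, so I have not seen how m_SSLContext is created before this point.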
 
 void ApiListener::OnAllConfigLoaded(void)
diff --git a/lib/remote/apilistener.ti b/lib/remote/apilistener.ti
index 34e235c..91e4b0e 100644
--- a/lib/remote/apilistener.ti
+++ b/lib/remote/apilistener.ti
@@ -32,6 +32,9 @@ class ApiListener : ConfigObject
 	[config, required] String key_path;
 	[config, required] String ca_path;
 	[config] String crl_path;
+	[config] String cipher_list {
+		default {{{ return "ALL:!LOW:!WEAK:!MEDIUM:!EXP:!NULL"; }}}
+	};
 
 	[config] String bind_host;
 	[config] String bind_port {
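Review bot: `WEAK` is not a keyword in OpenSSL's cipher-string grammar (the strength classes are HIGH, MEDIUM, LOW and EXP), so the `!WEAK` in the default is silently ignored and excludes nothing; meanwhile `ALL` still admits the anonymous (aNULL) Diffie-Hellman suites, which perform no peer authentication. I would change the default to `default {{{ return "ALL:!LOW:!MEDIUM:!EXP:!aNULL:!eNULL"; }}}` — I have not verified whether Icinga's own certificate checks would stop an anonymous suite from completing a handshake, but excluding aNULL is the conventional safeguard and costs nothing here. `!NULL` is redundant since `ALL` already excludes eNULL, though harmless. The object-type documentation should also state this default and that the value is an OpenSSL cipher-list string, so operators know what they are overriding.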


