tls: Introduce OpenSSL #1
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
michael-redpanda
force-pushed
the
add-openssl-implementation
branch
15 times, most recently
from
01a3d05 to
bda87fc
Compare
michael-redpanda
force-pushed
the
add-openssl-implementation
branch
4 times, most recently
from
0ad0b66 to
2f16ad8
Compare
|
@michael-redpanda - made a subtask for this https://redpandadata.atlassian.net/browse/CORE-7791 Seems that the ossl backend is not raising a |
|
Seems to be failing on https://github.com/redpanda-data/seastar/tree/v24.2.x as well |
|
This is from our fork v24.2.x branch: |
|
oh, duh, that's just where we turned OpenSSL on I guess? prior to that would the openssl have been totally inert, or is there another way to run the tests w/ openssl backend or what? |
michael-redpanda
force-pushed
the
add-openssl-implementation
branch
5 times, most recently
from
939311d to
5638717
Compare
michael-redpanda
force-pushed
the
add-openssl-implementation
branch
3 times, most recently
from
31f5632 to
637a9a3
Compare
Created tls-impl.cc and tls-impl.h which contains common structures and definitions that are not dependent on the underlying TLS mechanism. These changes set the stage for implementing other TLS providers. Signed-off-by: Michael Boquard <[email protected]>
This commit adds support for using OpenSSL, instead of GnuTLS, as the TLS provider within Seastar. To support this change, the configure script has been updated to allow users to select which cryptographic provider should be used by supply `--crypto-provider` and specificying either `OpenSSL` or `GnuTLS`. The OpenSSL implementation mirrors the GnuTLS implementation. Instead of using callbacks, a custom BIO was created to handle moving data on/off of the OpenSSL SSL session into the Seastar TLS session data sinks. When compiled for OpenSSL, the `certificate_credentials::set_priority_string` method is compiled out and replaced with the following: * `set_cipher_string` * `set_ciphersuites` * `enable_server_precedence` * `set_minimum_tls_version` * `set_maximum_tls_version` These methods are specific to OpenSSL. The github actions have been updated to run the full suite of tests against both cryptographic providers. `src/net/tcp.hh` and `src/websocket/server.cc` have been updated to use OpenSSL instead of GnuTLS, depending upon the build configuration. Signed-off-by: Michael Boquard <[email protected]>
A class that wraps around a typical logger that appends useful information about the connection when logging. Added use to the OpenSSL implementation. Signed-off-by: Michael Boquard <[email protected]>
More recent versions of OpenSSL requrire CA certificates to have CA:true Signed-off-by: Michael Boquard <[email protected]>
Now handling situations where the get() call doesn't throw but does return an empty buffer indicating EOF. Signed-off-by: Michael Boquard <[email protected]>
michael-redpanda
force-pushed
the
add-openssl-implementation
branch
from
637a9a3 to
5c709c2
Compare
|
Started upstream PR: scylladb#2569 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Introduces OpenSSL as an alternative TLS implementation to GnuTLS. This is a build-time configuration controlled by the CMake variable
Seastar_USE_OPENSSL. Theconfigure.pyscript has been updated to now have a--crypto-provideroption. Valid arguments to that areOpenSSLandGnuTLS.This implementation was released in Redpanda v24.2 on July 31st, and has been running on production clusters since.
Redpanda implemented these changes in order to provide a FIPS-compliant build to customers that require it (such as those wishing to undergo FedRAMP evaluation). OpenSSL was selected as it allows implementors to maintain the validation of the cryptographic module even when it's built from source.
modules
No changes have been introduced to enable the FIPS provider for Seastar. It is up to the implementor to enable and use the FIPS cryptographic module if desired.
Notes for Redpanda developers:
This implementation is nearly identical to the one we are currently running with the following exceptions:
tls_session_loggeris present only in this PR