tls/ossl: Added option to enable TLS renegotiation

TLS client renegotiation was removed in TLSv1.3 due to vulnerabilities
found in the protocol.  For safety reasons, it is by default disabled,
however an option is provided to re-enable it if desired.

Signed-off-by: Michael Boquard <[email protected]>

include/seastar/net/tls.hh

@@ -259,6 +259,10 @@ namespace tls {
          * If unset, will default to the maximum of the underly implementation
          */
         void set_maximum_tls_version(tls_version);
+        /**
+         * @brief Permits TLS renegotiation on TLSv1.2 and below connections
+         */
+        void enable_tls_renegotiation();
 #endif
 
         /**
@@ -392,6 +396,7 @@ namespace tls {
         void enable_server_precedence();
         void set_minimum_tls_version(tls_version);
         void set_maximum_tls_version(tls_version);
+        void enable_tls_renegotiation();
 #endif
 
         void apply_to(certificate_credentials&) const;
@@ -417,6 +422,7 @@ namespace tls {
         sstring _cipher_string;
         sstring _ciphersuites;
         bool _enable_server_precedence = false;
+        bool _enable_tls_renegotiation = false;
         std::optional<tls_version> _min_tls_version;
         std::optional<tls_version> _max_tls_version;
     };

src/net/ossl.cc

@@ -593,6 +593,10 @@ class tls::certificate_credentials::impl {
         _enable_server_precedence = true;
     }
 
+    void enable_tls_renegotiation() {
+        _enable_tls_renegotiation = true;
+    }
+
     void set_minimum_tls_version(tls_version version) {
         _min_tls_version.emplace(version);
     }
@@ -613,6 +617,10 @@ class tls::certificate_credentials::impl {
         return _enable_server_precedence;
     }
 
+    bool is_tls_renegotiation_enabled() {
+        return _enable_tls_renegotiation;
+    }
+
     const std::optional<tls_version>& minimum_tls_version() const noexcept {
         return _min_tls_version;
     }
@@ -658,6 +666,7 @@ class tls::certificate_credentials::impl {
     session_resume_mode _session_resume_mode = session_resume_mode::NONE;
     bool _load_system_trust = false;
     bool _enable_server_precedence = false;
+    bool _enable_tls_renegotiation = false;
     bool _crl_check_flag_set = false;
 
 };
@@ -711,6 +720,10 @@ void tls::certificate_credentials::enable_server_precedence() {
     _impl->enable_server_precedence();
 }
 
+void tls::certificate_credentials::enable_tls_renegotiation() {
+    _impl->enable_tls_renegotiation();
+}
+
 void tls::certificate_credentials::set_minimum_tls_version(tls_version version) {
     _impl->set_minimum_tls_version(version);
 }
@@ -1659,11 +1672,15 @@ class session : public enable_shared_from_this<session>, public session_impl {
                 break;
             }
 
-            auto options = SSL_OP_ALL | SSL_OP_ALLOW_CLIENT_RENEGOTIATION;
+            auto options = SSL_OP_ALL;
             if (_creds->is_server_precedence_enabled()) {
                 options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
             }
 
+            if (_creds->is_tls_renegotiation_enabled()) {
+                options |= SSL_OP_ALLOW_CLIENT_RENEGOTIATION;
+            }
+
             SSL_CTX_set_options(ssl_ctx.get(), options);
 
             switch(_creds->get_session_resume_mode()) {

src/net/tls-impl.cc

@@ -242,6 +242,10 @@ void tls::credentials_builder::enable_server_precedence() {
     _enable_server_precedence = true;
 }
 
+void tls::credentials_builder::enable_tls_renegotiation() {
+    _enable_tls_renegotiation = true;
+}
+
 void tls::credentials_builder::set_minimum_tls_version(tls_version version) {
     _min_tls_version.emplace(version);
 }
@@ -312,6 +316,10 @@ void tls::credentials_builder::apply_to(certificate_credentials& creds) const {
         creds.enable_server_precedence();
     }
 
+    if (_enable_tls_renegotiation) {
+        creds.enable_tls_renegotiation();
+    }
+
     if (_min_tls_version.has_value()) {
         creds.set_minimum_tls_version(*_min_tls_version);
     }