diff --git a/include/seastar/net/tls.hh b/include/seastar/net/tls.hh index df7fb90e44..03133e0908 100644 --- a/include/seastar/net/tls.hh +++ b/include/seastar/net/tls.hh @@ -259,6 +259,10 @@ namespace tls { * If unset, will default to the maximum of the underly implementation */ void set_maximum_tls_version(tls_version); + /** + * @brief Permits TLS renegotiation on TLSv1.2 and below connections + */ + void enable_tls_renegotiation(); #endif /** @@ -392,6 +396,7 @@ namespace tls { void enable_server_precedence(); void set_minimum_tls_version(tls_version); void set_maximum_tls_version(tls_version); + void enable_tls_renegotiation(); #endif void apply_to(certificate_credentials&) const; @@ -417,6 +422,7 @@ namespace tls { sstring _cipher_string; sstring _ciphersuites; bool _enable_server_precedence = false; + bool _enable_tls_renegotiation = false; std::optional _min_tls_version; std::optional _max_tls_version; }; diff --git a/src/net/ossl.cc b/src/net/ossl.cc index d159e6a11c..eed3b6f4a4 100644 --- a/src/net/ossl.cc +++ b/src/net/ossl.cc @@ -593,6 +593,10 @@ class tls::certificate_credentials::impl { _enable_server_precedence = true; } + void enable_tls_renegotiation() { + _enable_tls_renegotiation = true; + } + void set_minimum_tls_version(tls_version version) { _min_tls_version.emplace(version); } @@ -613,6 +617,10 @@ class tls::certificate_credentials::impl { return _enable_server_precedence; } + bool is_tls_renegotiation_enabled() { + return _enable_tls_renegotiation; + } + const std::optional& minimum_tls_version() const noexcept { return _min_tls_version; } @@ -658,6 +666,7 @@ class tls::certificate_credentials::impl { session_resume_mode _session_resume_mode = session_resume_mode::NONE; bool _load_system_trust = false; bool _enable_server_precedence = false; + bool _enable_tls_renegotiation = false; bool _crl_check_flag_set = false; }; 
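Review bot: The new `@brief` on `enable_tls_renegotiation()` in the first tls.hh hunk says what the switch permits but not that renegotiation is now off by default or why a caller should leave it off, and the `credentials_builder` declaration in the second hunk has no comment at all. Because the old code set `SSL_OP_ALLOW_CLIENT_RENEGOTIATION` unconditionally, this commit changes the default, and deployments that relied on renegotiation will only find out when a peer's renegotiation attempt fails. I would extend the comment to something like `Allows the peer to initiate renegotiation on TLSv1.2 and earlier. Off by default: client-initiated renegotiation lets a peer force the server into repeated handshakes; TLS 1.3 has no renegotiation and is unaffected.` and put a one-line pointer to it on the builder declaration. Presumably both declarations sit inside the same OpenSSL-only `#if` block as `set_maximum_tls_version`; the `#endif` is visible here but the opening condition is not.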
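Review bot: `is_tls_renegotiation_enabled()` in the ossl.cc `@@ -613` hunk is declared neither `const` nor `noexcept`, unlike the neighbouring `minimum_tls_version() const noexcept`; it only reads a bool member, so `bool is_tls_renegotiation_enabled() const noexcept { return _enable_tls_renegotiation; }` matches the sibling accessor and keeps it callable through a const `impl`. Whether `is_server_precedence_enabled()` just above it is const cannot be seen in this hunk; if it is not, the two should be made consistent together.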
@@ -711,6 +720,10 @@ void tls::certificate_credentials::enable_server_precedence() { _impl->enable_server_precedence(); } +void tls::certificate_credentials::enable_tls_renegotiation() { + _impl->enable_tls_renegotiation(); +} + void tls::certificate_credentials::set_minimum_tls_version(tls_version version) { _impl->set_minimum_tls_version(version); } @@ -1659,11 +1672,15 @@ class session : public enable_shared_from_this, public session_impl { break; } - auto options = SSL_OP_ALL | SSL_OP_ALLOW_CLIENT_RENEGOTIATION; + auto options = SSL_OP_ALL; if (_creds->is_server_precedence_enabled()) { options |= SSL_OP_CIPHER_SERVER_PREFERENCE; } + if (_creds->is_tls_renegotiation_enabled()) { + options |= SSL_OP_ALLOW_CLIENT_RENEGOTIATION; + } + SSL_CTX_set_options(ssl_ctx.get(), options); switch(_creds->get_session_resume_mode()) { diff --git a/src/net/tls-impl.cc b/src/net/tls-impl.cc index b07dceaff1..2a9061f88f 100644 --- a/src/net/tls-impl.cc +++ b/src/net/tls-impl.cc @@ -242,6 +242,10 @@ void tls::credentials_builder::enable_server_precedence() { _enable_server_precedence = true; } +void tls::credentials_builder::enable_tls_renegotiation() { + _enable_tls_renegotiation = true; +} + void tls::credentials_builder::set_minimum_tls_version(tls_version version) { _min_tls_version.emplace(version); } @@ -312,6 +316,10 @@ void tls::credentials_builder::apply_to(certificate_credentials& creds) const { creds.enable_server_precedence(); } + if (_enable_tls_renegotiation) { + creds.enable_tls_renegotiation(); + } + if (_min_tls_version.has_value()) { creds.set_minimum_tls_version(*_min_tls_version); }
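Review bot: The session hunk in ossl.cc (`@@ -1659`) now gates `SSL_OP_ALLOW_CLIENT_RENEGOTIATION` on the credentials but leaves no comment saying why the flag was removed from the unconditional `options`, so a later reader who sees only `SSL_OP_ALL` may put it back. A short why-comment above the new `if`, e.g. `// Client-initiated renegotiation is opt-in: it lets a peer force repeated handshakes and only applies to TLS <= 1.2.`, records the intent next to the code. The enclosing function starts before the hunk; `SSL_OP_ALLOW_CLIENT_RENEGOTIATION` is a server-side option in OpenSSL, so presumably the setting matters only for server sessions, which the comment could also state once confirmed.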