From 62ec6bdd9fdd0ea2d10f436018040c0a10c92abd Mon Sep 17 00:00:00 2001
From: Michael Boquard
Date: Fri, 20 Dec 2024 14:04:46 -0500
Subject: [PATCH] tls/ossl: Added option to enable TLS renegotiation

TLS client renegotiation was removed in TLSv1.3 due to vulnerabilities found in the protocol. For safety reasons, it is by default disabled, however an option is provided to re-enable it if desired.

Signed-off-by: Michael Boquard
---
 include/seastar/net/tls.hh | 6 ++++++
 src/net/ossl.cc | 19 ++++++++++++++++++-
 src/net/tls-impl.cc | 8 ++++++++
 3 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/include/seastar/net/tls.hh b/include/seastar/net/tls.hh
index df7fb90e44..03133e0908 100644
--- a/include/seastar/net/tls.hh
+++ b/include/seastar/net/tls.hh
@@ -259,6 +259,10 @@ namespace tls {
 * If unset, will default to the maximum of the underly implementation
 */
 void set_maximum_tls_version(tls_version);
+ /**
+ * @brief Permits TLS renegotiation on TLSv1.2 and below connections
+ */
+ void enable_tls_renegotiation();
 #endif
 
 /**
@@ -392,6 +396,7 @@ namespace tls {
 void enable_server_precedence();
 void set_minimum_tls_version(tls_version);
 void set_maximum_tls_version(tls_version);
+ void enable_tls_renegotiation();
 #endif
 
 void apply_to(certificate_credentials&) const;
@@ -417,6 +422,7 @@ namespace tls {
 sstring _cipher_string;
 sstring _ciphersuites;
 bool _enable_server_precedence = false;
+ bool _enable_tls_renegotiation = false;
 std::optional _min_tls_version;
 std::optional _max_tls_version;
 };
diff --git a/src/net/ossl.cc b/src/net/ossl.cc
index d159e6a11c..eed3b6f4a4 100644
--- a/src/net/ossl.cc
+++ b/src/net/ossl.cc
@@ -593,6 +593,10 @@ class tls::certificate_credentials::impl {
 _enable_server_precedence = true;
 }
 
+ void enable_tls_renegotiation() {
+ _enable_tls_renegotiation = true;
+ }
+
 void set_minimum_tls_version(tls_version version) {
 _min_tls_version.emplace(version);
 }
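Review bot: The Doxygen block added for `enable_tls_renegotiation()` in the first hunk of tls.hh tells the caller what becomes possible but not what they are accepting: that the option is off by default, that it only exists in the build where this declaration is compiled in (it sits above the `#endif` context line, so the enclosing conditional block starts outside the hunk), and that, as the commit message says, renegotiation was dropped from TLSv1.3 because of protocol weaknesses. Allowing a peer to renegotiate also lets it make the server repeat full handshakes, so it is a resource-cost decision as well as a compatibility one. I would extend the comment to `@brief Permits TLS renegotiation on TLSv1.2 and below connections. Disabled by default: renegotiation was removed from TLSv1.3 over protocol weaknesses, and an allowed peer can trigger repeated handshakes, so enable only when a peer requires it.` The builder declaration added in the second hunk of this file has no comment at all and should at least reference this one; the enclosing class bodies start and end outside both hunks.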
@@ -613,6 +617,10 @@ class tls::certificate_credentials::impl {
 return _enable_server_precedence;
 }
 
+ bool is_tls_renegotiation_enabled() {
+ return _enable_tls_renegotiation;
+ }
+
 const std::optional& minimum_tls_version() const noexcept {
 return _min_tls_version;
 }
@@ -658,6 +666,7 @@ class tls::certificate_credentials::impl {
 session_resume_mode _session_resume_mode = session_resume_mode::NONE;
 bool _load_system_trust = false;
 bool _enable_server_precedence = false;
+ bool _enable_tls_renegotiation = false;
 bool _crl_check_flag_set = false;
 };
 
@@ -711,6 +720,10 @@ void tls::certificate_credentials::enable_server_precedence() {
 _impl->enable_server_precedence();
 }
 
+void tls::certificate_credentials::enable_tls_renegotiation() {
+ _impl->enable_tls_renegotiation();
+}
+
 void tls::certificate_credentials::set_minimum_tls_version(tls_version version) {
 _impl->set_minimum_tls_version(version);
 }
@@ -1659,11 +1672,15 @@ class session : public enable_shared_from_this, public session_impl {
 break;
 }
 
- auto options = SSL_OP_ALL | SSL_OP_ALLOW_CLIENT_RENEGOTIATION;
+ auto options = SSL_OP_ALL;
 if (_creds->is_server_precedence_enabled()) {
 options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
 }
 
+ if (_creds->is_tls_renegotiation_enabled()) {
+ options |= SSL_OP_ALLOW_CLIENT_RENEGOTIATION;
+ }
+
 SSL_CTX_set_options(ssl_ctx.get(), options);
 
 switch(_creds->get_session_resume_mode()) {
diff --git a/src/net/tls-impl.cc b/src/net/tls-impl.cc
index b07dceaff1..2a9061f88f 100644
--- a/src/net/tls-impl.cc
+++ b/src/net/tls-impl.cc
@@ -242,6 +242,10 @@ void tls::credentials_builder::enable_server_precedence() {
 _enable_server_precedence = true;
 }
 
+void tls::credentials_builder::enable_tls_renegotiation() {
+ _enable_tls_renegotiation = true;
+}
+
 void tls::credentials_builder::set_minimum_tls_version(tls_version version) {
 _min_tls_version.emplace(version);
 }
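Review bot: The new accessor `bool is_tls_renegotiation_enabled()` is neither `const` nor `noexcept`, whereas the accessor a few lines below it in the same hunk, `minimum_tls_version() const noexcept`, is; a getter that only reads a bool member should be declared `bool is_tls_renegotiation_enabled() const noexcept {`. As written it cannot be called through a const impl, and the class's read-only accessors now differ in style for no reason. The enclosing class starts and ends outside this hunk.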
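Review bot: The new `if (_creds->is_tls_renegotiation_enabled())` block in the session hunk of ossl.cc restores SSL_OP_ALLOW_CLIENT_RENEGOTIATION without any comment recording why the flag became opt-in, and the diffstat shows no test pinning either the new default (renegotiation refused) or the opted-in path. A comment above the block such as `// Client-initiated renegotiation is opt-in: it was removed from TLSv1.3 and lets a peer force repeated handshakes.` would keep the rationale next to the code, and a test that a server built from default credentials rejects a renegotiation request while one with enable_tls_renegotiation() accepts it would guard against the default being silently widened again. As far as I know this option does not relax OpenSSL's secure-renegotiation requirement, so the remaining exposure when it is enabled is handshake cost rather than the original renegotiation weakness, but that should be confirmed against the OpenSSL version the project targets rather than assumed. The enclosing function starts and ends outside this hunk.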
@@ -312,6 +316,10 @@ void tls::credentials_builder::apply_to(certificate_credentials& creds) const {
 creds.enable_server_precedence();
 }
 
+ if (_enable_tls_renegotiation) {
+ creds.enable_tls_renegotiation();
+ }
+
 if (_min_tls_version.has_value()) {
 creds.set_minimum_tls_version(*_min_tls_version);
 }