diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst
index 27bab4dc3bc..223df54af55 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -3126,6 +3126,30 @@ SSL Termination
    connections to origin or next hop.
 
    This configuration works with OpenSSL v1.1.1 and above.
 
+.. ts:cv:: CONFIG proxy.config.ssl.server.groups_list STRING
+
+   Configures the list of supported groups provided by OpenSSL which
+   |TS| will be used to determine the set of shared groups. The value
+   is a colon separated list of group NIDs or names, for example
+   "P-521:P-384:P-256". For instructions, see "Groups" section of
+   `TLS1.3 - OpenSSLWiki `_.
+
+   The current default value with OpenSSL is:
+
+   X25519:P-256:X448:P-521:P-384
+
+   This configuration works with OpenSSL v1.1.1 and above.
+
+.. ts:cv:: CONFIG proxy.config.ssl.client.groups_list STRING
+
+   Configures the list of supported groups provided by OpenSSL which
+   |TS| will use for the "key_share" and "supported groups" extention
+   of TLSv1.3 connections. The value is a colon separated list of
+   group NIDs or names, for example "P-521:P-384:P-256". For
+   instructions, see "Groups" section of `TLS1.3 - OpenSSLWiki `_.
+
+   This configuration works with OpenSSL v1.1.1 and above.
+
 .. ts:cv:: CONFIG proxy.config.ssl.TLSv1 INT 1
 
    Enables (``1``) or disables (``0``) TLSv1.
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index f4cde7abc1d..5a3ae7051f5 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -89,6 +89,8 @@ struct SSLConfigParams : public ConfigInfo {
   char *server_tls13_cipher_suites;
   char *client_tls13_cipher_suites;
+  char *server_groups_list;
+  char *client_groups_list;
 
   static int ssl_maxrecord;
   static bool ssl_allow_client_renegotiation;
diff --git a/iocore/net/SSLClientUtils.cc b/iocore/net/SSLClientUtils.cc
index bb478df7391..4ec7534045f 100644
--- a/iocore/net/SSLClientUtils.cc
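Review bot: The two new `char *` members added to SSLConfigParams in P_SSLConfig.h carry no comment saying what they hold or who owns the string, even though the next reader has to go to SSLConfig.cc to learn that they are allocated by REC_ReadConfigStringAlloc in initialize() and released with ats_free_null in cleanup(). A one-line comment on each would close that gap, e.g. `char *server_groups_list; // colon-separated TLS group list passed to SSL_CTX_set1_groups_list(); nullptr when the record is unset, owned by this struct` with the matching client-side wording on `client_groups_list`. The struct definition continues outside the hunk.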
+++ b/iocore/net/SSLClientUtils.cc
@@ -146,6 +146,15 @@ SSLInitClientContext(const SSLConfigParams *params)
   }
 #endif
 
+#ifdef SSL_CTX_set1_groups_list
+  if (params->client_groups_list != nullptr) {
+    if (!SSL_CTX_set1_groups_list(client_ctx, params->client_groups_list)) {
+      SSLError("invalid groups list for client in records.config");
+      goto fail;
+    }
+  }
+#endif
+
   // if no path is given for the client private key,
   // assume it is contained in the client certificate file.
   clientKeyPtr = params->clientKeyPath;
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 13fcc2fef42..62326af06e2 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -96,6 +96,8 @@ SSLConfigParams::reset()
     nullptr;
   server_tls13_cipher_suites = nullptr;
   client_tls13_cipher_suites = nullptr;
+  server_groups_list = nullptr;
+  client_groups_list = nullptr;
   client_ctx = nullptr;
   clientCertLevel = client_verify_depth = verify_depth = clientVerify = 0;
   ssl_ctx_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
@@ -129,6 +131,8 @@ SSLConfigParams::cleanup()
   server_tls13_cipher_suites = (char *)ats_free_null(server_tls13_cipher_suites);
   client_tls13_cipher_suites = (char *)ats_free_null(client_tls13_cipher_suites);
+  server_groups_list = (char *)ats_free_null(server_groups_list);
+  client_groups_list = (char *)ats_free_null(client_groups_list);
 
   freeCTXmap();
   SSLReleaseContext(client_ctx);
@@ -312,6 +316,8 @@ SSLConfigParams::initialize()
   REC_ReadConfigInt32(async_handshake_enabled, "proxy.config.ssl.async.handshake.enabled");
   REC_ReadConfigStringAlloc(engine_conf_file, "proxy.config.ssl.engine.conf_file");
 
+  REC_ReadConfigStringAlloc(server_groups_list, "proxy.config.ssl.server.groups_list");
+
   // ++++++++++++++++++++++++ Client part ++++++++++++++++++++
   client_verify_depth = 7;
   REC_EstablishStaticConfigByte(clientVerify, "proxy.config.ssl.client.verify.server");
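Review bot: The `#ifdef SSL_CTX_set1_groups_list` guard makes a configured `proxy.config.ssl.client.groups_list` silently ineffective on any build where that name is a real function rather than a macro — it is a macro over SSL_CTX_ctrl() in OpenSSL 1.1.1, but BoringSSL, for instance, declares it as a plain function, so the whole block compiles out and the operator gets no sign that the group restriction they asked for is not applied. An `#else` branch that logs when the record is set but unsupported would make the dropped setting visible; the same applies to the server-side block in the SSLUtils.cc hunk, which uses the identical guard. I have assumed the Diags `Warning()` used elsewhere in the net code is in scope here. SSLInitClientContext starts and ends outside the hunk.
```cpp
// … unchanged: #ifdef SSL_CTX_set1_groups_list block …
#else
  if (params->client_groups_list != nullptr) {
    // A configured group list that cannot be applied should not disappear silently.
    Warning("proxy.config.ssl.client.groups_list is set but SSL_CTX_set1_groups_list is not available in this TLS library; ignoring");
  }
#endif
```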
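Review bot: `REC_ReadConfigStringAlloc(server_groups_list, "proxy.config.ssl.server.groups_list");` hands the raw record value to the SSL_CTX_set1_groups_list() callers, whose only guard is `!= nullptr`; if an operator sets the record to an empty string and the macro yields `""` rather than nullptr (its semantics are not visible here), the OpenSSL call will most likely reject the empty list and the whole context initialisation aborts with the rather opaque "invalid groups list" error instead of behaving as unset. Normalising an empty value to nullptr right after the read, e.g. `if (server_groups_list != nullptr && *server_groups_list == '\0') { server_groups_list = (char *)ats_free_null(server_groups_list); }`, keeps "unset" and "empty" equivalent; the client read in the -338 hunk has the same gap. SSLConfigParams::initialize() continues beyond both hunks.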
@@ -338,6 +344,8 @@ SSLConfigParams::initialize()
   ats_free(clientCACertRelativePath);
   ats_free(ssl_client_ca_cert_filename);
 
+  REC_ReadConfigStringAlloc(client_groups_list, "proxy.config.ssl.client.groups_list");
+
   // Enable/disable sni mapping
   REC_ReadConfigInteger(sni_map_enable, "proxy.config.ssl.sni.map.enable");
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 562e8264288..97f5a56ad09 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -1852,6 +1852,15 @@ SSLInitServerContext(const SSLConfigParams *params, const ssl_user_config *sslMu
   }
 #endif
 
+#ifdef SSL_CTX_set1_groups_list
+  if (params->server_groups_list != nullptr) {
+    if (!SSL_CTX_set1_groups_list(ctx, params->server_groups_list)) {
+      SSLError("invalid groups list for server in records.config");
+      goto fail;
+    }
+  }
+#endif
+
   if (!ssl_context_enable_dhe(params->dhparamsFile, ctx)) {
     goto fail;
   }
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index ac5e95e17d0..360b3d4dc39 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1175,6 +1175,10 @@ static const RecordElement RecordsConfig[] =
   ,
   {RECT_CONFIG, "proxy.config.ssl.cert.load_elevated", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_READ_ONLY}
   ,
+  {RECT_CONFIG, "proxy.config.ssl.server.groups_list", RECD_STRING, nullptr, RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
+  ,
+  {RECT_CONFIG, "proxy.config.ssl.client.groups_list", RECD_STRING, nullptr, RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
+  ,
   //##############################################################################
   //#