Diffstat (limited to 'libnetdata/socket/security.c')
-rw-r--r-- | libnetdata/socket/security.c | 131 |
1 files changed, 86 insertions, 45 deletions
diff --git a/libnetdata/socket/security.c b/libnetdata/socket/security.c index ab324a16..53366c4d 100644 --- a/libnetdata/socket/security.c +++ b/libnetdata/socket/security.c @@ -2,11 +2,13 @@ #ifdef ENABLE_HTTPS -SSL_CTX *netdata_opentsdb_ctx=NULL; +SSL_CTX *netdata_exporting_ctx=NULL; SSL_CTX *netdata_client_ctx=NULL; SSL_CTX *netdata_srv_ctx=NULL; const char *security_key=NULL; const char *security_cert=NULL; +const char *tls_version=NULL; +const char *tls_ciphers=NULL; int netdata_validate_server = NETDATA_SSL_VALID_CERTIFICATE; /** @@ -32,14 +34,12 @@ static void security_info_callback(const SSL *ssl, int where, int ret __maybe_un */ void security_openssl_library() { -#if OPENSSL_VERSION_NUMBER < 0x10100000L -# if (SSLEAY_VERSION_NUMBER >= 0x0907000L) +#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110 +# if (SSLEAY_VERSION_NUMBER >= OPENSSL_VERSION_097) OPENSSL_config(NULL); # endif -# if OPENSSL_API_COMPAT < 0x10100000L SSL_load_error_strings(); -# endif SSL_library_init(); #else 
@@ -49,32 +49,64 @@ void security_openssl_library() #endif } +#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_110 +/** + * TLS version + * + * Returns the TLS version depending of the user input. + * + * @param lversion is the user input. + * + * @return it returns the version number. + */ +int tls_select_version(const char *lversion) { + if (!strcmp(lversion, "1") || !strcmp(lversion, "1.0")) + return TLS1_VERSION; + else if (!strcmp(lversion, "1.1")) + return TLS1_1_VERSION; + else if (!strcmp(lversion, "1.2")) + return TLS1_2_VERSION; +#if defined(TLS1_3_VERSION) + else if (!strcmp(lversion, "1.3")) + return TLS1_3_VERSION; +#endif + +#if defined(TLS_MAX_VERSION) + return TLS_MAX_VERSION; +#else + return TLS1_2_VERSION; +#endif +} +#endif + /** * OpenSSL common options * * Clients and SERVER have common options, this function is responsible to set them in the context. * - * @param ctx + * @param ctx the initialized SSL context. + * @param side 0 means server, and 1 client. */ -void security_openssl_common_options(SSL_CTX *ctx) { -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - static char *ciphers = {"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"}; +void security_openssl_common_options(SSL_CTX *ctx, int side) { +#if OPENSSL_VERSION_NUMBER >= OPENSSL_VERSION_110 + if (!side) { + int version = tls_select_version(tls_version) ; #endif -#if OPENSSL_VERSION_NUMBER < 0x10100000L - SSL_CTX_set_options (ctx,SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION); +#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110 + SSL_CTX_set_options (ctx,SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION); #else - SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); - //We are avoiding the TLS v1.3 for while, because Google Chrome - //is giving the message net::ERR_SSL_VERSION_INTERFERENCE with it. 
- SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION); -#endif - SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); + SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); + SSL_CTX_set_max_proto_version(ctx, version); -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - if (!SSL_CTX_set_cipher_list(ctx, ciphers)) { - error("SSL error. cannot set the cipher list"); + if(tls_ciphers && strcmp(tls_ciphers, "none") != 0) { + if (!SSL_CTX_set_cipher_list(ctx, tls_ciphers)) { + error("SSL error. cannot set the cipher list"); + } + } } #endif + + SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); } /** @@ -84,15 +116,26 @@ void security_openssl_common_options(SSL_CTX *ctx) { * * @return It returns the context on success or NULL otherwise */ -static SSL_CTX * security_initialize_openssl_client() { +SSL_CTX * security_initialize_openssl_client() { SSL_CTX *ctx; -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110 ctx = SSL_CTX_new(SSLv23_client_method()); #else ctx = SSL_CTX_new(TLS_client_method()); #endif if(ctx) { - security_openssl_common_options(ctx); +#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110 + SSL_CTX_set_options (ctx,SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION); +#else + SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); +# if defined(TLS_MAX_VERSION) + SSL_CTX_set_max_proto_version(ctx, TLS_MAX_VERSION); +# elif defined(TLS1_3_VERSION) + SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION); +# elif defined(TLS1_2_VERSION) + SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION); +# endif +#endif } return ctx; 
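Review bot: `SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);` in security_openssl_common_options lowers the server floor from TLS 1.2 to TLS 1.0, and the new `tls_version` setting only feeds `SSL_CTX_set_max_proto_version`, so an operator can cap the protocol but cannot refuse TLS 1.0/1.1 (deprecated by RFC 8996). I would keep `SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);` unless a separate minimum-version setting is introduced; the same `TLS1_VERSION` floor is added for client contexts in the next hunk (security_initialize_openssl_client). `tls_version` is initialised to NULL in this file and is passed straight to `strcmp` inside tls_select_version, so unless it is always assigned before this function runs (not visible in this diff) a guard such as `if (!lversion) lversion = "";` is needed before the first comparison. With the hard-coded cipher string removed, an unset or `"none"` `tls_ciphers` leaves the OpenSSL default list in place, and `SSL_CTX_set_cipher_list` does not configure TLS 1.3 suites (that is `SSL_CTX_set_ciphersuites` on OpenSSL 1.1.1+), which deserves a comment next to the call.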
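Review bot: security_initialize_openssl_client no longer calls security_openssl_common_options, so client contexts lose `SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)` and, on OpenSSL 1.1.0+, the restricted cipher list that used to apply to them. The streaming case in security_start_ssl sets its modes explicitly, but the exporting case in a later hunk only assigns the returned context, so it should be confirmed that the exporting writer does not rely on that mode; the caller code is not visible in this diff. The function also drops `static`, so it needs a prototype in the header, preferably `SSL_CTX *security_initialize_openssl_client(void);` rather than an empty parameter list. The results of `SSL_CTX_set_min_proto_version` and `SSL_CTX_set_max_proto_version` are ignored here; reporting a failure with `error(...)`, as the cipher-list path does, would make a rejected version bound visible in the log.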
@@ -111,7 +154,7 @@ static SSL_CTX * security_initialize_openssl_server() { static int netdata_id_context = 1; //TO DO: Confirm the necessity to check return for other OPENSSL function -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110 ctx = SSL_CTX_new(SSLv23_server_method()); if (!ctx) { error("Cannot create a new SSL context, netdata won't encrypt communication"); @@ -128,7 +171,7 @@ static SSL_CTX * security_initialize_openssl_server() { SSL_CTX_use_certificate_chain_file(ctx, security_cert); #endif - security_openssl_common_options(ctx); + security_openssl_common_options(ctx, 0); SSL_CTX_use_PrivateKey_file(ctx,security_key,SSL_FILETYPE_PEM); @@ -142,7 +185,7 @@ static SSL_CTX * security_initialize_openssl_server() { SSL_CTX_set_session_id_context(ctx,(void*)&netdata_id_context,(unsigned int)sizeof(netdata_id_context)); SSL_CTX_set_info_callback(ctx,security_info_callback); -#if (OPENSSL_VERSION_NUMBER < 0x00905100L) +#if (OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_095) SSL_CTX_set_verify_depth(ctx,1); #endif debug(D_WEB_CLIENT,"SSL GLOBAL CONTEXT STARTED\n"); @@ -158,7 +201,7 @@ static SSL_CTX * security_initialize_openssl_server() { * @param selector informs the context that must be initialized, the following list has the valid values: * NETDATA_SSL_CONTEXT_SERVER - the server context * NETDATA_SSL_CONTEXT_STREAMING - Starts the streaming context. - * NETDATA_SSL_CONTEXT_OPENTSDB - Starts the OpenTSDB contextv + * NETDATA_SSL_CONTEXT_EXPORTING - Starts the OpenTSDB contextv */ void security_start_ssl(int selector) { switch (selector) { 
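Review bot: The doc comment above security_start_ssl still describes the renamed selector as `Starts the OpenTSDB contextv`, which is stale after the rename to NETDATA_SSL_CONTEXT_EXPORTING and carries a typo. Suggested line: `* NETDATA_SSL_CONTEXT_EXPORTING - Starts the exporting context`.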
@@ -179,8 +222,8 @@ void security_start_ssl(int selector) { SSL_CTX_set_mode(netdata_client_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |SSL_MODE_AUTO_RETRY); break; } - case NETDATA_SSL_CONTEXT_OPENTSDB: { - netdata_opentsdb_ctx = security_initialize_openssl_client(); + case NETDATA_SSL_CONTEXT_EXPORTING: { + netdata_exporting_ctx = security_initialize_openssl_client(); break; } } @@ -191,23 +234,21 @@ void security_start_ssl(int selector) { * * Clean all the allocated contexts from netdata. */ -void security_clean_openssl() { - if (netdata_srv_ctx) - { - SSL_CTX_free(netdata_srv_ctx); - } +void security_clean_openssl() +{ + if (netdata_srv_ctx) { + SSL_CTX_free(netdata_srv_ctx); + } - if (netdata_client_ctx) - { + if (netdata_client_ctx) { SSL_CTX_free(netdata_client_ctx); } - if ( netdata_opentsdb_ctx ) - { - SSL_CTX_free(netdata_opentsdb_ctx); + if (netdata_exporting_ctx) { + SSL_CTX_free(netdata_exporting_ctx); } -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_110 ERR_free_strings(); #endif } @@ -273,7 +314,7 @@ int security_process_accept(SSL *ssl,int msg) { /** * Test Certificate * - * Check the certificate of Netdata master + * Check the certificate of Netdata parent * * @param ssl is the connection structure * @@ -305,10 +346,10 @@ int security_test_certificate(SSL *ssl) { * Location for context * * Case the user give us a directory with the certificates available and - * the Netdata master certificate, we use this function to validate the certificate. + * the Netdata parent certificate, we use this function to validate the certificate. * * @param ctx the context where the path will be set. - * @param file the file with Netdata master certificate. + * @param file the file with Netdata parent certificate. * @param path the directory where the certificates are stored. * * @return It returns 0 on success and -1 otherwise. 
@@ -316,7 +357,7 @@ int security_test_certificate(SSL *ssl) { int security_location_for_context(SSL_CTX *ctx, char *file, char *path) { struct stat statbuf; if (stat(file, &statbuf)) { - info("Netdata does not have a SSL master certificate, so it will use the default OpenSSL configuration to validate certificates!"); + info("Netdata does not have the parent's SSL certificate, so it will use the default OpenSSL configuration to validate certificates!"); return 0; } @@ -336,7 +377,7 @@ int security_location_for_context(SSL_CTX *ctx, char *file, char *path) { slfc: while ((err = ERR_get_error()) != 0) { ERR_error_string_n(err, buf, sizeof(buf)); - error("Cannot set the directory for the certificates and the master SSL certificate: %s",buf); + error("Cannot set the directory for the certificates and the parent SSL certificate: %s",buf); } return -1; } |