Skip to content

Commit c52c09e

Browse files
syedrikosyedriko
authored
Merge pull request #129 from syedriko/syedriko-log-3398
LOG-3398: Apply TLSSecurityProfile settings to TLS listeners in log collectors
2 parents 427ddec + 8f2c4af commit c52c09e

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

88 files changed

+39
-3
lines changed

Cargo.lock

-2
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

Cargo.toml

+1
Original file line numberDiff line numberDiff line change
@@ -337,6 +337,7 @@ chrono = { git = "https://github.com/vectordotdev/chrono.git", branch = "no-defa
337337
aws-config = { path = "patch/aws-config" }
338338
aws-sigv4 = { path = "patch/aws-sigv4" }
339339
hyper-openssl = { path = "patch/hyper-openssl" }
340+
openssl = { path = "patch/openssl" }
340341

341342
[features]
342343
ocp-logging = [

Dockerfile.unit

+1
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,7 @@ FROM registry.redhat.io/ubi8:8.6-754 as builder
33
RUN INSTALL_PKGS=" \
44
cmake \
55
libarchive \
6+
gcc-c++ \
67
make \
78
git \
89
openssl-devel \

vendor/openssl/.cargo-checksum.json patch/openssl/.cargo-checksum.json

File renamed without changes.

vendor/openssl/CHANGELOG.md patch/openssl/CHANGELOG.md

vendor/openssl/Cargo.lock patch/openssl/Cargo.lock

File renamed without changes.

vendor/openssl/Cargo.toml patch/openssl/Cargo.toml

File renamed without changes.

vendor/openssl/LICENSE patch/openssl/LICENSE

File renamed without changes.

vendor/openssl/README.md patch/openssl/README.md

vendor/openssl/build.rs patch/openssl/build.rs

File renamed without changes.

vendor/openssl/examples/mk_certs.rs patch/openssl/examples/mk_certs.rs

File renamed without changes.

vendor/openssl/src/aes.rs patch/openssl/src/aes.rs

File renamed without changes.

vendor/openssl/src/asn1.rs patch/openssl/src/asn1.rs

File renamed without changes.

vendor/openssl/src/base64.rs patch/openssl/src/base64.rs

File renamed without changes.

vendor/openssl/src/bio.rs patch/openssl/src/bio.rs

File renamed without changes.

vendor/openssl/src/bn.rs patch/openssl/src/bn.rs

File renamed without changes.

vendor/openssl/src/cms.rs patch/openssl/src/cms.rs

File renamed without changes.

vendor/openssl/src/conf.rs patch/openssl/src/conf.rs

File renamed without changes.

vendor/openssl/src/derive.rs patch/openssl/src/derive.rs

File renamed without changes.

vendor/openssl/src/dh.rs patch/openssl/src/dh.rs

File renamed without changes.

vendor/openssl/src/dsa.rs patch/openssl/src/dsa.rs

File renamed without changes.

vendor/openssl/src/ec.rs patch/openssl/src/ec.rs

File renamed without changes.

vendor/openssl/src/ecdsa.rs patch/openssl/src/ecdsa.rs

File renamed without changes.

vendor/openssl/src/encrypt.rs patch/openssl/src/encrypt.rs

File renamed without changes.

vendor/openssl/src/envelope.rs patch/openssl/src/envelope.rs

File renamed without changes.

vendor/openssl/src/error.rs patch/openssl/src/error.rs

File renamed without changes.

vendor/openssl/src/ex_data.rs patch/openssl/src/ex_data.rs

File renamed without changes.

vendor/openssl/src/fips.rs patch/openssl/src/fips.rs

File renamed without changes.

vendor/openssl/src/hash.rs patch/openssl/src/hash.rs

File renamed without changes.

vendor/openssl/src/lib.rs patch/openssl/src/lib.rs

File renamed without changes.

vendor/openssl/src/macros.rs patch/openssl/src/macros.rs

File renamed without changes.

vendor/openssl/src/memcmp.rs patch/openssl/src/memcmp.rs

File renamed without changes.

vendor/openssl/src/nid.rs patch/openssl/src/nid.rs

File renamed without changes.

vendor/openssl/src/ocsp.rs patch/openssl/src/ocsp.rs

File renamed without changes.

vendor/openssl/src/pkcs12.rs patch/openssl/src/pkcs12.rs

File renamed without changes.

vendor/openssl/src/pkcs5.rs patch/openssl/src/pkcs5.rs

File renamed without changes.

vendor/openssl/src/pkcs7.rs patch/openssl/src/pkcs7.rs

File renamed without changes.

vendor/openssl/src/pkey.rs patch/openssl/src/pkey.rs

File renamed without changes.

vendor/openssl/src/rand.rs patch/openssl/src/rand.rs

File renamed without changes.

vendor/openssl/src/rsa.rs patch/openssl/src/rsa.rs

File renamed without changes.

vendor/openssl/src/sha.rs patch/openssl/src/sha.rs

File renamed without changes.

vendor/openssl/src/sign.rs patch/openssl/src/sign.rs

File renamed without changes.

vendor/openssl/src/srtp.rs patch/openssl/src/srtp.rs

File renamed without changes.

vendor/openssl/src/ssl/bio.rs patch/openssl/src/ssl/bio.rs

File renamed without changes.

vendor/openssl/src/ssl/callbacks.rs patch/openssl/src/ssl/callbacks.rs

File renamed without changes.

vendor/openssl/src/ssl/connector.rs patch/openssl/src/ssl/connector.rs

+23-1
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ use crate::dh::Dh;
66
use crate::error::ErrorStack;
77
use crate::ssl::{
88
HandshakeError, Ssl, SslContext, SslContextBuilder, SslContextRef, SslMethod, SslMode,
9-
SslOptions, SslRef, SslStream, SslVerifyMode,
9+
SslOptions, SslRef, SslStream, SslVerifyMode, SslVersion,
1010
};
1111
use crate::version;
1212

@@ -217,6 +217,28 @@ impl DerefMut for ConnectConfiguration {
217217
pub struct SslAcceptor(SslContext);
218218

219219
impl SslAcceptor {
220+
pub fn custom(method: SslMethod, min_tls_version: &String, ciphersuites: &String) -> Result<SslAcceptorBuilder, ErrorStack> {
221+
let mut ctx = ctx(method)?;
222+
let min_proto_version: SslVersion;
223+
match min_tls_version.as_str() {
224+
"VersionTLS10" => min_proto_version = SslVersion::TLS1,
225+
"VersionTLS11" => min_proto_version = SslVersion::TLS1_1,
226+
"VersionTLS12" => min_proto_version = SslVersion::TLS1_2,
227+
"VersionTLS13" => min_proto_version = SslVersion::TLS1_3,
228+
_ => min_proto_version = SslVersion::TLS1,
229+
}
230+
ctx.set_min_proto_version(Some(min_proto_version))?;
231+
let dh = Dh::params_from_pem(FFDHE_2048.as_bytes())?;
232+
ctx.set_tmp_dh(&dh)?;
233+
setup_curves(&mut ctx)?;
234+
ctx.set_cipher_list(ciphersuites.replace(",", ":").as_str())?;
235+
#[cfg(ossl111)]
236+
ctx.set_ciphersuites(
237+
"TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256",
238+
)?;
239+
Ok(SslAcceptorBuilder(ctx))
240+
}
241+
220242
/// Creates a new builder configured to connect to non-legacy clients. This should generally be
221243
/// considered a reasonable default choice.
222244
///

vendor/openssl/src/ssl/error.rs patch/openssl/src/ssl/error.rs

File renamed without changes.

vendor/openssl/src/ssl/mod.rs patch/openssl/src/ssl/mod.rs

File renamed without changes.

vendor/openssl/src/ssl/test/mod.rs patch/openssl/src/ssl/test/mod.rs

File renamed without changes.

vendor/openssl/src/ssl/test/server.rs patch/openssl/src/ssl/test/server.rs

File renamed without changes.

vendor/openssl/src/stack.rs patch/openssl/src/stack.rs

File renamed without changes.

vendor/openssl/src/string.rs patch/openssl/src/string.rs

File renamed without changes.

vendor/openssl/src/symm.rs patch/openssl/src/symm.rs

File renamed without changes.

vendor/openssl/src/util.rs patch/openssl/src/util.rs

File renamed without changes.

vendor/openssl/src/version.rs patch/openssl/src/version.rs

File renamed without changes.

vendor/openssl/src/x509/extension.rs patch/openssl/src/x509/extension.rs

File renamed without changes.

vendor/openssl/src/x509/mod.rs patch/openssl/src/x509/mod.rs

File renamed without changes.

vendor/openssl/src/x509/store.rs patch/openssl/src/x509/store.rs

File renamed without changes.

vendor/openssl/src/x509/tests.rs patch/openssl/src/x509/tests.rs

File renamed without changes.

vendor/openssl/src/x509/verify.rs patch/openssl/src/x509/verify.rs

File renamed without changes.

vendor/openssl/test/aia_test_cert.pem patch/openssl/test/aia_test_cert.pem

File renamed without changes.

vendor/openssl/test/alt_name_cert.pem patch/openssl/test/alt_name_cert.pem

File renamed without changes.

vendor/openssl/test/cert.pem patch/openssl/test/cert.pem

File renamed without changes.

vendor/openssl/test/certs.pem patch/openssl/test/certs.pem

File renamed without changes.

vendor/openssl/test/cms.p12 patch/openssl/test/cms.p12

File renamed without changes.

vendor/openssl/test/cms_pubkey.der patch/openssl/test/cms_pubkey.der

File renamed without changes.

vendor/openssl/test/dhparams.pem patch/openssl/test/dhparams.pem

File renamed without changes.

vendor/openssl/test/dsa.pem patch/openssl/test/dsa.pem

File renamed without changes.

vendor/openssl/test/dsa.pem.pub patch/openssl/test/dsa.pem.pub

File renamed without changes.

vendor/openssl/test/dsaparam.pem patch/openssl/test/dsaparam.pem

File renamed without changes.

vendor/openssl/test/identity.p12 patch/openssl/test/identity.p12

File renamed without changes.

vendor/openssl/test/key.der patch/openssl/test/key.der

File renamed without changes.

vendor/openssl/test/key.der.pub patch/openssl/test/key.der.pub

File renamed without changes.

vendor/openssl/test/key.pem patch/openssl/test/key.pem

File renamed without changes.

vendor/openssl/test/key.pem.pub patch/openssl/test/key.pem.pub

File renamed without changes.

vendor/openssl/test/keystore-empty-chain.p12 patch/openssl/test/keystore-empty-chain.p12

File renamed without changes.

vendor/openssl/test/nid_test_cert.pem patch/openssl/test/nid_test_cert.pem

File renamed without changes.

vendor/openssl/test/nid_uid_test_cert.pem patch/openssl/test/nid_uid_test_cert.pem

File renamed without changes.

vendor/openssl/test/pkcs1.pem.pub patch/openssl/test/pkcs1.pem.pub

File renamed without changes.

vendor/openssl/test/pkcs8-nocrypt.der patch/openssl/test/pkcs8-nocrypt.der

File renamed without changes.

vendor/openssl/test/pkcs8.der patch/openssl/test/pkcs8.der

File renamed without changes.

vendor/openssl/test/root-ca.key patch/openssl/test/root-ca.key

File renamed without changes.

vendor/openssl/test/root-ca.pem patch/openssl/test/root-ca.pem

File renamed without changes.

vendor/openssl/test/rsa-encrypted.pem patch/openssl/test/rsa-encrypted.pem

File renamed without changes.

vendor/openssl/test/rsa.pem patch/openssl/test/rsa.pem

File renamed without changes.

vendor/openssl/test/rsa.pem.pub patch/openssl/test/rsa.pem.pub

File renamed without changes.

src/tls/incoming.rs

+8
Original file line numberDiff line numberDiff line change
@@ -30,6 +30,14 @@ impl TlsSettings {
3030
match self.identity {
3131
None => Err(TlsError::MissingRequiredIdentity),
3232
Some(_) => {
33+
if let Some(min_tls_version) = &self.min_tls_version {
34+
if let Some (ciphersuites) = &self.ciphersuites {
35+
let mut acceptor = SslAcceptor::custom(SslMethod::tls(), min_tls_version, ciphersuites)
36+
.context(CreateAcceptorSnafu)?;
37+
self.apply_context(&mut acceptor)?;
38+
return Ok(acceptor.build())
39+
}
40+
}
3341
let mut acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls())
3442
.context(CreateAcceptorSnafu)?;
3543
self.apply_context(&mut acceptor)?;

src/tls/settings.rs

+6
Original file line numberDiff line numberDiff line change
@@ -68,6 +68,8 @@ pub struct TlsOptions {
6868
#[serde(alias = "key_path")]
6969
pub key_file: Option<PathBuf>,
7070
pub key_pass: Option<String>,
71+
pub min_tls_version: Option<String>,
72+
pub ciphersuites: Option<String>,
7173
}
7274

7375
impl TlsOptions {
@@ -89,6 +91,8 @@ pub struct TlsSettings {
8991
pub(super) verify_hostname: bool,
9092
authorities: Vec<X509>,
9193
pub(super) identity: Option<IdentityStore>, // openssl::pkcs12::ParsedPkcs12 doesn't impl Clone yet
94+
pub min_tls_version: Option<String>,
95+
pub ciphersuites: Option<String>,
9296
}
9397

9498
#[derive(Clone)]
@@ -125,6 +129,8 @@ impl TlsSettings {
125129
verify_hostname: options.verify_hostname.unwrap_or(!for_server),
126130
authorities: options.load_authorities()?,
127131
identity: options.load_identity()?,
132+
min_tls_version: options.min_tls_version.clone(),
133+
ciphersuites: options.ciphersuites.clone(),
128134
})
129135
}
130136

0 commit comments

Comments
 (0)