[Libreoffice-commits] online.git: Branch 'distro/collabora/collabora-online-3-0' - loolwsd.xml.in net/Ssl.cpp net/Ssl.hpp wsd/LOOLWSD.cpp
Michael Meeks
michael.meeks at collabora.com
Wed Nov 29 13:42:59 UTC 2017
loolwsd.xml.in | 1 +
net/Ssl.cpp | 10 ++++++++--
net/Ssl.hpp | 8 +++++---
wsd/LOOLWSD.cpp | 6 +++++-
4 files changed, 19 insertions(+), 6 deletions(-)
New commits:
commit 7a999e507c4b1439cfad583bc5f171c0c916304f
Author: Michael Meeks <michael.meeks at collabora.com>
Date: Wed Nov 22 15:54:42 2017 +0000
Make the WSD SSL cipher list configurable.
Change-Id: If79b9efc9438cf0a2345b8e81385adafef63ce22
Reviewed-on: https://gerrit.libreoffice.org/45103
Reviewed-by: Jan Holesovsky <kendy at collabora.com>
Tested-by: Jan Holesovsky <kendy at collabora.com>
diff --git a/loolwsd.xml.in b/loolwsd.xml.in
index abec21ca..754aa6c3 100644
--- a/loolwsd.xml.in
+++ b/loolwsd.xml.in
@@ -66,6 +66,7 @@
<cert_file_path desc="Path to the cert file" relative="false">/etc/loolwsd/cert.pem</cert_file_path>
<key_file_path desc="Path to the key file" relative="false">/etc/loolwsd/key.pem</key_file_path>
<ca_file_path desc="Path to the ca file" relative="false">/etc/loolwsd/ca-chain.cert.pem</ca_file_path>
+ <cipher_list desc="List of OpenSSL ciphers to accept" default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"></cipher_list>
<hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false">
<max_age desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true">1000</max_age>
<report_uri desc="HPKP's report-uri directive - pin validation failure are reported at this URL" enable="false"></report_uri>
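Review bot: The default string `ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH` on the added `cipher_list` line excludes only anonymous DH; in OpenSSL's cipher syntax `ADH` does not cover anonymous ECDH suites (`AECDH`), and `ALL` still admits RC4 and other legacy suites, so a client can negotiate an unauthenticated key exchange against the shipped default. Since this commit is what makes the list configurable, it is the natural place to tighten the default as well, e.g. `ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:!RC4:@STRENGTH`, and the same string must then be updated in the `DEFAULT_CIPHER_SET` macro in net/Ssl.cpp, which duplicates it. The `desc` attribute could also state that an empty value falls back to the built-in default, which is what the C++ side does.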
diff --git a/net/Ssl.cpp b/net/Ssl.cpp
index 5a9f8280..dd0094b8 100644
--- a/net/Ssl.cpp
+++ b/net/Ssl.cpp
@@ -26,11 +26,14 @@ extern "C"
};
}
+#define DEFAULT_CIPHER_SET "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
+
std::unique_ptr<SslContext> SslContext::Instance(nullptr);
SslContext::SslContext(const std::string& certFilePath,
const std::string& keyFilePath,
- const std::string& caFilePath) :
+ const std::string& caFilePath,
+ const std::string& cipherList) :
_ctx(nullptr)
{
const std::vector<char> rand = Util::rng::getBytes(512);
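Review bot: `DEFAULT_CIPHER_SET` is introduced as a preprocessor macro, whereas a typed namespace-scope constant is the idiomatic C++ form and keeps the value out of the preprocessor: `static const char* const DEFAULT_CIPHER_SET = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH";`. The string is now also repeated verbatim in the `default` attribute of loolwsd.xml.in, so a comment next to the constant should point at that duplication: `// Keep in sync with ssl.cipher_list default in loolwsd.xml.in`. The SslContext constructor that follows continues past this hunk.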
@@ -107,7 +110,10 @@ SslContext::SslContext(const std::string& certFilePath,
}
SSL_CTX_set_verify(_ctx, SSL_VERIFY_NONE, nullptr /*&verifyServerCallback*/);
- SSL_CTX_set_cipher_list(_ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
+ std::string ciphers(cipherList);
+ if (ciphers.empty())
+ ciphers = DEFAULT_CIPHER_SET;
+ SSL_CTX_set_cipher_list(_ctx, ciphers.c_str());
SSL_CTX_set_verify_depth(_ctx, 9);
// The write buffer may re-allocate, and we don't mind partial writes.
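Review bot: The return value of `SSL_CTX_set_cipher_list` on the last added line is ignored, so an operator-supplied `ssl.cipher_list` that OpenSSL cannot parse, or that matches no suite, leaves the context on OpenSSL's compiled-in default and the process keeps serving without any indication that the configured policy is not in effect. A misconfiguration of a security setting should be fatal at startup: `if (SSL_CTX_set_cipher_list(_ctx, ciphers.c_str()) != 1) throw std::runtime_error("Invalid SSL cipher list: " + ciphers);`, or whatever error path the earlier parts of this constructor use for the cert/key loading failures, with the OpenSSL error string included. The surrounding constructor starts before and ends after this hunk, so it is not visible how the other failures are reported here.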
diff --git a/net/Ssl.hpp b/net/Ssl.hpp
index b6fc0427..90ba4f44 100644
--- a/net/Ssl.hpp
+++ b/net/Ssl.hpp
@@ -29,10 +29,11 @@ class SslContext
public:
static void initialize(const std::string& certFilePath,
const std::string& keyFilePath,
- const std::string& caFilePath)
+ const std::string& caFilePath,
+ const std::string& cipherList = "")
{
assert (!Instance);
- Instance.reset(new SslContext(certFilePath, keyFilePath, caFilePath));
+ Instance.reset(new SslContext(certFilePath, keyFilePath, caFilePath, cipherList));
}
static void uninitialize();
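Review bot: The new `cipherList` parameter of `initialize` has an empty-string default whose meaning (fall back to the built-in cipher set, per the accompanying net/Ssl.cpp change) is not stated in the header, which is where callers will look. A short Doxygen line above the declaration would close that gap: `/// cipherList is an OpenSSL cipher string; an empty string selects the built-in default set.`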
@@ -47,7 +48,8 @@ public:
private:
SslContext(const std::string& certFilePath,
const std::string& keyFilePath,
- const std::string& caFilePath);
+ const std::string& caFilePath,
+ const std::string& cipherList);
void initDH();
void initECDH();
diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp
index 7ff87b79..102670e7 100644
--- a/wsd/LOOLWSD.cpp
+++ b/wsd/LOOLWSD.cpp
@@ -927,11 +927,15 @@ void LOOLWSD::initializeSSL()
const auto ssl_ca_file_path = getPathFromConfig("ssl.ca_file_path");
LOG_INF("SSL CA file: " << ssl_ca_file_path);
+ const auto ssl_cipher_list = getPathFromConfig("ssl.cipher_list");
+ LOG_INF("SSL Cipher list: " << ssl_cipher_list);
+
#if ENABLE_SSL
// Initialize the non-blocking socket SSL.
SslContext::initialize(ssl_cert_file_path,
ssl_key_file_path,
- ssl_ca_file_path);
+ ssl_ca_file_path,
+ ssl_cipher_list);
#endif
}
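Review bot: The cipher string is read with `getPathFromConfig("ssl.cipher_list")` on the first added line, an accessor whose name indicates it treats the value as a filesystem path; if it normalises or resolves relative paths (its implementation is outside this hunk), a cipher string such as `ECDHE+AESGCM:!aNULL` could be altered before it reaches OpenSSL. Read the setting with the plain string config accessor the file uses for non-path values, keeping the same empty-value fallback. The INF log line will print an empty string when the setting is unset, while the real fallback happens silently inside SslContext; logging the effective value, or noting `(default)` when empty, would make the applied policy visible to an operator.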