[dev.icinga.com #11292] ApiListener: Make minimum TLS version configurable

[icinga-migration]

This issue has been migrated from Redmine: https://dev.icinga.com/issues/11292

Created by tobiasvdk on 2016-03-03 13:37:53 +00:00

Assignee: gbeutner
Status: Resolved (closed on 2016-08-08 13:28:20 +00:00)
Target Version: 2.5.0
Last Update: 2016-08-08 13:48:55 +00:00 (in Redmine)

Backport?: Not yet backported
Include in Changelog: 1

---

In OpenSSL 1.1.0 there is the function "SSL_CTX_set_min_proto_version" "[1]":https://www.openssl.org/docs/manmaster/ssl/SSL\_CTX\_set\_min\_proto\_version.html to specify the minimum supported protocol version. For lower OpenSSL versions this needs to be implemented, afaik.

[1] https://www.openssl.org/docs/manmaster/ssl/SSL\_CTX\_set\_min\_proto\_version.html

Attachments

• 0001-feature-ApiListener-Make-minimum-TLS-version-configurable-11292.patch kobmaki - 2016-08-01 03:49:43 +00:00

Changesets

2016-08-03 05:46:50 +00:00 by kobmaki b2ac05a

Make the minimum TLS protocol version configurable

The ApiListener accepts all TLS versions that the underlying
OpenSSL library supports. This patch give the ability to restrict
the connection to a minimum TLS version.

fixes #11292

Signed-off-by: Gunnar Beutner <gunnar.beutner@netways.de>

2016-08-04 04:34:47 +00:00 by gbeutner bd3660f

Build fix for Windows

refs #11292

2016-08-08 13:27:16 +00:00 by gbeutner 231fd8d

Build fix for CentOS 5

refs #11292

---

Relations:

• relates #11292
• relates #11292

[icinga-migration]

Updated by tobiasvdk on 2016-03-03 13:37:54 +00:00

• Copied From set to 11063

[icinga-migration]

Updated by tobiasvdk on 2016-03-03 13:38:28 +00:00

• Copied From deleted 11063

[icinga-migration]

Updated by tobiasvdk on 2016-03-03 13:38:33 +00:00

• Relates set to 11063

[icinga-migration]

Updated by kobmaki on 2016-04-16 18:21:36 +00:00

Will be implement and PR will be send after the feature #11063.

[icinga-migration]

Updated by kobmaki on 2016-08-01 04:02:02 +00:00

• File added 0001-feature-ApiListener-Make-minimum-TLS-version-configurable-11292.patch

Attach is the patch for configuration the tls-minimum protocol.
On #11063#note-18 you see how you could verify the minimum TLS protocol.

[icinga-migration]

Updated by kobmaki on 2016-08-03 05:50:04 +00:00

• Status changed from Assigned to Resolved
• Done % changed from 0 to 100

Applied in changeset b2ac05a.

[icinga-migration]

Updated by mfriedrich on 2016-08-03 07:36:41 +00:00

• Target Version set to 2.5.0

[icinga-migration]

Updated by mfriedrich on 2016-08-05 13:54:10 +00:00

• Status changed from Resolved to Assigned
• Done % changed from 100 to 90

That patch breaks the el5 builds.

/home/build/rpmbuild/BUILD/icinga2/lib/base/tlsutility.cpp: In function 'void icinga::SetTlsProtocolminToSSLContext(const boost::shared_ptr&, const icinga::String&)':
/home/build/rpmbuild/BUILD/icinga2/lib/base/tlsutility.cpp:196:24: error: 'SSL_TXT_TLSV1_1' was not declared in this scope
  if (tlsProtocolmin == SSL_TXT_TLSV1_1)
                        ^
/home/build/rpmbuild/BUILD/icinga2/lib/base/tlsutility.cpp:198:29: error: 'SSL_TXT_TLSV1_2' was not declared in this scope
  else if (tlsProtocolmin == SSL_TXT_TLSV1_2)
                             ^
/home/build/rpmbuild/BUILD/icinga2/lib/base/tlsutility.cpp:199:30: error: 'SSL_OP_NO_TLSv1_1' was not declared in this scope
   flags |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
                              ^

[icinga-migration]

Updated by kobmaki on 2016-08-06 11:15:20 +00:00

On the build server, I can see the break.

https://build.icinga.org/job/icinga2-centos-package/lastBuild/

The build server show that a boost153 library is used. These libs are available from http://packages.icinga.org/ . But the distribution has only boost up to version 1.48 available. The used compiler looks newer than the gcc (latest gcc44) and distcc is used.

Some link compile options failed, as they are not recognize. E.g.

cc1: warning: command line option "-fvisibility-inlines-hidden" is valid for C++/ObjC++ but not for C
Building C object third-party/yajl/src/CMakeFiles/yajl.dir/yajl_version.c.o
cc1: warning: command line option "-fvisibility-inlines-hidden" is valid for C++/ObjC++ but not for C
Linking C shared library ../../../Bin/Release/libyajl.so
/usr/bin/ld: unrecognized option '--no-export-dynamic'
/usr/bin/ld: use the --help option for usage information
collect2: ld returned 1 exit status
make[2]: *** [Bin/Release/libyajl.so.2.1.0] Error 1
make[1]: *** [third-party/yajl/src/CMakeFiles/yajl.dir/all] Error 2
make: *** [all] Error 2
UNKNOWN 2 
[monmaki@kob-cent5 build]$ 

For compiling I use the gcc/**

[monmaki@kob-cent5 build]$ env | egrep "CC|CXX"
CXX=/usr/bin/g++44
CC=/usr/bin/gcc44
[monmaki@kob-cent5 build]$

How could I fix the broken ld option?

--no-export-dynamic

How could I disable the compile option or upgrade the gcc by adding a new repo to centos5?

[icinga-migration]

Updated by gbeutner on 2016-08-08 13:21:40 +00:00

1. You can use the boost packages from packages.icinga.org
2. We're using a more recent version of GCC to build Icinga on CentOS 5: https://people.centos.org/tru/devtools-2/readme
3. We're not using distcc.

[icinga-migration]

Updated by mfriedrich on 2016-08-08 13:27:31 +00:00

Hint: https://svnweb.freebsd.org/ports/head/www/aria2/files/patch-src-LibsslTLSContext.cc?view=markup&pathrev=384841

[icinga-migration]

Updated by gbeutner on 2016-08-08 13:28:20 +00:00

• Status changed from Assigned to Resolved
• Assigned to changed from kobmaki to gbeutner
• Done % changed from 90 to 100

[icinga-migration]

Updated by gbeutner on 2016-08-08 13:48:55 +00:00

Fixed in 231fd8d.

[icinga-migration]

Updated by gbeutner on 2016-08-18 08:22:07 +00:00

• Relates set to 12475