Honor configured cipher suites and add an option to honor the order #46
Conversation
I also added some tunables for TLS version and whether to check CRLs.
how do I test this?
You can test it, via https, with gnutls-cli-debug, which will print the cipher suites selected. I was going to write a riak_test, but ran out of time. I can do it once we hit the testing phase.
CipherOrder = cuttlefish_util:conf_get_value("honor_cipher_order", Conf),
%% This is only available, as of December 2013, in basho patched R16B02,
%% so disable it if the VM is not patched by basho. This can be revised
%% for R17, when this patch is expected to be present mainline.
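Review bot: the comment promises that honor_cipher_order is disabled when the VM is not basho-patched, but the lines shown only read the value from Conf and the comment does not say what is actually tested to decide "patched"; spell out the check in the comment (which release or ssl capability is probed) and link the basho tag, since the PR description says passing this option to an unpatched OTP crashes Riak. The "as of December 2013" wording will also go stale: key the comment on the capability being present rather than on a date so nobody has to guess when R17 lands.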
Think it's worth adding a link to the basho tag? https://github.com/basho/otp/tree/OTP_R16B02_basho3
eunit test failures: https://gist.github.com/metadave/8059507
The default is to only allow TLS 1.2 and to check the CRL of any client certificates. This addresses some of the concerns in basho/riak#433
Rebased to fix the eunit failures and addressed review comments.
eunit tests pass after rebasing: https://gist.github.com/metadave/8061127
+1
Honor configured cipher suites and add an option to honor the order
In addition to using the cipher suites configured in riak_core, you can also tell OTP to prefer the order in which the cipher suite is listed in Riak, over any client preferences. This is more secure as it allows the server to order the ciphers such that it can put the ciphers with the attributes it values the most at the top of the list, but list others for compatibility.
This new option, as it is only available in a patched OTP, can only be passed to the SSL API if it is being enabled. To avoid crashing Riak built with unpatched VMs, cuttlefish will automatically switch this option off on non-patched VMs.
See also basho/riak_core#469
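The two points in the description above, an option that must only reach the ssl API when the VM supports it, and a server-side ordering that beats the client's preference, as an added Erlang example. This is not riak_core or cuttlefish code; the module name is made up, the sample cipher lists are constructed, and how a basho-patched VM is detected is not shown on this page, so the example takes that as a boolean `Supported` argument rather than guessing the check.

```erlang
%% Added example, not riak_core/cuttlefish code. Builds an OTP ssl option
%% list from riak-style settings and models what honor_cipher_order changes.
%% Assumptions: the module name, and that the caller already knows whether
%% the running VM accepts {honor_cipher_order, true} (the PR's detection of
%% a basho-patched R16B02 is not reproduced here).
-module(tls_opts_example).
-export([ssl_options/2, negotiate/3, demo/0]).

%% Conf is a proplist with the settings the PR exposes: ciphers (OpenSSL
%% style names, in the operator's preferred order), tls_versions and
%% honor_cipher_order. Supported says whether the VM accepts the option.
ssl_options(Conf, Supported) ->
    Ciphers = proplists:get_value(ciphers, Conf, []),
    Versions = proplists:get_value(tls_versions, Conf, ['tlsv1.2']),
    HonorOrder = proplists:get_value(honor_cipher_order, Conf, false),
    Base = [{ciphers, Ciphers}, {versions, Versions}],
    %% Pass honor_cipher_order only when it is both requested and supported;
    %% on an unpatched VM the option must not reach ssl:listen/2 at all.
    case {HonorOrder, Supported} of
        {true, true} -> [{honor_cipher_order, true} | Base];
        _            -> Base
    end.

%% Model of the server's suite selection. With honor_cipher_order the
%% server walks its own list and takes the first suite the client also
%% offers; without it the client's ordering decides which common suite wins.
negotiate(ServerCiphers, ClientCiphers, true) ->
    first_common(ServerCiphers, ClientCiphers);
negotiate(ServerCiphers, ClientCiphers, false) ->
    first_common(ClientCiphers, ServerCiphers).

first_common([], _Other) ->
    none;
first_common([C | Rest], Other) ->
    case lists:member(C, Other) of
        true  -> C;
        false -> first_common(Rest, Other)
    end.

%% Constructed input: the server leads with an AEAD suite and keeps a CBC
%% suite for compatibility; the client lists the CBC suite first.
demo() ->
    Conf = [{ciphers, ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"]},
            {tls_versions, ['tlsv1.2']},
            {honor_cipher_order, true}],
    Client = ["AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384"],
    Server = proplists:get_value(ciphers, Conf),
    [{patched_opts,   ssl_options(Conf, true)},   % includes honor_cipher_order
     {unpatched_opts, ssl_options(Conf, false)},  % option silently dropped
     {with_order,     negotiate(Server, Client, true)},   % server's AEAD suite
     {without_order,  negotiate(Server, Client, false)}]. % client's CBC suite
```

Run `tls_opts_example:demo().` in an Erlang shell after compiling the module: the option list built for the unpatched case carries only `ciphers` and `versions`, and the negotiation with the order honored returns the GCM suite while the client-led negotiation returns `"AES128-SHA"`, which is exactly the downgrade-by-client-preference the option exists to prevent. The real option list would be handed to `ssl:listen/2`; that call is left out so the example runs without a certificate.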