From b253675eb507f07f8072b287c0ea68448808eb0b Mon Sep 17 00:00:00 2001
From: "Golgowski, Wiktor" 
Date: Wed, 23 Sep 2020 20:06:30 +0200
Subject: Add TLS version and cipher suites to legacy HTTPS.
This change adds nbdkit curl plugin parameters for specifying TLS version and not allowed cipher suites (OWASP recommendation).
Tested: manually, TLSv1.0 is not negotiated during connection. Awaiting confirmation for cipher suites.
Warning: this change may break legacy mode, if used with nbdkit without ssl-version and ssl-cipher-list (see review #272350).
Change-Id: I06c5acc7a87de6c1bd1b0cdcef2af8585a3da965
Signed-off-by: Golgowski, Wiktor
---
 src/state/activating_state.cpp | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/state/activating_state.cpp b/src/state/activating_state.cpp
index bc9a30b..18afa60 100644
--- a/src/state/activating_state.cpp
+++ b/src/state/activating_state.cpp
@@ -62,7 +62,7 @@ std::unique_ptr ActivatingState::activateProxyMode()
 "/usr/sbin/nbd-client", machine.getConfig().nbdDevice));
 if (!process->spawn(Configuration::MountPoint::toArgs(machine.getConfig()),
- [& machine = machine](int exitCode, bool isReady) {
+ [&machine = machine](int exitCode, bool isReady) {
 LogMsg(Logger::Info, machine.getName(), " process ended.");
 machine.getExitCode() = exitCode;
@@ -197,7 +197,7 @@ std::unique_ptr
 // Insert extra params
 args.insert(args.end(), params.begin(), params.end());
- if (!process->spawn(args, [& machine = machine, secret = std::move(secret)](
+ if (!process->spawn(args, [&machine = machine, secret = std::move(secret)](
 int exitCode, bool isReady) {
 LogMsg(Logger::Info, machine.getName(), " process ended.");
 machine.getExitCode() = exitCode;
@@ -233,7 +233,12 @@ std::unique_ptr
 // ... to mount http resource at url
 "url=" + url,
 // custom OpenBMC path for CA
- "capath=/etc/ssl/certs/authority"};
+ "capath=/etc/ssl/certs/authority",
+ "ssl-version=tlsv1.1",
+ "ssl-cipher-list=\"!AES256-GCM-SHA384:"
+ "!AES128-GCM-SHA256:"
+ "!AES256-SHA256:"
+ "!AES128-SHA256"};
 // Authenticate if needed
 if (machine.getTarget()->credentials)
-- 
cgit v1.2.3
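Review bot: The `ssl-cipher-list` value added in this hunk is an exclusion-only OpenSSL cipher string and it opens with a `\"` that is never closed: with an OpenSSL-backed curl a string made only of `!` rules selects no cipher suite at all (the list is rejected and the connection fails instead of being hardened), and because these arguments appear to reach nbdkit as argv entries (`process->spawn(args, …)` in the previous hunk, not a shell) the stray quote would additionally turn the first rule into `"!AES256-GCM-SHA384`, which matches nothing — this is most likely the breakage the description warns about. Anchor the rules to a base list and drop the quote, `"ssl-cipher-list=DEFAULT:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!AES256-SHA256:!AES128-SHA256"};`, or, since all four excluded suites use static RSA key exchange, the single broader rule `"ssl-cipher-list=DEFAULT:!kRSA"};` removes every non-forward-secret suite. `ssl-version=tlsv1.1` only sets a floor, and TLS 1.1 is itself deprecated, so `"ssl-version=tlsv1.2",` is the minimum OWASP recommends unless a TLS 1.1-only server must still be reached. Note that `ssl-cipher-list` does not govern TLS 1.3 suites (nbdkit exposes `tls13-ciphers` for those), so these exclusions only affect TLS 1.2 negotiations. The enclosing function starts before this hunk and ends after it.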