author | Golgowski, Wiktor <wiktor.golgowski@intel.com> | 2020-09-23 21:06:30 +0300 |
---|---|---|
committer | Golgowski, Wiktor <wiktor.golgowski@intel.com> | 2020-09-23 21:18:04 +0300 |
commit | b253675eb507f07f8072b287c0ea68448808eb0b (patch) | |
tree | 82eac5af1d1cac3bde757876b133146ff8494d2d | |
parent | 82935680e9bf7e26fa6363461e5416ff31659902 (diff) | |
Add TLS version and cipher suites to legacy HTTPS.
This change adds nbdkit curl plugin parameters for specifying TLS
version and not allowed cipher suites (OWASP recommendation).
Tested: manually, TLSv1.0 is not negotiated during connection.
Awaiting confirmation for cipher suites.
Warning: this change may break legacy mode, if used with nbdkit
without ssl-version and ssl-cipher-list (see review #272350).
Change-Id: I06c5acc7a87de6c1bd1b0cdcef2af8585a3da965
Signed-off-by: Golgowski, Wiktor <wiktor.golgowski@intel.com>
-rw-r--r-- | src/state/activating_state.cpp | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/src/state/activating_state.cpp b/src/state/activating_state.cpp index bc9a30b..18afa60 100644 --- a/src/state/activating_state.cpp +++ b/src/state/activating_state.cpp @@ -62,7 +62,7 @@ std::unique_ptr<BasicState> ActivatingState::activateProxyMode() "/usr/sbin/nbd-client", machine.getConfig().nbdDevice)); if (!process->spawn(Configuration::MountPoint::toArgs(machine.getConfig()), - [& machine = machine](int exitCode, bool isReady) { + [&machine = machine](int exitCode, bool isReady) { LogMsg(Logger::Info, machine.getName(), " process ended."); machine.getExitCode() = exitCode; @@ -197,7 +197,7 @@ std::unique_ptr<resource::Process> // Insert extra params args.insert(args.end(), params.begin(), params.end()); - if (!process->spawn(args, [& machine = machine, secret = std::move(secret)]( + if (!process->spawn(args, [&machine = machine, secret = std::move(secret)]( int exitCode, bool isReady) { LogMsg(Logger::Info, machine.getName(), " process ended."); machine.getExitCode() = exitCode; @@ -233,7 +233,12 @@ std::unique_ptr<resource::Process> // ... to mount http resource at url "url=" + url, // custom OpenBMC path for CA - "capath=/etc/ssl/certs/authority"}; + "capath=/etc/ssl/certs/authority", + "ssl-version=tlsv1.1", + "ssl-cipher-list=\"!AES256-GCM-SHA384:" + "!AES128-GCM-SHA256:" + "!AES256-SHA256:" + "!AES128-SHA256"}; // Authenticate if needed if (machine.getTarget()->credentials) |
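Review bot: the capture-list change in the first hunk (`[& machine = machine]` to `[&machine = machine]`, repeated in the second hunk) is whitespace-only and unrelated to the TLS hardening this commit is about; it belongs in a separate formatting commit so the security-relevant change in the third hunk can be reviewed and bisected on its own.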
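Review bot: in the third hunk the cipher list value is malformed. The added argument starts with `"ssl-cipher-list=\"!AES256-GCM-SHA384:"` and the remaining string literals end with `"!AES128-SHA256"}`, so the escaped opening quote is never closed. These args go straight to `process->spawn`, not through a shell, so nbdkit receives a literal `"` as the first character of the cipher string and OpenSSL will reject or misparse it; drop the `\"`. Second, `"ssl-version=tlsv1.1"` only sets the minimum version, so TLS 1.1 (also deprecated) is still negotiable; this matches the "TLSv1.0 is not negotiated" test in the message but not the OWASP recommendation it cites, which is TLS 1.2 as the floor. Unless a known legacy client needs 1.1, use `ssl-version=tlsv1.2`. Third, the four excluded names are the non-forward-secret RSA-key-exchange AES suites, but a four-entry denylist leaves every other default suite allowed; if the intent is to remove RSA key exchange, the OpenSSL keyword `!kRSA` covers the whole class, and an explicit allowlist of ECDHE suites would be more robust than a denylist. Whichever is chosen, document the expected result (for example the `openssl s_client` output with the selected version and suite) so the "awaiting confirmation" in the message can be closed.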